RFC 2350
Version: 1.6
Date: Wed Apr 04 10:00:00 CEST 2024
Author: Markus Hoffmann (markus.hoffmann@ages.at)

1. Document information

This document contains a description of Austrian Health CERT according
to RFC 2350. It provides basic information about the CERT and the ways
it can be contacted, and describes its responsibilities and the services
offered.

1.1 Date of last update

Wed Apr 04 10:00:00 CEST 2024

1.2 Distribution list for notifications

There are no lists defined for notifications about updates to this
document.

1.3 Locations where this document may be found

The current version of this document can always be found at:

  https://health-cert.at/wp-content/uploads/2024/04/rfc2350_austrian_health_cert_v1-6.txt

For validation purposes, a PGP signed ASCII version of this document is
located at:

  https://health-cert.at/wp-content/uploads/2024/04/rfc2350_austrian_health_cert_v1-6.txt.asc

The key used for signing is the AHC key as listed under 2.8.

2. Contact information

2.1 Name of the team

Austrian Health CERT (AHC)

2.2 Address

Austrian Health CERT
Agentur für Gesundheit und Ernährungssicherheit GmbH
Spargelfeldstraße 191
1210 Vienna
Austria

2.3 Time zone

We are located in the Central European Timezone (CET), which is GMT+0100
(+0200 during daylight saving time).

2.4 Telephone number

+43 (0) 720 506000

2.6 Other telecommunication

-

2.7 Electronic mail address

kontakt@health-cert.at

2.8 Public keys and encryption information

AHC uses a master signing key to sign all keys used for operational
purposes. This trust anchor is:

  pub   rsa4096/1F5A075D5F970551 2024-02-13 [SC] [verfällt: 2029-02-11]
        Schl.-Fingerabdruck = DE7D 8EAC 0B20 39A1 0BB2 5ABF 1F5A 075D 5F97 0551
  uid   health-cert.at Master Key
  uid   a-healthcert.at Master Key
  sub   rsa4096/6C660E29CD5AE181 2024-02-13 [E] [verfällt: 2029-02-11]

  https://health-cert.at/wp-content/uploads/2024/04/masterkey_0x5F970551_public.key

Please DO NOT use this key for communications with us.

All official communication by AHC will be signed by the current team
key, which is as of February 2024:

  https://health-cert.at/wp-content/uploads/2024/04/teamkey_0x38CD1BA1_public.key

Encrypted communications with AHC should use this - and only this -
operational key.

  pub   rsa4096/84D7D9CD38CD1BA1 2024-02-13 [SC] [verfällt: 2025-03-09]
        Schl.-Fingerabdruck = FC98 98CE C259 C1A6 3625 915C 84D7 D9CD 38CD 1BA1
  uid   health-cert.at (General Communications)
  uid   health-cert.at
  uid   a-healthcert.at
  uid   a-healthcert.at (General Communications)
  sub   rsa4096/EE27BEADA5E4B45A 2024-02-13 [E] [verfällt: 2025-03-09]

Since the team key and the master signing key expire regularly, AHC will
always sign younger master signing keys with the older master signing
keys as well. The current master signing key always signs the team key.

2.9 Team members

The team lead of AHC is Markus Hoffmann.

2.10 Other information

-

2.11 Points of customer contact

The preferred method for contacting Austrian Health CERT is via e-mail:

  kontakt@health-cert.at

In order for reports to fall under the procedures of the NIS law, they
should be submitted via https://nis.cert.at (for other reports, please
use e-mail).

Austrian Health CERT hours of operation are generally restricted to
local regular business hours: Mon-Fri (except public holidays and
Dec 24th/31st), 9 a.m. - 17 p.m. CET/CEST.

3. Charter

3.1 Mission statement

The purpose of Austrian Health CERT (AHC) is to coordinate IT-Security
efforts for the health sector in Austria.

3.2 Constituency

The constituency of AHC are primarily operators of health institutions
and control centres for ambulance services.

Note that usually no direct support will be given to end users; they are
expected to contact their ISP, system administrator, network
administrator, or department head for assistance.

3.3 Sponsorship and/or affiliation

AHC is an initiative of the Cybersecurity Committee for eHealth (CSAeH).
Funding members are:

  * Austrian Federal Ministry of Social Affairs, Health, Care and
    Consumer Protection
  * eHealth executives of the federal states
  * eHealth executives of the Austrian Social Insurance

3.4 Authority

The main purpose of AHC in incident handling is the coordination of
incident response. As such, we can only advise our constituency and have
no authority to demand certain actions.

4. Policies

4.1 Types of incidents and level of support

AHC addresses all types of IT-Security incidents, which occur or
threaten to occur in our constituency (see 3.2) and which require
cross-organizational coordination.

The level of support given by AHC will vary depending on the type and
severity of the incident or issue, the type of constituent, the size of
the user community affected, and our resources at the time.

AHC is committed to keeping its constituency informed of potential
vulnerabilities and, where possible, will inform this community of such
vulnerabilities before they are actively exploited.

Overall, the primary role of AHC during incidents is information
exchange and coordination, and not on-site incident response.

4.2 Co-operation, interaction and disclosure of information

AHC will cooperate with other organizations in the field of IT-Security.
This cooperation also includes and often requires the exchange of vital
information regarding security incidents and vulnerabilities.
Nevertheless, AHC will protect the privacy of reporters, partners and
our constituents, and therefore (under normal circumstances) pass on
information in an anonymized way only unless other contractual
agreements or laws apply.

AHC operates under the restrictions imposed by Austrian law. This
involves careful handling of personal data as required by Austrian Data
Protection law, but it is also possible that - according to Austrian
law - AHC may be forced to disclose information due to a court order.

AHC treats all submitted information as confidential by default, and
will only forward it to concerned parties in order to resolve specific
incidents when consent is implicit or expressly given.

For example: incoming report "Malware on www.example.com/malware, please
get it cleaned up". In this case, we would forward the information only
to the concerned parties (domain-holder, hoster/ISP, appropriate CERTs)
to help them quickly fix the problem.

We will not forward information about incidents to government
authorities or the press without explicit prior permission by the
submitting party.

4.3 Communication and authentication

For normal communication, not containing sensitive information, AHC
might use conventional methods like unencrypted e-mail. For secure
communication, PGP-encrypted e-mail or telephone will be used.

If it is necessary to authenticate a person before communicating, this
can be done either through existing webs of trust (e.g. FIRST, TI, CNW)
or by other methods like call-back, mail-back or even face-to-face
meeting if necessary.

5. Services

5.1 Incident response

AHC will assist IT-Security teams in handling the technical and
organizational aspects of incidents. In particular, it will provide
assistance or advice with respect to the following aspects of incident
management:

5.1.1. Incident triage

  * determining whether an incident is authentic
  * assessing and prioritizing the incident

5.1.2. Incident coordination

  * determining the involved organizations
  * contacting the involved organizations to investigate the incident
    and take the appropriate steps
  * hosting coordination meetings or briefings
  * facilitating contact to other parties which can help resolve the
    incident
  * sending reports to other CERTs

We mainly see ourselves as an information hub which knows where to send
the right incident reports to in order to help and facilitate the
clean-up of IT security incidents.

5.1.3. Incident resolution

  * advising local security teams on appropriate actions along our
    contingencies
  * following up on the progress of the concerned local security teams
  * asking for reports
  * reporting back

AHC will also collect statistics about incidents within its
constituency.

5.2 Proactive activities

AHC tries to

  * raise security awareness in its constituency
  * collect contact information of local security teams
  * publish announcements concerning serious security threats relating
    to the health sector
  * observe current trends in technology
  * distribute relevant knowledge to the constituency
  * provide forums for community building and information exchange
    within the constituency

5.3 Service levels

AHC will always strive to react to incoming incident reports from humans
within one business day. Due to current staffing levels this cannot be
guaranteed, though. If you haven't received feedback to an incident
report after two business days, we ask that you contact us again.

Auto-generated reports and data-feeds will be handled as automatically
as possible.

6. Incident reporting forms

The Austrian Health CERT is at this stage NOT an appointed sectoral CERT
by law. If you want to contact us, use kontakt@health-cert.at under
consideration of encryption (2.8 and 4.3).

7. Disclaimers

While every precaution will be taken in the preparation of information,
notifications and alerts, AHC assumes no responsibility for errors or
omissions, or for damages resulting from the use of the information
contained within.