Healthcare Cybersecurity and Risk Culture

Recently, we wrote about a study showing a connection between an increase in death rates and the cybersecurity policies hospitals implemented after a data breach. We talked about the importance of ensuring that cybersecurity and operational interests are aligned. However, that study raises another, equally important point: hospitals shouldn’t wait for a breach to occur before implementing appropriate cybersecurity controls. This is a lesson every industry should learn, and it is one of the main principles behind cyber resiliency: instead of only trying to prevent the worst from happening, we need to create a risk culture that assumes the worst will happen, and then take steps to minimize its impact on essential operations.

And when it comes to the importance of cybersecurity and resiliency for our healthcare industry, the stakes couldn’t be higher. Within a period of two months in 2017, the healthcare industry across the globe was brought to its knees by two unrelated ransomware attacks. Strangely, neither attack was intended to target healthcare organizations. Instead, each carried a self-propagating worm that spread far beyond its intended targets. But whatever the intentions, these attacks caused hundreds of millions of dollars in damage and affected 40% of healthcare delivery in the U.K.

Fast forward to today, and the potential consequences of such an attack, intentional or otherwise, on our healthcare system are clearer than ever. In his opening remarks at the CISA National Cybersecurity Summit, Josh Corman, visiting researcher at CISA and founder of I Am The Cavalry, put the stakes of healthcare cybersecurity into perspective: “In areas affecting the brain, the heart, the lungs, where time matters, where minutes or hours could be the difference between life and death, mortality rates are affected if you can’t give time-sensitive health care.”

Corman joined CISA this spring to help secure Operation Warp Speed, the U.S. initiative to rapidly develop and distribute vaccines, therapeutics, and diagnostics for COVID-19. “Now we need healthcare delivery more than we ever have,” Corman said. “Now an attack during a peak surge in traffic would be absolutely devastating.” And such attacks aren’t just hypothetical. According to one report, U.S. officials have already notified a number of healthcare companies about targeted threats. In particular, the biotech company Moderna, now in Phase 3 of its COVID-19 vaccine trials, has been targeted by hackers.

These examples drive home the life-and-death implications of cyber resiliency. We can and should try to prevent attacks from happening, but the reality is that prevention alone is not enough. In his talk, Corman lamented a culture within healthcare cybersecurity of waiting for “proof of harm” before taking corrective action. Instead of waiting for harm to occur, Corman argued, a clear, “unmitigated pathway to harm” should be enough to trigger corrective action. This lesson extends far beyond the healthcare industry. All organizations need to create a risk culture that acknowledges and prepares for the harsh reality that, in some shape or form, cyber incidents are going to happen. To prepare for this, Corman outlined a number of key questions every organization should consider:

  1. How do you avoid failure?
  2. How do you capture, study, and learn from failure?
  3. How do you have a prompt and agile response to failure?
  4. How do you contain and isolate failure?

Today, attempts to hack, steal, and disrupt systems are not hypotheticals. They are the new normal. Alongside efforts to prevent cyber attacks, organizations need to be prepared to minimize the impact those attacks will have on essential business and operations.

Supply Chains — Your Weakest Link?

With COVID-19, every business is finding its bearings in uncharted territory: working through changing restrictions, managing a remote workforce, and adapting to changing client needs.

As you go through your business continuity checklist or contingency plans, don’t forget to include your suppliers and related third parties in your considerations. You might have the resources to weather this, but do they? And if a critical vendor in your supply chain is unable to deliver, what does that do to your ability to deliver?

Make sure you take the time to evaluate your supply chain. If you haven’t done so already, at minimum take these steps:

  1. Prioritize your supply chain vendors: Go through all your vendors and ask yourself what would happen to your business if each vendor could not deliver. Rank each vendor by the risk it poses to you should its commitments fall through.
  2. Get on the phone with your highest-risk vendors. Talk with them about the current situation. Learn what strategies they have in place to respond to potential disruptions to their workforce, their operations, or their own critical third parties. Get details and be prepared to probe as if they were part of your business. Because, after all, they are.
  3. Treat those vendors like partners. At this point, you need each other. Be prepared to restructure deals or assist in other ways to help a vendor keep up its commitments. It will help you keep clients and pay off in spades down the road.
  4. Don’t let quality control fall by the wayside. When stretched, certain things will fall short. However, at the end of the day, you want to be sure you are delivering a reliable product to your customers. Keep doing the things that ensure your vendors are providing a quality product.
  5. Make contingencies. Some vendors will be there with you and for you (and you for them). Some will not be able to. Review the contractual commitments you have and explore alternatives. It may not be easy to switch horses in midstream, especially when the stream is raging, but you may not have a choice.

Napoleon once said that an army marches on its stomach, meaning that it is critical to keep it well provisioned. One could say that a company, indeed the entire economy, marches on its supply chain. Make sure you understand where yours is strong and, especially, where it is weak.

The time you spend with your supply chain might make all the difference.


Bugs in-not-on the Mobile Windshield

These days, our smartphone is literally our life. Everything we need (or think we need) is in it. Everything we want to know or do can be done with it.

Of course, it is also a great way for the bad guys to get to you. You may think you are downloading a “clean app” only to find it is infected, as last month’s news about 25 million Android phones infected by malware that replaced legitimate apps such as WhatsApp with infected copies illustrates.

But in some cases, even if you are extra careful about the apps you download, your phone may already be infected. The reason is that the smartphone you buy may already carry 100 to 400 preinstalled apps selected by the phone manufacturer and its partners. As noted in a Black Hat presentation, these preinstalled apps have become a target for attackers because they are a great way to distribute malware as far and as fast as possible: one compromised component ships on every unit of a model. Worse, preinstalled apps often hold privileged permissions that ordinary apps cannot obtain, and many cannot be uninstalled by the user. What can this malware do? It could provide a means for remote access, key-logging, or activity monitoring, for starters. Not necessarily what you want when your whole life revolves around your phone.
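To make the preinstalled-app problem concrete, here is an added example (not code from the original post or from the Black Hat presentation it cites) that inventories what a phone ships with. It assumes adb access to the device and parses the real output format of `adb shell pm list packages -f` (one `package:<apk path>=<package name>` line per app); the sample output and the `BASELINE` set of expected packages are constructed for illustration, and the partition and `priv-app` classification is the author's own heuristic.

```python
"""Inventory the preinstalled packages on an Android device.

Added example, not code from the original page. It parses the output of
`adb shell pm list packages -f` (real command; each line reads
`package:<apk path>=<package name>`), classifies each package by the
partition it lives on, and flags preinstalled packages that are not on
an expected baseline. SAMPLE_PM_OUTPUT and BASELINE are constructed.
"""
import sys
from collections import Counter

# Constructed sample, not captured from a real device. The /data/app path
# with the "~~...==" segment mirrors the layout of newer Android releases.
SAMPLE_PM_OUTPUT = """\
package:/system/app/Bluetooth/Bluetooth.apk=com.android.bluetooth
package:/system/priv-app/Settings/Settings.apk=com.android.settings
package:/product/app/WeatherWidget/WeatherWidget.apk=com.vendor.weather
package:/vendor/app/DiagTool/DiagTool.apk=com.vendor.diag
package:/system/priv-app/UpdateHelper/UpdateHelper.apk=com.thirdparty.updater
package:/data/app/~~Qx9==/com.whatsapp-1/base.apk=com.whatsapp
"""

# Hypothetical baseline of packages you expect the OEM image to carry
# (for example, taken from a freshly flashed reference device).
BASELINE = {
    "com.android.bluetooth",
    "com.android.settings",
    "com.vendor.weather",
    "com.vendor.diag",
}

# Read-only partitions that hold firmware-bundled apps; anything else
# (normally /data) is treated as a user install.
PREINSTALLED_PARTITIONS = {"system", "system_ext", "product", "vendor", "odm", "oem"}


def parse_pm_list(text):
    """Return [(apk_path, package_name), ...] from `pm list packages -f` output."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("package:"):
            continue
        # Split on the last '=' because the APK path itself may contain '='.
        path, sep, pkg = line[len("package:"):].rpartition("=")
        if sep and path and pkg:
            entries.append((path, pkg))
    return entries


def partition_of(path):
    """Top-level partition of an APK path, or 'user' for non-firmware installs."""
    parts = path.split("/")
    top = parts[1] if len(parts) > 1 else ""
    return top if top in PREINSTALLED_PARTITIONS else "user"


def is_privileged(path):
    """APKs under a priv-app directory may hold privileged permissions
    that ordinary installed apps cannot request."""
    return "/priv-app/" in path


def summarize(entries):
    """Count packages per partition."""
    return Counter(partition_of(path) for path, _ in entries)


def unexpected_preinstalled(entries, baseline):
    """Preinstalled packages (non-user partitions) missing from the baseline."""
    return sorted(pkg for path, pkg in entries
                  if partition_of(path) != "user" and pkg not in baseline)


def privileged_packages(entries):
    """Packages installed with privileged status, sorted by name."""
    return sorted(pkg for path, pkg in entries if is_privileged(path))


if __name__ == "__main__":
    # Usage: adb shell pm list packages -f > pm.txt && python inventory.py pm.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_PM_OUTPUT
    entries = parse_pm_list(text)
    print("packages per partition:", dict(summarize(entries)))
    print("privileged:", privileged_packages(entries))
    print("preinstalled but not in baseline:",
          unexpected_preinstalled(entries, BASELINE))
```

A baseline diff only tells you what differs from a reference image; a tampered component keeps its package name, so the next step for anything on the privileged list is to `adb pull` the APK and compare its hash and signing certificate against a known-good copy from the manufacturer.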

One key point is that attackers are not just focusing on the end user; they are embedding their malware in the supply chain, knowing that it will ultimately wind up with the target they are after. Companies have to thoroughly vet the security of the technologies they use to build products and services for their customers.

And, of course, smartphone users should practice good mobile hygiene: periodically prune the apps on your phone, run anti-virus software (certainly on Android phones), keep the operating system up to date, use a password manager, and use a VPN service when you are on the road. And, as the airplane pre-flight instructions say, take care of your own phone first, then assist others, such as your children and their phones.