Recently, we wrote about a study showing a connection between an increase in death rates and cybersecurity policies implemented after a data breach in the healthcare industry. We talked about the importance of ensuring that cybersecurity and operational interests are aligned. However, that study raises another, equally important point: hospitals shouldn’t wait for a breach to occur before implementing appropriate cybersecurity controls. This is a lesson that every industry should learn and is one of the main principles behind cyber resiliency: instead of just trying to prevent the worst from happening, we need to create a risk culture that assumes the worse will happen, then take steps to minimize its impact on essential operations.
And when it comes to the importance of cybersecurity and resiliency for our healthcare industry, the stakes couldn’t be higher. Within a period of two months in 2017, the healthcare industry across the globe was brought to its knees by two unrelated ransomware attacks. Strangely, neither of these attacks intended to target healthcare organizations. Instead, each attack contained a self-replicating virus that accidentally spread beyond their intended targets. But no matter the intentions, these attacks caused hundreds of millions of dollars in damage and affected 40% of healthcare delivery in the U.K.
Fast forward today and the potential consequences of such an attack—intentional or otherwise—on our healthcare system are clearer than ever. In his opening remarks at the CISA National Cybersecurity Summit, Josh Corman, visiting researcher at CISA and founder of I am the Calvary, put the stakes of healthcare cybersecurity into perspective. “In areas affecting the brain, the hearth, the lungs, where time matters, where minutes or hours could be the difference between life and death, mortality rates are affected if you can’t give time-sensitive health care.”
Corman joined CISA this spring to help assure the security of Operation Warp Speed, the U.S.’s initiative to rapidly develop and distribute vaccines, therapeutics, and diagnostics for COVID-19. “Now we need healthcare delivery more than we ever have,” Corman said, “Now an attack during a peak surge in traffic would be absolutely devastating.” And such attacks aren’t just hypothetical. According to one report, U.S. officials have already notified a number of healthcare companies about targeted threats. In particular, the biotech company Moderna, now in stage 3 of COVID-19 vaccine trails, has been targeted by hackers.
These examples drive home the potentially life and death implications of cyber resiliency. We can and should try and prevent attacks from happening, but the reality is that’s not enough. In his talk, Corman lamented a culture within healthcare cybersecurity to wait for “proof of harm” before taking corrective actions. Instead of waiting for harm to occur, Corman argued, a clear, “unmitigated pathway to harm” should be enough to trigger corrective action. This is a lesson that extends far beyond the healthcare industry. All organizations need to create a risk culture that acknowledges and prepares for the harsh reality that, in some shape or form, cyber incidents are going to happen. To prepare for this, Corman outlined a number of key questions every organizations should consider:
- How do you avoid failure?
- How do you capture, study, and learn from failure?
- How do you have a prompt and agile response to failure?
- How do you contain and isolate failure?
Today, attempts to hack, steal, and disrupt systems are not hypotheticals. They are the new normal. Alongside efforts to prevent cyber attacks, organizations needs to be prepared to minimize the impact these attacks will have on essential business and operations.