An article by author Nitin Natarajan, entitled, "How to prepare for cyberattacks that strike during a public health crisis", was featured yesterday (8/22) on the Healthcare IT News website. From the article: "Whether because of a nefarious manmade or natural disaster, hospital IT shops often find themselves strapped during a crisis. The government and private sector have already developed considerable resources to help. Here’s a look at those."
Among the most important topics covered in this important primer is preparedness. According to Natarajan: "The first step is to update your existing public health emergency plans to include a cyber element. These plans need to be exercised and corrective actions from those exercises should revise those policies. Similarly, cyber plans must be assessed to take into account public health emergencies." It goes on to provide information and resources to address attacks.
Derive Healthcare, the dedicated healthcare consulting practice of Derive Technologies, provides a wide-reaching portfolio of services surrounding cybersecurity, wireless security, device and system protection and more, in hospitals, other provider facilities and across care networks. Among Derive's offerings is a complete systems, data and security audit program, which provides a blueprint for the protection of healthcare organizations, with preparedness planning for crisis situations. Derive also partners with the leading technology manufacturers in general business systems and in point-of-care and other healthcare-specific IT.
How to prepare for cyberattacks that strike during a public health crisis
By Nitin Natarajan. August 22, 2017 10:59 AM.
Privacy & Security When large-scale cyberattacks happen, information security professionals should not just be looking at those incidents separate from non-cyber incidents because the next generation of attacks will coordinate the two.
Public health crises, whether naturally occurring or the result of an attack, provide a ripe environment for cyber exploitation. Bad actors want to steal personally identifiable information, financial or emergency response data and the potential opportunities increase significantly during disasters.
Know this: During a large-scale incident hospitals’ IT capabilities may need to be rapidly surged to handle volunteers and new staff, particularly those unfamiliar with your organization’s IT security operations.
We must ensure that the individuals on the front lines of our cyber defense efforts are also engaged and maintain a heightened sense of awareness during these emergencies.
Already available resources
Bioterrorism is not new to the United States. Whether it was the salmonella release in Oregon in 1984 or the failed attempts to poison the Chicago water supply in the 1970s, we have seen and will most likely continue to see these types of incidents on U.S. soil. And in the last few years, there have been a number of global public health emergencies like the influenza pandemic, Zika virus and Ebola outbreak.
The U.S.’s history of preparing for bioterrorism, not to mention the billions of government and taxpayer dollars spent, have created resources and strategies that hospitals should keep pace with and have access to during the next crisis.
The first step is to update your existing public health emergency plans to include a cyber element. These plans need to be exercised and corrective actions from those exercises should revise those policies. Similarly, cyber plans must be assessed to take into account public health emergencies.
Additional scrutiny should also be paid to potential breaches and attacks during times of heightened operations. Essentially, work already occurring in your organization in two independent spheres must be brought closer together and integrated during the steady state to successfully collaborate during emergencies.
Look to government resources
While these steps sound easy, they’ll require the support, and at times, direction from the most senior levels of your organization. Individuals responsible for looking at enterprise risk and mitigation must be willing to accept this new reality and prepare for what will happen in the future.
Federal, state, local, tribal and territorial governments and the private sector have established global biosurveillance capabilities, enhanced domestic laboratory capabilities and capacity, prepared our healthcare infrastructure for surges in patients, established stockpiles of medical countermeasures and countless other activities over the last two decades.
We’ve conducted thousands of exercises of all shapes and sizes and continue to maintain capability and capacity in times of dwindling resources. Some examples within these categories include:
Biosurveillance • Centers for Disease Control (CDC) National Syndromic Surveillance Program/BioSense Platform • Department of Defense Global Emerging Infections Surveillance and Response System • Department of Homeland Security National Biosurveillance Integration Center
- CDC Laboratory Response Network
- State/local chemical and biological laboratory capability/capacity
Medical Countermeasure stockpiles
- CDC Strategic National Stockpile
- CDC Chempack Program
- State/local/hospital stockpiles of medical countermeasures to biological and chemical agents
The exercises conducted have yielded many lessons learned. Hospitals have tested and exercised their ability to respond to a variety of situations including contaminated patients, natural disasters, power outages, active shooter events, and mass casualty events. The lessons learned from these events allowed them to revise their emergency plans to be stronger and better prepared for real-world events.
Not just patient data
In parallel with developing the aforementioned emergency resources, the healthcare industry has seen significant investments in IT infrastructure and security. As technology continues to evolve at a record pace, the threat of cyberattacks grow as well. Both insider and external threats seem to be constantly evolving and becoming more complex and coordinated. We’ve already seen the synthesis of coordinated cyber and ground attacks in military operations.
There have been attacks against the healthcare and public health sector for many years and as recently as May with the WannaCry ransomware attacks.
During a public health emergency, individuals might attempt to nefariously access other information. For example, hackers may want information on the location, quantity or shipping routes for medical countermeasures, if they feel they don’t have access to appropriate care. Foreign entities may be interested in developing a deeper understanding of available U.S. resources, while others might verify whether the data we’re sharing with partner nations matches what public systems are reporting. This type of international interest is also directed at state and local governments, which are perceived as having the same type of data — but on more vulnerable and potentially easier to access networks.
We will see naturally occurring and manmade biological events again. The best way to prepare for this next generation of attacks is to force these two worlds to collide. Only together, can we build and maintain a system to tackle this new frontier of challenges that are just out on the horizon.
(Copyright © 2017 Healthcare IT News, a publication of HIMSS Media. All Rights Reserved.)
Please contact a Derive Healthcare Security Specialist by calling (212) 363-1111, or by completing the form on this page (please specify "Healthcare Security" in the form's comments). You may also register for the HIMSS Healthcare Security Forum (Boston, MA, September 11 - 13, 2017) by clicking on this link.