How healthcare can strengthen its own cybersecurity resilience
Taylor Lehmann
Director, Office of the CISO, Google Cloud
Seth Rosenblatt
Security Editor, Google Cloud
With all the crises that have buffeted the healthcare and life sciences industries the past two years, one that often gets overlooked is the unceasing wave of cyberattacks aimed at medical, research, educational, and public health organizations.
These attacks have shut down critical systems, attempted to steal vaccines and other research, and even halted paychecks from reaching front-line healthcare workers. Coming at the wrong time, these attacks can be as detrimental as a new outbreak or shortage of supplies by causing delays in care, or worse; distracted administrators are forced to tackle network and computer systems failures when so much else should have their attention.
Malicious attackers brought down the systems of at least 560 healthcare facilities and providers in 2020 alone, demanding they pay to restore care operations. These facilities faced difficult choices. Do they divert patients experiencing medical emergencies to facilities hours away? Should they send patients home and delay their care until IT administrators recover their systems? Should money allocated to treat patients instead be paid to criminal organizations in exchange for restoring operations?
These decisions are never easy. Attackers are targeting healthcare and life science organizations at this time precisely because they know how vulnerable they are and how critical their work is—always, but especially now.
The best way to put an end to these persistent threats and preserve patient care and safety is to improve the resilience of healthcare organizations’ IT systems so that they can overcome these attacks.
When healthcare institutions look for cybersecurity best practices, they might do well to look to their own industry for inspiration. There is much to be gained from an approach akin to exposure therapy.
In exposure therapy, a trained clinician works safely and carefully to expose a patient to a stimulus that creates extreme, temporary stress. The long-term goal is to help the patient identify, manage, and eventually eliminate that stress through regular exposure.
Concepts taken from this approach can be applied in ways that help an organization improve its cybersecurity posture, too. By regularly simulating cybersecurity threats and the operational impacts that result from them, security leaders can help their organizations get better at identifying, managing, and eventually eliminating entire categories of threats.
Since cybersecurity threats are always evolving, organizations need to develop an ever-maturing security posture that helps maintain resilience to new threats. A key part of this is adopting basic security controls and improving them over time. These practices are an essential starting point that healthcare organizations of any size or level of technical sophistication can begin implementing today.
In this first of a series of blogs on the cybersecurity challenges facing healthcare organizations, we examine how they can improve their resilience to cybersecurity threats. Given how technologically advanced these healthcare institutions are, taking these steps should not only improve security outcomes but also business outcomes and—above all—patient care.
Getting cybersecurity resilience going
Pick a framework to establish posture and begin to build the basics
Leaders should pick a cybersecurity framework to understand and measure the effectiveness of their programs and specifically their ability to avoid catastrophic events, like a ransomware attack, on their infrastructure. Some frameworks, like the NIST Cybersecurity Framework and the NIST CSF Ransomware Profile, provide a place for security leaders to benchmark their organization’s ability to address specific types of cyberattacks, like ransomware—and offer guidance to help stop those threats.
A framework provides an important mental model for understanding and mapping an organization's controls and abilities against the threats it faces. Most importantly, organizations that take the time to understand the maturity of their existing security program will have a comprehensive initial assessment they can use to inform the organization and its decision makers, and against which all future progress can be compared.
Bottom line: Benchmark the current security program, choose a framework to apply, and use it to track maturity and pinpoint needed areas of growth.
Make assets more visible
In order to develop more resilient systems, we must prioritize efforts to build “muscle” in visibility engineering. Visibility engineering focuses on the design and implementation of mechanisms that deliberately capture and report asset data. That data sheds light on subjects such as servers, applications, and data stores, as well as their component parts and, crucially, where those parts come from.
To figure out which of an organization’s assets are worth protecting, we must first establish what an asset’s value is. In the past, an asset’s true value reflected how much it cost to replace it and to resolve any related compliance failures.
Today, the true value of any healthcare organization’s assets intersects with patient safety, research confidentiality and integrity, and the ability to share data across care settings. A critical part of that equation is the role the asset plays in operational awareness, the top-level business risks associated with those operations, and any corresponding security vulnerabilities.
To do this, map out the key organizational assets relied on to deliver critical healthcare services, and continually improve how they are discovered and tracked. Leaders need to consider internal and external perspectives on what makes an asset valuable by carefully analyzing where assets are deployed - and the supply chains that produced them in the first place.
While implementing effective visibility engineering practices can be difficult for most on-premises infrastructures, they are much easier to develop and deploy in cloud environments. Teams with basic skills in using cloud APIs and built-in data analytics to collate and produce reliable data can gain more visibility into their assets with less effort than on-premises.
Bottom line: Infrastructure- and security-as-code mechanisms, composable application architecture, and deployment integrity-checking practices can surface useful insights on resilience vulnerabilities and prevent asset compromise. Google Cloud has developed multiple additional resources on how to improve supply chain visibility.
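As an added illustration of the asset data that visibility engineering is meant to capture (this is example code written for this article, not a Google Cloud product or tool), the following model records each asset with where it is deployed, its component parts, the supplier each part came from, and the critical care services that rely on it. It then answers the questions a security leader would ask from such an inventory: which care services are exposed if a given component or supplier is compromised, and which assets carry the most operational weight. All asset, supplier, and service names are constructed sample values.

```python
"""Minimal asset-visibility model: assets, their component parts and
suppliers, and the critical care services that depend on each asset.
All data below is constructed for illustration."""
from collections import defaultdict

# Constructed inventory: asset -> deployment location, components with
# their supplier of origin, and the critical services relying on the asset.
ASSETS = {
    "ehr-app-server": {
        "location": "cloud",
        "components": {"ehr-core": "VendorA", "openssl": "upstream", "java-runtime": "VendorB"},
        "services": {"emergency-room", "outpatient-clinic"},
    },
    "lab-results-gateway": {
        "location": "on-prem",
        "components": {"hl7-router": "VendorC", "openssl": "upstream"},
        "services": {"emergency-room", "lab-testing"},
    },
    "scrubs-ordering": {
        "location": "on-prem",
        "components": {"inventory-app": "VendorD"},
        "services": {"operating-room"},
    },
    "infusion-pump-controller": {
        "location": "biomed-network",
        "components": {"pump-firmware": "VendorE"},
        "services": {"operating-room", "emergency-room"},
    },
}


def build_index(assets=ASSETS):
    """Reverse indexes: component name -> assets, supplier -> assets."""
    by_component, by_supplier = defaultdict(set), defaultdict(set)
    for name, asset in assets.items():
        for component, supplier in asset["components"].items():
            by_component[component].add(name)
            by_supplier[supplier].add(name)
    return by_component, by_supplier


def impacted_services(component=None, supplier=None, assets=ASSETS):
    """Assets and critical services exposed if a component or supplier is compromised."""
    by_component, by_supplier = build_index(assets)
    hit = set()
    if component:
        hit |= by_component.get(component, set())
    if supplier:
        hit |= by_supplier.get(supplier, set())
    services = set()
    for name in hit:
        services |= assets[name]["services"]
    return sorted(hit), sorted(services)


def rank_assets(assets=ASSETS):
    """Assets ordered by how many critical services depend on them (most first)."""
    return sorted(assets, key=lambda n: (-len(assets[n]["services"]), n))
```

Running impacted_services(component="openssl") shows that a single shared upstream library reaches both the cloud-hosted EHR and the on-premises lab gateway, which is exactly the supply-chain view the inventory is meant to make visible.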
3 practices to better understand systems and assets
Healthcare security leaders understandably have kept their focus on maintaining the confidentiality, availability, and integrity of protected health information as a first principle, largely due to compliance mandates like the Health Insurance Portability and Accountability Act.
However, compliance is not enough. Leaders should ensure their 2022 plans incorporate realistic defense and response priorities for dealing with cybersecurity attacks, and balance their security investments to address the areas where they are most susceptible to the highest impact events. While compliance mandates are important, it is equally important to focus on practices that maintain and improve resilience and operational stability in the face of these threats.
1. Model your threats. Threat modeling on-premises and cloud workflows helps enumerate and understand how relevant threats affect your operations, and illuminates the avenues threat actors will use to work against your defenses. Adopting threat modeling as a regular practice for onboarding new technologies, service providers, and business processes, and also as part of daily operations, will help identify top tactical security priorities. Doing this as a regular practice in 2022 will help identify and close vulnerabilities that threaten the resilience of health organizations.
Start small and build up. Organizations that do great threat modeling all have one thing in common - they have started threat modeling.
Begin by asking, “What could go wrong and how can we stop it? How can we keep going even if something goes wrong?” The Software Engineering Institute (SEI) has compiled a list of excellent resources to consider when conducting threat modeling activities. For Google Cloud Security’s perspective, listen to our podcast on the topic and see further Google guidance.
2. Conduct creative ‘stress’ tabletop exercises. Tabletop exercises (TTXs) should be used to prepare an entire organization to respond to a cyberattack, including leadership and technical response teams, and non-technical responders such as public relations, internal and external communications, legal, third-parties, and clinical teams. TTX outcomes can highlight an organization's vulnerabilities and risks before a real cyberattack harms patients. Well-planned TTXs also reveal a data-driven approach to prioritizing which risks to address first and how rapidly to do so.
For those reasons, TTXs need to be scheduled regularly (we recommend at least semi-annually), incorporate increasingly stressful scenarios based on real-world cyberattacks from the past, and assess capabilities to prevent, detect, and evict threat actors. Make sure to assess the organization’s ability to sustain care delivery and coordinate operations when events do unfold, specifically:
Critical acute care functions, like emergency rooms, operating rooms, and biomedical equipment and systems;
Outpatient and ambulatory services, areas often ignored by these exercises since they tend not to be ‘emergency operations’ within an integrated health system;
Working with key suppliers to develop and deliver treatments, goods, and critical services;
For organizations that manufacture treatments, the ability to manufacture and deliver critical treatments without compromising quality for speed.
Organizations should use TTXs to assess an entire organization's response capability. TTXs should ideally assess response capabilities from different levels and with different audiences. The TTX conducted for a leadership team might not go deep enough for an incident response team. Ensuring that all teams in an organization experience an appropriate TTX can be tricky, so be sure to vary the nature, timing, and extent of the TTX exercises.
Biotech and life sciences organizations should use TTXs to explore scenarios where there are severe limits on the availability of raw materials, specialized testing equipment, technology supplies, and even protective clothing. An outage in a system that does nothing more than order and manage the supply of scrubs or test results can bring care operations to a hard stop.
TTXs are opportunities for organizations to learn about their actual resilience posture and spark institutional motivation to improve their response plans and abilities. That’s most likely to occur when in-depth post-mortem analyses are used to ensure teams benefit from tabletop exercises.
Leverage CISA’s tabletop exercise packages if you need ideas on conducting tabletop exercises. Learn from Google’s site reliability engineering (SRE) guidance on conducting post-mortems.
3. Establish ‘antifragile’ mechanisms. An antifragile mechanism exposes an organization to shock and disorder in order to learn from failures and rapidly improve so the system is better protected from future threats.
One antifragile mechanism in cybersecurity is called purple teaming, a collaborative exercise conducted between defenders and attackers. They pair up to understand how attacks and defenses work through ‘live fire’ exercises with an audience of observers and occasional breaks to share information. Realism is a key component of purple teaming, and participants can take on different personas and use different tools to more closely simulate actual threats.
Although it is not necessarily an explicit assessment mechanism, another example is autonomic security operations, which identify threats using advanced data analytics and take automatic action. By automatically analyzing activity data that systems may already be generating in the form of logs or network packet captures, autonomic security operations learn good from bad and apply prevention measures when they encounter threats. Autonomic systems are constantly learning and implementing fixes quickly and often, without human intervention.
Antifragile mechanisms can be adopted immediately to help security leaders hunt and eliminate threats to digital resilience. Read Google Cloud’s whitepaper on autonomic security operations here.
From providers to payers, biotechnology firms to life sciences companies, the security and resilience of these organizations keep them able to deliver the life-saving and life-preserving care that our loved ones, and entire societies, need.
While there may be more and different ways to drive resilient practices that parallel concepts found in ‘exposure therapy,’ we believe what is most critical is that organizations take the time to build and operate mechanisms that improve their awareness of their critical assets, of their vulnerabilities, and of how prepared they are to defend against threats to their operational resilience.