Over the past two decades alone, our planet has experienced different outbreaks and pandemics ranging from SARS, to Swine Flu, and now COVID-19. Protecting us at the frontline and beyond is the entire healthcare industry. Across the world, governments are gradually opening up their country’s borders.
The stark reality behind some of these decisions is the need to recover national economies from the damage caused by the worldwide trend of national lockdowns in response to the COVID-19 pandemic. As an international security professional and enthusiast, I am concerned about the ramifications on the healthcare industry.
How should companies in the healthcare industry prepare for the future? Your resources and skills will undoubtedly be critical in controlling the COVID-19 pandemic at hand.
You wouldn’t cheat the doctors, researchers, and frontline workers of the most accurate and recent data — not unless you’re a hacker belonging to a despicable incentive system.
The Global Industry Classification Standard and the Industry Classification Benchmark divide the healthcare industry into two core groups: (i) Healthcare Equipment and Services (i.e. Hospitals and Clinics) and (ii) Pharmaceuticals, Biotechnologies, and related life sciences (i.e. Masks and Vaccines). On the whole, the industry has historically been targeted due to its function as an essential service for people’s safety, well-being, and health.
Hospitals, research facilities, and clinics all hold uniquely sensitive assets. These range from patient health data and clinical test results to cutting-edge vaccines and genomic research. This exposes them to attackers with a broad range of motivations, from selling data on the black market to getting ahead of the market through corporate espionage. Some notable incidents are the WannaCry Ransomware attack on British Hospitals a few years back, and the SingHealth Data Breach in Singapore last year.
Fast forward to the present: an article published on BleepingComputer purported that ransomware gangs had announced their intention to pause attacks on organizations in healthcare — given their importance in fighting the pandemic. Whilst this may have sounded like a ceasefire, it was short-lived, as the Ryuk and Snake Ransomware continued to be deployed against hospitals during the height of the pandemic.
As countries ramp up business activity and start the return to normalcy, companies in the healthcare industry will be pressed to adjust to this increased demand, in the form of tools, services, and knowledge to combat the spread of COVID-19. What this means for attackers is that there will be a surge in the circulation of sensitive information, financial transactions, communication chains, and valuable assets.
Remember, if the fortress is well protected, attackers target the convoy in transit.
Strategic and Operational Solutions
In preparation, companies working in the healthcare industry should be adjusting the allocation of financial resources to empower frontline leaders and support the secure management of operational procedures.
On the strategic level, executive stakeholders should consider reviewing current strategies and policies related to the company’s cybersecurity posture. Some notable mentions include how data is protected, accessed, managed, and circulated across the organization. As someone in leadership, you should be aware of the information lifecycle across your organization. In addition, as an executive leadership community, you should be planning for an inevitable breach of security.
During a time of crisis and uncertainty, employees look to their leaders for guidance. For security solutions to be effective, executive stakeholders and their extended management teams must lead by example from the frontline. Consider adjusting financial resources to give staff opportunities to upskill. For businesses operating in Singapore, this is timely given the announcement of the fourth round of economic stimuli and the expansion of training options for employees to upgrade their skills.
As an executive leader, you need to understand that no security solution is 100% effective. Security is a continuous process of preparing for the worst-case scenario regardless of its frequency. To be effective, this requires a balance between maintaining business continuity, efficiency, and security decisions that must come from the top. The U.S. Health and Human Services (HHS), for instance, made sure to put in place extra protective security measures, such that when a Distributed Denial-of-Service (DDoS) attack hit the department in March 2020, the team was well-prepared to mitigate the damage of the malicious activity.
For more information on cybersecurity processes related to the healthcare industry, companies can consider exploring the United States Health Insurance Portability and Accountability Act (HIPAA) and HIPAA-TECH standards as starting points. But be aware that all countries have their respective standards and requirements, so please communicate with your national authorities for more specific information.
The key to operational security success is to be proactive and collaborative in the defense of your company’s IT network.
Teamwork is Key
Security is not, and should never be, the sole responsibility of ONE dedicated team. Responsibilities should be distinguished and properly distributed across the company. Compliance should be monitored by a dedicated legal and compliance team. Human security elements such as background checks should be executed by Human Resources teams.
Aside from providing operational support, companies should also exchange information and help security teams identify business-critical operations, assets, and data that flow throughout the organization. A simple way to do this is through the execution of Data Discovery Exercises and Business Impact Analyses.
If hit by ransomware, like what German medical group Fresenius experienced in May 2020, all teams in the organization should know the appropriate response to quickly isolate infected endpoints and reduce the risk of further infection. Attackers want to cripple hospitals and medical services by denying access to vital files and systems, but a united and educated team can contain the damage.
Putting Plans in Motion
Dialing down into the operational level, managers should consider determining the security of all portable devices connected to their network. This can be done on specific technologies through penetration tests and vulnerability assessments. For companies that may possess a larger operational and physical footprint, full-scale Red Team exercises can be conducted.
If budget is a problem, companies can still proactively protect their technical assets by regularly updating all software and hardware with the proper security patches. Operationally, security teams can implement proactive plans for software updates on all applicable systems, including desktop, mobile, and IoT devices. Updated anti-virus software can help identify potential issues, but even that has to be updated regularly to ensure it is operating with the most recent threat indicators. It is also key to ensure that staff cannot install software on their own before receiving approval. This can be spearheaded with respective security policies (i.e. Acceptable Use), and further operationalized with technical controls onboard company laptops.
For companies operating on the cloud, is access to information properly regulated and controlled based on the principle of Least Privilege? Are you aware of the configuration of your company’s cloud network architecture according to best practices and deployment standards? Are you using the right tools to help you manage your cloud network?
The Bigger Picture
Companies in the medical industry may be working with multiple other tools and services. This can range from Business Process Outsourcing to the provision of tools for specific operational purposes (i.e. DNA Synthesizers and Analyzers). When companies embark on their respective cybersecurity journeys, the focus is usually on themselves and the impacts of a breach on them as an organization. Whilst it is easy to focus internally, it is sometimes important to look at the bigger picture.
Are you securing your company for the sake of compliance? Are you securing your company to appease stakeholders? Are you securing your company to reduce potential costs from lawsuits and fines? When operating in the medical industry — whether Healthcare Equipment and Services or Pharmaceuticals, Biotechnologies, and related life sciences — you are part of a larger medical community of doctors and providers on the frontline, and you owe it to the people you’re serving to ensure the protection and integrity of data.
You wouldn’t lie to your doctor. So do your part and make sure your team has the data they need to save lives, and possibly, our future.