How to prepare for cyberattacks that strike during a public health crisis

Whether because of a nefarious manmade or natural disaster, hospital IT shops often find themselves strapped during a crisis. The government and private sector have already developed considerable resources to help. Here’s a look at those.
By Nitin Natarajan
10:59 AM
Share

When large-scale cyberattacks happen, information security professionals should not just be looking at those incidents separate from non-cyber incidents because the next generation of attacks will coordinate the two.

Public health crises, whether naturally occurring or the result of an attack, provide a ripe environment for cyber exploitation. Bad actors want to steal personally identifiable information, financial or emergency response data and the potential opportunities increase significantly during disasters.

[Register Now: Upcoming HIMSS Healthcare Security Forum]

Know this: During a large-scale incident hospitals’ IT capabilities may need to be rapidly surged to handle volunteers and new staff, particularly those unfamiliar with your organization’s IT security operations.

We must ensure that the individuals on the front lines of our cyber defense efforts are also engaged and maintain a heightened sense of awareness during these emergencies.

Already available resources

Bioterrorism is not new to the United States. Whether it was the salmonella release in Oregon in 1984 or the failed attempts to poison the Chicago water supply in the 1970s, we have seen and will most likely continue to see these types of incidents on U.S. soil. And in the last few years, there have been a number of global public health emergencies like the influenza pandemic, Zika virus and Ebola outbreak.

The U.S.’s history of preparing for bioterrorism, not to mention the billions of government and taxpayer dollars spent, have created resources and strategies that hospitals should keep pace with and have access to during the next crisis.

The first step is to update your existing public health emergency plans to include a cyber element. These plans need to be exercised and corrective actions from those exercises should revise those policies. Similarly, cyber plans must be assessed to take into account public health emergencies.

Additional scrutiny should also be paid to potential breaches and attacks during times of heightened operations. Essentially, work already occurring in your organization in two independent spheres must be brought closer together and integrated during the steady state to successfully collaborate during emergencies.

Look to government resources

While these steps sound easy, they’ll require the support, and at times, direction from the most senior levels of your organization. Individuals responsible for looking at enterprise risk and mitigation must be willing to accept this new reality and prepare for what will happen in the future.

Federal, state, local, tribal and territorial governments and the private sector have established global biosurveillance capabilities, enhanced domestic laboratory capabilities and capacity, prepared our healthcare infrastructure for surges in patients, established stockpiles of medical countermeasures and countless other activities over the last two decades. We’ve conducted thousands of exercises of all shapes and sizes and continue to maintain capability and capacity in times of dwindling resources. Some examples within these categories include:

Biosurveillance • Centers for Disease Control (CDC) National Syndromic Surveillance Program/BioSense Platform • Department of Defense Global Emerging Infections Surveillance and Response System • Department of Homeland Security National Biosurveillance Integration Center  

Laboratory Capabilities/Capacities

  • CDC Laboratory Response Network
  • State/local chemical and biological laboratory capability/capacity  

Medical Countermeasure stockpiles

  • CDC Strategic National Stockpile
  • CDC Chempack Program
  • State/local/hospital stockpiles of medical countermeasures to biological and chemical agents  

The exercises conducted have yielded many lessons learned. Hospitals have tested and exercised their ability to respond to a variety of situations including contaminated patients, natural disasters, power outages, active shooter events, and mass casualty events. The lessons learned from these events allowed them to revise their emergency plans to be stronger and better prepared for real-world events.

Not just patient data

In parallel with developing the aforementioned emergency resources, the healthcare industry has seen significant investments in IT infrastructure and security. As technology continues to evolve at a record pace, the threat of cyberattacks grow as well. Both insider and external threats seem to be constantly evolving and becoming more complex and coordinated. We’ve already seen the synthesis of coordinated cyber and ground attacks in military operations.

There have been attacks against the healthcare and public health sector for many years and as recently as May with the WannaCry ransomware attacks.

During a public health emergency, individuals might attempt to nefariously access other information. For example, hackers may want information on the location, quantity or shipping routes for medical countermeasures, if they feel they don’t have access to appropriate care. Foreign entities may be interested in developing a deeper understanding of available U.S. resources, while others might verify whether the data we’re sharing with partner nations matches what public systems are reporting. This type of international interest is also directed at state and local governments, which are perceived as having the same type of data — but on more vulnerable and potentially easier to access networks.

We will see naturally occurring and manmade biological events again. The best way to prepare for this next generation of attacks is to force these two worlds to collide. Only together, can we build and maintain a system to tackle this new frontier of challenges that are just out on the horizon.

Nitin Natarajan is a principal at Cadmus, a business management consulting firm in Washington, DC. Natarajan has more than 20 years of experience leading homeland security, emergency response, healthcare and public health and environmental initiatives at the Environmental Protection Agency, the National Security Council, the Department of Health and Human Services and local government.