3 tips to prep for large-scale cyberattack

By Tom Sullivan
08:03 AM
‘The real way to think about risk management is to include in your calculus the outlier event’

However unlikely a large-scale cyberattack might seem to most CIOs and CISOs, hospitals should be preparing for one nonetheless.

That's the contention put forth by Richard Clarke, who served as cybersecurity czar to three U.S. Presidents and is now a security consultant and author slated to deliver the opening keynote at the HIMSS and Healthcare IT News Privacy and Security Forum in Boston in early December.

The sort of outlier events that Clarke refers to include attacks on American infrastructure, electrical grids, nuclear plants and, on a smaller but still threatening scale, hospital databases and medical devices.  

"Cybersecurity is all about risk management and it needs to be perceived through the filter of a risk management focus," Clarke told Healthcare IT News. "The real way to think about risk management is to include in your calculus the outlier event."


Clarke offered three tips to hospital executives to prepare for a large-scale cyberattack, whether it's pointed directly at them or a regional attack that could impact them:

1. Focus on generators and fuel. This involves determining where to place a generator, where to store your oil and gas, and ensuring that you can get more oil and gas after the first 24 hours. When the tsunami hit Fukushima and sent water over the sea walls, engulfing the generators, which were at sea level, there was no way to cool the nuclear cores, and that triggered a meltdown. On Sept. 11, in the World Trade Center 7 tower, the generator was on the 10th floor but the fuel was, too. So when shards fell from towers 1 and 2, they ignited 7. "People are constantly putting generators in the wrong place," Clarke said. Of course, the ideal location will vary from one site to the next, making the task complex.

2. Lock down medical devices. In day-to-day operations, hospitals must make sure that medical devices are air-gapped and on a network that is disconnected from any network that could be connected to the Internet. "We find over and over again that people think a network is air-gapped when it's not," Clarke explained. "You really have to work at that because if you're on a life-sustaining device, you don't want that device to be addressable, even if it involves two hops to get there."

3. Protect the privacy of patients and employees. "Most hospitals have a rich database of information that is of value to somebody, and we know that because people are constantly trying to harvest it," Clarke said. Indeed, hospital executives and security specialists know that medical data theft is happening even if they don't understand the full extent. And there's worse: although we have not seen it very often yet, beyond merely stealing data lies the threat of destroying PHI, PII and intellectual property. "We know it's possible and it could happen in healthcare," Clarke said. "If it's possible that something could happen, then it might. And the destruction of medical information or equipment is possible, and therefore it might happen, and therefore it needs to be on the risk register."

Clarke's keynote, titled Cybersecurity 2015: From Theft to Destruction, is scheduled for Tuesday Dec. 1 at 9:05 a.m. 

The Healthcare IT News Privacy and Security Forum runs from Dec. 1-Dec. 3 at the Westin Boston Waterfront.
