S4x23 Review Part 3: Healthcare Cybersecurity Sessions
This third report on S4x23, held last February, focuses on the healthcare sector. Over the past two years, the healthcare sector has been in a constant state of emergency due to the COVID-19 pandemic, and as widely reported in the media, it has also been threatened by cyberattacks such as ransomware. I highlight two sessions that discuss the lessons learnt from experiencing such critical situations to promote risk management and cybersecurity.
What Is A Critical Service? A Hierarchy Of Needs:
Munish Walther-Puri, Exiger, Sr. Director
Munish had a front-row seat to critical infrastructure security and incident response as the Director of Cyber Risk for New York City's Cyber Command. Based on this experience, Munish proposed a framework for defining a threshold that would be met if an incident directly affected critical services, had an operational impact, and/or occurred simultaneously in multiple sectors.
He said that individuals experienced the issues locally. The pandemic suddenly forced us to reconsider the meaning of prioritisation. According to Maslow's hierarchy of needs, the lowest level is physiological needs, followed by safety needs. We needed to prioritise services by determining what would have lasting impacts and how important they were. For example, a power or gasoline supply outage would have an immediate impact, but garbage collection would not be as urgent.
In planning for service outages in New York City, we faced four challenges.
- Definitions of critical infrastructure: the sectors targeted differ in the US, Canada, and Australia.
- Services do not operate solely within one sector: even if sectors are defined at the national level, local service provision cannot be separated.
- Services are classified into 55 critical functions, but assumptions about relative importance are necessary for consensus on importance.
- Cascade failure: sector-based approaches overlook issues of interdependence.
To allocate resources, he focused on services rather than sectors. He then defined thresholds to hierarchise importance: whether an incident directly affects critical services and whether it affects multiple sectors. He created three levels for truly critical service delivery:
- Life safety: emergency, law enforcement, public health, sanitation, water
- Duty of care and Community: education, elections, healthcare, shelters, corrections
- Processing and management: tax collection, fees & payments, payroll, permits.
By ensuring these services, public safety and emergency services, public health and welfare, community services, financial stability and economic health can be protected. In addition, he defined telecom, data, power, and cargo as high criticality in securing these interdependencies.
The framework he presented is just one case from New York City, an example of service governance in the high-population-density environment of a big city. He stated that cyber defence priorities and mutual assistance and support are essential to allocate resources properly.
Consequences & Lessons from the CISA COVID Task Force:
Josh Corman, I Am the Cavalry, Founder
Joshua Corman is the founder of I Am the Cavalry, a grassroots organisation focused on the intersection of digital security, public safety, and human life. He previously served as chief strategist of the Cybersecurity and Infrastructure Security Agency (CISA)’s COVID Task Force, where he advised on CISA’s integrated industry engagement efforts supporting the pandemic response, provided cybersecurity expertise on healthcare infrastructure, and supported the agency’s control systems and life safety initiatives.
He shared some stories and lessons learnt from his experience on the COVID Task Force.
COVID Task Force
In 2017, before the pandemic, he was involved in providing a report to improve cybersecurity in the healthcare industry as a member of the Healthcare Cybersecurity Task Force.
The report raised concerns that the healthcare industry was in critical condition, citing a severe lack of security talent, legacy equipment, premature/over-connectivity, vulnerabilities impacting patient care, and an epidemic of known vulnerabilities. He later worked on initiatives to protect medical care during the pandemic as part of CISA's COVID Task Force.
One example of their projects was to protect the vaccine supply chain.
First, they analysed the vaccine supply chain. The 7 candidate vaccines were supported by 23 actors, and they were linked with 4000 suppliers. They prioritised the suppliers based on their impact, dependency, availability of alternatives, and supply shortages, resulting in 66 suppliers to protect. Next, they identified risks to be addressed for Operation Warp Speed, a US government initiative to accelerate the development, manufacturing, and distribution of the COVID vaccine.
The risks included:
- espionage for development and testing,
- disruption of mass production,
- physical barriers during distribution, and
- mis/dis/malinformation about vaccine uptake.
One specific case was the distribution of vaccines that needed to be refrigerated. The problem was a shortage of dry ice and limitations on air transportation. Based on their supply chain analysis, they decided to use resources from cheese distribution to keep dry ice and switch to ground transportation.
Capacity of healthcare delivery
Carrying capacity in health delivery organisations means their capacity to accommodate and process healthcare services. It is supported by three elements: space, supplies, and staff.
During the pandemic, these three elements affected each other, resulting in a total decrease of capacity.
First, the increase in demand for medical care caused a shortage of commodities, leading to delays and a decline in medical care. Second, the shortage of commodities such as personal protective equipment (PPE) increased the exposure of healthcare workers to the virus, resulting in a temporary shortage of staff. Third, the increase in demand for medical care led to prolonged exposure time for healthcare workers, resulting in their infection and absence from work, leading to a decline in treatment.
This had a cascading impact on hospitals in rural areas adjacent to urban areas, endangering the lives of people in the entire region. The rising death toll in the areas where COVID cases were high was not limited to people who died from COVID; more people than would be expected were also dying from other causes. The technical term for this is excess deaths. Excess death data from 2020 captured large increases in deaths from causes other than COVID, including Alzheimer disease, diabetes, heart diseases, and cerebrovascular diseases.
Medical technology supports the three elements of healthcare services (space, supplies, and staff) that save people's lives. Ransomware attacks these technologies and disrupts the three elements. In particular, it decreases staff capacity, which endangers people's lives. In fact, in 2019, a baby was born with complications and died in Alabama because a clinical physician could not access electronic medical records and patient monitoring systems due to a ransomware attack. We must never let this happen again.
As a statistical analysis by the task force shows, a decrease in capacity leads to excess deaths. Cyber attacks have short-term and long-term effects on medical care capacity even if it would threaten patient safety directly. Short-term effects include disruption to emergency services and patient portal access (including viewing medical records, test results, and making appointments). Long-term downstream effects include surgery and cancer treatment cancellations or delays, closure of COVID testing sites, inability to submit radiographic images, and loss of communication with other hospitals. As a result, hospitals need to transfer critical patients to distant locations, use paper-based records, and temporarily suspend high-risk patient care.
Cyber attacks disrupt medical systems' ability to access electronic health records (EHR) and perform procedures that require detailed information, such as cardiac technology. This greatly reduces capacity and leads to situations where new patients cannot be accepted. Transferring critically ill patients takes longer than usual, reducing bed capacity and lowering bed occupancy rates.
He suggested that people will die without the collaboration of multiple agencies. On a value chain of critical services across multiple sectors, a single disruption has a cascading impact overall. To stratify critical infrastructure, we need to classify the services for life safety as latency-intolerant, latency-sensitive, or latency-insensitive, which requires new cross-sectoral constructs.
I think that current medical services are maintained by various technologies, and hospitals themselves need to build resilience to cyber threats in the value chain across multiple sectors. A Trend Micro evangelist discussed the ransomware landscape, cybersecurity challenges within hospitals, and cybersecurity strategy to protect patients’ health information and critical operations in an on-demand webinar.
In the next, fourth post, I will report on the discussion about Industrial IoT in manufacturing.
- I Am The Cavalry
- Health Care Industry Cybersecurity Task Force
- CISA COVID Task Force: “Provide Medical Care is in Critical Condition” December 2021
- Operation Warp Speed
- Impact of Hospital Strain on Excess Deaths During the COVID-19 Pandemic — United States, July 2020–July 2021
- Provide Medical Care is in Critical Condition: Analysis and Stakeholder Decision Support to Minimise Further Harm
- Lawsuit: Hospital's Ransomware Attack Led to Baby's Death