And a Happier New Year!
“Yes, Clarence. A healthcare provider down on Earth needs our help.”
“Splendid! Are they sick?”
“No, worse. They’re discouraged. At exactly 10:45 p.m. tonight, Earth time, that provider will be thinking seriously about where their data went.”
Each year, our family eagerly looks forward to 2 classic holiday films: It’s a Wonderful Life and A Christmas Carol.
One reason we connect with those films – besides the great storytelling and the joy of Christmas – is that we’re reminded that transformation is always possible – even in the darkest times.
Light obliterating darkness: the people walking in darkness have seen a great light.
I also find the films fascinating because both employ a kind of “exposure therapy” for the lead character. (Exposure therapy is a technique used by trained clinicians to gradually expose a patient to a feared stimulus or situation that creates stress, to help them learn to manage it).
Why do I mention this? You might be surprised (as I was) to learn that Google also suggests the “exposure therapy” idea, as an analogy for how organizations can improve their cybersecurity posture – but more on that in a moment.
Notice how both Scrooge and George Bailey are necessarily – yet unwillingly – exposed to the underlying false narratives they’re believing and therefore operating on:
- for Scrooge, it’s the lie that he can find true solace in his “golden idol” and in controlling others;
- for George Bailey, it’s the lie that his life isn’t a precious gift and that the world would be better off without him.
So with the help of the spirits, Scrooge finally faces his story – the pain in his past and present, and the prospect of a dismal future; for George Bailey, it’s Clarence the “Angel-2nd class” who shows him the ways he was used for good in his past, and how a future without him would be far worse.
So why would Google take this idea of “exposure therapy” to reveal and transform healthcare’s story?
Here’s their answer:
“Concepts taken from this approach can be applied in ways that can help an organization improve its cybersecurity posture, too… The best way to put an end to these persistent threats and preserve patient care and safety is to improve the resilience of healthcare organizations’ IT systems so that they can overcome these attacks.”
Like a person struggling to change how they respond to negative stimuli, Google says that organizations will only get stronger – more resilient – if they actually face the kind of attacks that threaten them:
“By simulating cybersecurity threats and resulting operational impacts regularly, security leaders can help their organizations get better at identifying, managing, and eventually eliminating entire categories of threats to their organization.” But how is this to be done? Just as Scrooge was visited by three spirits – each with a vivid picture of pain and hope – we offer 3 cybersecurity strategies to help you achieve resilience and HIPAA compliance:
1. Acknowledge the false narrative(s) prevalent in healthcare cybersecurity
We don’t naturally choose to face unpleasant situations; like Scrooge, we act as if they’re a “humbug.”
We like to believe that everything will go on as it has, and we’ll be just fine; that a ghost in chains disguised as a ransomware attack won’t knock on our door.
Wake-up calls presume that we’re currently “asleep,” right?
Maybe one false narrative for healthcare would be: “We have enough protection. Besides, we don’t really need to be deeply concerned about cybersecurity issues anyway, since it’s not really our focus.”
So why would “exposure” (not of data, but of a false reality!) be necessary then for healthcare?
Because you can’t prevent (or change) what you won’t face, or admit to be true.
And ironically, healthcare knows this!
For example, when a deadly virus affects the population, (most) doctors don’t say “everything will be fine. It’s just a cold.”
No, they study transmission. How does the virus infiltrate? How contagious is it, and how do we need to protect ourselves and our patients?
The answers are highly valued (by most) because they impact life and death; i.e., real people. So – as we all know – health specialists go to work on an effective vaccine, advise wearing masks in public and the washing of hands, etc., etc.
Now, why wouldn’t the same priority be shown in the case of a potentially deadly bit of malicious software – especially since the AMA now recognizes cybersecurity as a vital patient-care issue?
Must we simply resort to haphazard “triage,” and mitigation after the fact? Emergency measures, when our systems are locked up, data is stolen, and recovery is in doubt? (and likely, hugely expensive!)
Why not plan for the worst instead – such as a full-blown attack that compromises systems and delays patient care – and have steps already in place for damage control and resuming services?
2. Study the Threat, Prioritize Resilience
Resilience is defined as “the capacity to withstand or to recover quickly from difficulties; toughness.”
A true test of cyber resilience, therefore, is an organization’s ability to recover and resume operations quickly, should a cyberattack occur.
As Google puts it,
“Since cybersecurity threats are always evolving, organizations need to develop an ever-maturing security posture that helps maintain resilience to new threats. A key part of this is adopting basic security controls and improving them over time. These practices are an essential starting point that healthcare organizations of any size or level of technical sophistication can begin implementing today.” (emphasis added)
So how are the right controls and practices chosen? The answer lies in correct identification of the threats, with a proven threat (and security) specialist:
“By simulating cybersecurity threats and resulting operational impacts regularly…”
One way to approach this would be to implement regular threat modeling.
“Begin by asking, “What could go wrong and how can we stop it? How can we keep going even if something goes wrong?” The Software Engineering Institute (SEI) has compiled a list of excellent resources to consider when conducting threat modeling activities.”
Penetration tests and purple teaming (where teams of “defenders” and “attackers” collaborate) are also ways to test systems, through simulated attacks.
Finally, it’s critical to have a contingency plan to follow in the event of something like a ransomware attack, so that mitigation steps are orderly and proactive and damage is kept to a minimum.
Google offers some general organizational tools in this guide, Shrinking the time to mitigate production incidents, and the Healthcare and Public Health Sector offers this guide for maintaining Operational Continuity in the event of a cyber incident.
3. Prioritize Zero-Trust
As noted by the HHS Cybersecurity Program,
Given the interconnected nature of the future… it is clear that the current perimeter-based security model that most healthcare organizations use will no longer be effective. To stay ahead of these trends, healthcare organizations must continue to invest in the basics while making a fundamental shift from the castle-and-moat approach to a Zero Trust model.
The phrase “Zero-Trust,” first coined by Forrester Researcher John Kindervag in 2010, was a breakthrough in the consideration of risk surrounding network and data security.
Kindervag’s idea of “never trust, always verify” was based on the idea that the classic “castle-and-moat mentality” of network perimeter security (i.e., firewalls, and other network-based tools) was no longer sufficient to protect an organization since it failed to address the risks that might come from “inside the castle.”
(This shift away from traditional, on-premise infrastructure security has become even more critical with the prevalence of remote workers).
So what are some keys to implementing a Zero-Trust approach in healthcare?
First, think ahead: If you’re anticipating a digital transformation to the cloud, designing Zero Trust into the system from the start is wise, as opposed to attempting a “retrofit” of systems later on. Getting buy-in from every level of the enterprise – from CIO and CISO on down – will be key.
A strong policy of least access to sensitive networks and data is also a hallmark of Zero Trust. This is especially critical with HIPAA compliance in view, but the approach should even be more granular than this.
Essentially, Zero Trust puts a priority on identifying the user. As Bill Mann, senior vice president at Centrify Corp puts it: “Let’s really make sure this is Bill [for example], and let’s make sure we understand what endpoint Bill is coming from – is it a known secure endpoint and what is the security status of that endpoint? And now let’s have a conditional policy, a policy [specifying] someone can have access to something.”
Some important technologies and methodologies that will aid this “inside to out” approach to Zero Trust security will include:
- micro/network segmentation for granular policy application
- endpoint hardware type and function (device health)
- firmware versions
- OS versions and patch management
- multi-factor authentication and identity access management (IAM)
- incident detections: suspicious activity and attack recognition
- secure email
- password management
- file system permissions, and more.
In terms of implementation for healthcare, the following practical steps offered by Jonathan Langer present a helpful starting place:
1. “Get complete visibility into all connected medical, IoMT, and IoT devices in your environment. By complete, I mean detailed, down to the make, model, serially attached components, embedded software, protocols, etc. that are part of that device.
2. Get buy-in from all relevant stakeholders. It is going to take input from IT, security, Biomed, and clinical engineering teams. Make sure that everyone is aware and on board with the objectives.
3. Find solutions that can automate as much as possible. As noted, there are a lot of moving pieces and parts, so finding solutions that understand at a granular level what these devices are and how they should be operating within the clinical network is key to being able to automate the ongoing discovery and enforcement you will need to sustain Zero Trust.”
The New Normal for Healthcare
It may be that many of the above technologies and approaches are already present in healthcare organizations now operating with cloud-based environments and services. If so, a continual assessment of people and user groups, identity, and authentication of devices should be happening. This should be undertaken with an end-view toward the core needs of patients and caregivers.
This is the “new normal” for 2023 – and the future of healthcare.
It will come as a relief to our clients to know that HIPAA Vault’s “3 visitors” for transforming healthcare cybersecurity – acknowledging the threat, prioritizing resilience, and a Zero Trust approach to security – are present in all of our HIPAA-compliant solutions.
From our secure hosting to compliant WordPress and email, we design-in features like access and identity controls and two-factor authentication.
Of course, we also employ end-to-end encryption, intrusion detection, antivirus, scanning and blocking, regular backups, disaster recovery, and 24/7 personal, dedicated support to our multi-layered approach designed to transform your healthcare cybersecurity.
So with that said, let’s welcome the “exposure” we all need to grow, and as a result, may you all have a happier and healthier new year!