Resilient Security: How to Prevent Cloud Data Breaches in 2023
By Gil Vidals

“Whatever doesn’t kill you makes you stronger.” 

Actually, the famous Nietzsche quote is: “Aus der Kriegsschule des Lebens.—Was mich nicht umbringt, macht mich stärker” (how’s your German?) which translates to:

 “Out of life’s school of war—what doesn’t kill me, makes me stronger.”

A “school of war”? Warfare as an “instructor?”  

Indeed. Perhaps Mr. Nietzsche wouldn’t mind if we tacked on “more resilient” as well.

Here’s why:

While resilience is defined as a capacity to withstand or “bounce back” from some hardship or assault, we know there’s more involved.

Landing precisely back where you started is never really the outcome, is it? Not when you’ve met with any kind of suffering or hardship that rocks your boat.  

For example, it’s a mistake in the face of trauma to say things like “children are resilient – they’ll be fine.” We’re always changed in some way – for good or ill. 

Truly “more resilient” can mean stronger (if we’ve grown and worked through the difficulty), purged of some element of dross – more refined. We’ll carry the scars, but will end up sharpened, more insightful. Maybe we’ll even have greater compassion and insight to help others.

May it be so for all of us in this new year!

What about Security?

Now let’s apply this to healthcare – which is a helping industry, after all.

There’s a strong reason that 96% of executives are saying that resilience – particularly in terms of organizational security – is now top of mind. 

This almost unanimous conclusion tells us that resilience is more than just the latest buzzword – it carries real freight. Why?

1. One likely reason is that nearly ⅔ of organizations (62%) have actually experienced major security incidents that jeopardized business operations within the last two years. 

Network/data breaches and network/system outages impacted 51% of those surveyed. Ransomware and distributed denial-of-service ran a close second at 46%. 

So it makes sense that these organizations would want to take preventive action (41% named prevention as the top “security resilience outcome”). No CIO or Sys Admin wants a breach on their watch, after all. 

If you’ve been burned, more effective security is logical. Why stay with what didn’t do the job previously? (Though some will).

2. But a second reason has to do with not just “surviving” after a devastating cloud data breach – one which compromises your patients’ privacy and nearly cripples your organization – but actually thriving.

This is where the resilience aspect comes in. As the Cisco Security report puts it, it’s about protecting the “integrity of every aspect of your business so it can withstand, not just survive, unpredictable threats or changes and emerge stronger.” 

“Whatever doesn’t kill you makes you more resilient…” can be true, but you must let it – from a primary motivation of patient and organizational care. And yet, there’s even more to it.  

We’ve seen that learning to identify the enemy’s strategy is part of the school of war, forcing me to confront myself (or my organization) as well. Even the classic The Art of War by Sun Tzu urges such knowledge:

“It is said that if you know your enemies and know yourself, you need not fear the result of a hundred battles…”

But how do we “know” our enemy?

How to Prevent Cloud Data Breaches

In our last post, we looked at the fascinating idea of “exposure therapy” (a psychological approach that Google suggested for healthcare) to promote resilience in the face of malicious attacks.

The idea is that simulating cybersecurity threats regularly will sharpen you. Having to face the threat helps you to better identify it, and ultimately, eliminate it as a potential infection in your system. 

It’s true in trauma, and in cybersecurity. So why is the identification part such a critical precursor to mitigation?

Because it’s hard to become resilient to what you can’t even explain, or aren’t committed to looking for.

So what are the success factors for resilience? 

 “Victorious warriors win first and then go to war, while defeated warriors go to war first and then seek to win.” – Sun Tzu

The above quote insightfully reminds us that victory starts at home – in the mindset and preparation that precedes the battle.

In this light, we could talk about numerous topics, like endpoint and email protection, phishing training, and more. HIPAA Vault can help with such solutions.

Before you can get there, though, security-resilient healthcare organizations need two things: executive support, and a growing security culture.

1. Securing Executive Support (and Openness)

It can be demonstrated that those organizations – large or small – that are successfully “security resilient” are those that have “top-down” support. 

For healthcare, that starts with the recognition that patient outcomes are generally worse after a debilitating cyberattack. That means executives who wish to prioritize patient safety and care will also prioritize security, and support the goal of not just surviving, but thriving.

But in a recent survey of healthcare cybersecurity professionals, roughly 1 in 4 (24%) said their budgets did not have a specific allocation for cybersecurity, while 1 in 5 respondents (21%) reported disruptions of services affecting clinical care.

Executives might be tight-lipped about cybersecurity matters because of liability, but as Christian Dameff, an emergency physician and assistant professor of emergency medicine at the University of California San Diego, points out, the conversation needs to shift to patient safety:

“When a cyberattack happens, most hospitals don’t want to talk about it. I’d love to change that dynamic… I would love for more open communication about this topic with leaders,” Dameff said. “We can be learning from each other’s experiences, learning about what went wrong at other institutions.”

Never pass up a good crisis, as someone said: learn from it, and turn it into a teachable moment that will help others – even other organizations in your community.

Think about how the ripples of a cyberattack on one hospital in your region may impact nearby healthcare providers as well. Ambulances may be diverted to another facility, causing that hospital to be overwhelmed beyond capacity. As Dameff notes, “The effects could be seen in an entire region.”

2. A Growing Security Culture

True executive support will be reflected in an organization’s overall culture; typically, this is understood as the collection of values, expectations, and practices embraced by your team. 

Is security a value? An expectation? A regular practice, and not an afterthought?

As Wendy Nather, head of advisory CISOs at Cisco, says:

“Culture is often waved off as the annual awareness training that compliance mandates. But security culture is a lot more than that. I would summarize that culture is what you do every day. When you have a strong security culture that helps support your employees, your partners, and your customers, it helps everyone make the right security decisions each day. In our study, having an excellent security culture resulted in the highest increase in security resilience: 46 percent over not having it.”

How do you foster that excellence? One way is to counteract the belief that security is all about boring training: dull PowerPoints and uninteresting security posters.

As Samantha Davison, Security Program Manager at Uber, points out, making learning fun will increase the likelihood that the behaviors will be integrated with your team’s story:

“Security can be so much more than PowerPoints and videos. Pick a fun theme and parody it—we did Game of Thrones. Give gamification a try. Throw a phishing writing workshop and have your employees write a phishing email for the company. The options are endless when you start to think outside the box.”

3. Sharpen Your Detection Capabilities

As a healthcare provider, you want the best tools to identify diseases and apply the best treatments. 

What if you looked at cyber threats (a different kind of invisible virus) the same way? After all, they can kill or severely harm your patient too.

This means that as threats continue to grow and evolve, detection capabilities need to be cutting-edge as well. Have your security teams ramped up their detection abilities? Will this be an ongoing process? 

Start with prioritizing: 

  • Which threats are of most concern right now? 
  • Do we have visibility for detecting these threats?

Then, expand to scenarios where you anticipate broken facets of the system, and how you’ll fix them.

Hear Wendy Nather again:

“One key we discovered was to not just do things like drills and penetration exercises more often; it was to have variation in what you practiced. Chaos engineering, or a Chaos Monkey, can randomly break things so that you can practice detecting, responding, and fixing them. Organizations tend to have their favorite scenarios and tabletop exercises that they do over and over. 

But when you have something that is chaotic and random, it makes you respond to things that you never thought of before. Because with security, you’re always facing things you’ve never seen before. So, practice frequently and invariably and involve not just the security team, but as many different business areas as possible.” 

Lastly, Cisco points out that growing more resilient isn’t meant to imply you’ll never be hacked. We’d like to think we can vastly decrease the probability; still, it may happen. As noted, hackers are ever-evolving in their methods to try and stay a step ahead.  

If such is the case, the focus must be on mitigation strategies that get you up and running quickly.  

We end on a thought, however, that almost never is applied to hackers. It springs from a quote that is widely attributed to Tzu:

“It is easy to love your friend, but sometimes the hardest lesson to learn is to love your enemy.”

(Yes, we know “Love your enemy” has more established roots than this, even if the quote wasn’t his).

Love someone who wants to profit at your expense? What is Tzu getting at?  

Loving an enemy doesn’t mean trusting them, or liking what they’re doing. What it does mean is caring enough about them to thwart their ability to hurt others – as well as themselves.

Becoming security resilient will therefore have a global impact: you take away one more reason for hackers to be emboldened.

May healthcare grow in resiliency in this coming year. Lean on HIPAA Vault to help you grow stronger!