H-ISAC aims to foster trust and cooperation amongst members with the objective of achieving a more secure digital health environment. How does H-ISAC achieve this and where are the greatest challenges?
I actually think, in general, that the sharing is fairly good within healthcare and the ISAC, especially amongst the larger organisations. It’s harder for smaller organisations which either don’t have a security operation or resources, don’t understand the importance of sharing information or being part of a trust community, or don’t prioritise security. I think that education and sharing experiences among members is the best way to make the smaller organisations aware of the opportunities the ISAC offers.
When it comes to medical device security, the issue is very complex. Manufacturers and healthcare delivery organisations (HDOs) can have contentious relationships. Within HDOs there are a number of stakeholders that often operate in silos. The regulators are also different for manufacturers and HDOs so the entire ecosystem is fragmented. It is very important that all stakeholders work together to solve security problems. In H-ISAC, we have a Medical Device Security Information Sharing Council which is co-chaired by a manufacturer and an HDO. We purposely did this and the goal is to ensure that both parties understand each other’s issues and perspectives so that everyone can work on challenges together.
Is healthcare management sufficiently concerned with cyber security?
In some organisations, there is focus. But really what we should be doing across industry is to change the conversation from one of cyber security to one of enterprise risk management (ERM). Cyber is just one component of the risk to the enterprise. If an organisation deploys ERM correctly, it will understand the ‘crown jewels’ and build its risk management strategy out from there. Of course it also means knowing what the threats are, who the threat actors are and what their motivations are – which is part of information sharing – as part of the equation. I don’t think healthcare, in general, is able to tackle that yet.
When it comes to physical security, are the issues of developing trust similar to those of cyber security?
I actually think the sharing in cyber is better for a variety of reasons. One is that there is machine-to-machine sharing so those indicators get shared automatically. Second, most of the infrastructure is within the private sector and industry understands one person’s defence becomes everyone else’s offence. Traditionally, the physical security teams have been mostly former law enforcement and the community has tended to be very close-fisted. Also, government had access to intelligence that wasn’t available to the private sector so, unless one had a clearance or need to know, information wasn’t freely shared. Trust exists but it isn’t as broad.
What do you anticipate for both cyber and physical threats in healthcare in the next five to ten years and how can they be addressed?
We see incidents stemming from old malware and vulnerabilities that will most likely still be around five years from now. The Nigerian prince and romance schemes still exist because they work! That being said, attackers will always find ways to take new technologies that come into play and that are connected to the Internet to achieve their goals. We just need to be aware and always mindful of the potential risks that can come from a lack of availability of resources and integrity of data. We also need to be very cognisant of cascading impacts from incidents that target other organisations, such as an attack like Petya/NotPetya that targeted a country but ended up affecting numerous large and small organisations to the tune of billions of dollars. Hurricane Maria in Puerto Rico was another example of cascading impacts from other sectors on the pharmaceutical and medical supply chain.
Read entire HealthManagement.org article here: https://healthmanagement.org/c/healthmanagement/issuearticle/fighting-cyber-threats-with-a-global-community