A bang, not a whimper
2020 has clearly started with a bang, not a whimper. We currently face a highly volatile international political situation that could include a cyber warfare component. Most healthcare organizations have never planned for this type of attack, so prior risk conversations never prepared them to plan accurately for the potential adverse impacts. Consequently, CISOs and CFOs should use this opportunity to revisit their risk equation.
We witnessed an unprecedented number of cyber attacks in 2019, with ransomware now far more prevalent than the data-theft hacking that dominated just five years ago. Risk was relatively easy to calculate when all we had to worry about was hacking. The likelihood was Low to Medium (depending on security maturity), and the impact was Low or at most Moderate (driven primarily by the cost of patient notification). Using this analysis, CFOs could justify underspending on security because the overall level of risk didn’t justify a higher investment compared to other issues.
With the introduction of ransomware, the likelihood initially didn’t increase significantly, but the adverse impact rose to Medium or High because of the long-term disruptions to patient care. Operational impacts also changed, including interruptions to the revenue cycle lasting weeks to months, cash flow shortfalls exceeding several million dollars, timekeeping and payroll disruptions, and supply chain interruptions. Even this increase in risk did not justify a significant security budget increase because the rate of infections (likelihood) was still relatively low. That started to change rapidly in 2018, when healthcare took a disproportionate share of the attacks (79%) compared to governments and educational institutions combined (21%), according to one study.
2020 will be different
The high potential for a cyberwar caused by political tensions with Iran is changing the risk equation. In cyberwar, the size of the adversary’s army is less relevant than its capacity and experience in conducting cyber operations. The difference between data theft, ransomware, and cyberwar is the motivation of the aggressor. In a cyberwar, attackers will no longer limit damage to incentivize the victim to pay; instead they will inflict long-term damage and seek to influence public opinion.
Ever since the Stuxnet attack on Iran’s nuclear program in 2011, Iran has built and demonstrated an offensive cyberwar capability to inflict permanent damage on its political adversaries. Those ‘wiper’ attacks can permanently destroy computer systems and the data they contain. Iran has demonstrated both the capability and the willingness to use this type of attack on its adversaries, including Saudi Arabia’s oil industry on three separate occasions. For victims, the only recovery option is to install new hardware and rebuild systems from scratch.
How does this impact healthcare?
Healthcare providers’ security programs are weaker than those of many other industries for a variety of reasons. Consequently, healthcare’s cyber resilience plans are largely not prepared to sustain patient care and hospital operations for an extended period without computers and phones. If the U.S. experiences a targeted cyber attack directed at healthcare providers, we should expect attacked organizations not only to revert to paper medical records, but also to revert to paper or manual processing of all other supporting functions such as payroll, supply chain management, and claims processing.
So how does this threat impact the risk equation? First, healthcare organizations should reevaluate their cyber resilience program. Focus on the ability of all departments to function for an extended period without fully functional IT systems or even phones. This should include frequent incident response exercises that involve all departments, not just the traditional IT participants. These exercises should be based on realistic scenarios and include the assumption that other organizations may experience simultaneous attacks – so outside assistance, including the availability of new hardware, will be restricted.
Organizations must also admit that previous risk ratings have been inflated to the point where there is little room left for more serious risks. This happened because we ignored the potential destruction of computers requiring a lengthy recovery period. Organizations that previously classified ransomware as a high risk must either reclassify it lower to make room for cyberwar, or create a new tier of very high risk. With this new tier, investment decisions should be easier to justify. Gaps discovered during the cyber resilience exercises will likely identify new very high risks.
Not all gloom and doom
We should take advantage of the current political tension to evaluate and fix gaps in security programs. The Chinese word for crisis is a combination of two words: Danger and Opportunity. As Winston Churchill stated, “Never let a good crisis go to waste.”