Posted on 13/11/2018 by
Dirk Schrader, VP security at Greenbone Networks and certified information security manager, discusses the need for sustainable cyber resilience and how healthcare organisations can achieve such a state for their own information processes and data processing systems and assets.
Keep a hospital in operation has a lot to do with keeping IT-based systems and processes working. If the PAS isn’t available to admit a patient, the PACS cannot retrieve a required X-ray, or the ICU system monitoring patients is affected, and the core functions of a hospital are severely hampered.
Do you remember May 2017 when WannaCry hit, and its coverage in the media made it one of the most discussed cyber-attacks ever? Patients were asked to stay at home and not to come in for a necessary treatment. Since then, the world has seen many other examples of attacks against IT-infrastructure and data in the health sector, like in Norway, Singapore, Germany and Australia. That more events like Wannacry will be seen in future seems inevitable.
Changing information security paradigms
One reason we will see more cyber breaches is that the paradigm for information security in the health sector is still focused on the attacker instead of considering one’s own cyber security posture. That seems particularly odd in a sector where health promotion, “the process of enabling people to increase control over, and to improve, their health,” is an element of the WHO charter aiming at increasing people’s resilience to health issues.
In the cyber world there is a similar way to increase the resilience of a given IT-infrastructure, and IT-based processes. Cyber resilience is achieved when you successfully address the core elements of a cyber-attack. Any cyber-attack needs three elements to be successful:
- The capability of an attacker to carry out the attack;
- The reachability of the target for the attacker;
- A vulnerability the attacker can exploit.
For the first element, no one can stop a cyber-criminal from learning new methods to attack or from developing new attack schemes to expand his or her capabilities. We should also use the internet to keep ourselves up-to-date about those new techniques and attack vectors.
Old fashioned, standard approach
Related to reachability, current cyber defence strategies in the health sector focus on using available technologies to monitor, police, and block the reachability of a targeted system from the outside in an attempt to stop an attack while it is happening. This strategy is attack-oriented only. It tries to detect an attack while it is happening, and to deter an attacker by increasing the cost of an attack using a somewhat bigger defence technology, thus creating a bigger wall to breakthrough.
Attackers evade those reactive mechanisms using numerous techniques and aim at the vulnerabilities within the target’s IT infrastructure. Symantec’s research states that in the last four years, about 1.5bn new variants of malware have been generated in exploit kits used by attackers. The other interesting fact is that these exploit-kits target approximately 800 vulnerabilities, the third element of the list above.
The resilience leverages
Existing vulnerabilities in a given IT infrastructure (and there is not a single one without them) form an attack surface that can be exploited. The smaller that surface is, the longer an attacker has to spend to try to break your cyber security, making other, easier targets more attractive. Managing IT-related vulnerabilities reduces the attack surface and increases the resilience of the infrastructure and also the cyber resilience of a hospital’s processes.
Managing vulnerabilities in a process-oriented, asset-ware manner reduces the risk related to digital assets in your infrastructure.
For more details about sustainable cyber resilience in health sector, please check out our White Paper: greenbone.net/en/whitepaper/health