We all worry about records disclosure, theft and extortion, and disruption of mission-critical services as the outcomes we'd like to avoid. As a veteran of public sector operations, my personal focus has been on those services owned and operated by state and local government, as well as other local-scale infrastructure we colloquially call the “Big Squishy Middle” (BSM). Briefly, those are the organizations that provide services that are critical to our economy, quality of life, and even life-safety - yet are not recognized by the established avenues of assistance that are being provided to the "critical sectors" (oddly and indefensibly defined as being primarily private-sector). Stated another way, the Department of Homeland Security considers Comcast, AT&T, et al. as the communication sector, and works with them extensively. 9-1-1 is the communication sector we care about, and type of infrastructure is what CI was established to address.
As the company has progressed and expanded into other markets, it's become clear just how vulnerable the intersection of health care and IT security really is. This is not about HIPAA - human services departments in local governments maintain plenty of health records and (in many cases) need to comply with the statute. The records are valuable and in demand by criminals. It's about continuity of operations, and what the potential impact of disruption would be - loss of life.
Call center operations have been shut down by telephone denial of service. An entire hospital system in the UK was shut down by ransomware - a problem that is only projected to escalate. And now medical devices have been shown to have been developed with the same (lack of) care as web-connected toys.
At a time when national health care is the subject of debate (a term I'm using quite loosely here) and regulations are being viewed at the federal level as something to get rid of, I think we’re setting ourselves up for quite a landmine.
Back to the BSM.
Just as local governments do not have the resources to compete for professional practitioners to secure, monitor, and respond to incidents in their operations, neither do regional hospitals, clinics, mid-market pharma and other medical research companies. That makes them exceedingly low-hanging fruit for Cyber criminals. The situation is exacerbated in parts of the country outside of the metropolises where there are no practitioners to speak of and a perception that those communities are just too small to be targeted.
Setting criminal intent aside – if a hacker wanted to cause terror, foment dissatisfaction with government, and get people into the streets, regional health entities are highly leverage-able. None of the ransomware activity has escaped the notice of our terrorist adversaries, and they will be looking for the simplest, most cost-effective way to create that terror.
I believe Critical Informatics is in the right business, with the right focus. I hope we have enough time.
Stay informed on all the threats and advances in healthcare cyber security by signing up for our Weekly Healthcare IT Security Blast.
Type your search and press enter
- Threat Intelligence
- Happy Hour
- InfoSec 101
- Security Awareness
- Public Sector
- Financial Services
- Press Release
@critinformatics | Aug 21, 2018While enterprises are distracted by the latest AI/ML/SOAR tool, small businesses are getting back-to-basics and moving the #security needle. Read insights from @seattlemkh on how to simplify the #cybersecurity program effectively on a small biz budget. https://t.co/lv2f12C9FL https://t.co/a7FaBge9UL
@critinformatics | Aug 21, 2018RT @beyondnegative: Yay for stable internets! Go download my presentation and workshop outline/notes on Github: https://t.co/APcsUxxzS7
@critinformatics | Aug 21, 2018#ICYMI: Learn the 5 key questions that the #CISO should consider when conducting #riskassessment, and how those answers can support budget requests for the #cybersecurity program. https://t.co/lLibAzTUWF https://t.co/cVudQc4f23
@critinformatics | Aug 20, 2018#ICYMI: [VIDEO] It's #NewsJacker time with CI Security's #CISO @seattlemkh! Get caught up all the recent #InfoSec news you need to know, including stories on stolen data, privacy, #InfoSec litigation, Russia’s election meddling, and more. https://t.co/qsixvM7rI0 https://t.co/0Z4waKbRKy
@critinformatics | Aug 20, 2018While enterprises are distracted by the latest AI/ML/SOAR tool, small businesses are getting back-to-basics and moving the #security needle. Read @seattlemkh's insights on how to simplify the #cybersecurity program effectively on a small biz budget. https://t.co/nW5RBUG4k8 https://t.co/83WQ7FqkJ3