A nonpartisan Commission on Enhancing National Cybersecurity (the “Commission”) was created by the Obama Administration and charged with assessing the current state of cybersecurity and recommending actionable steps that the government, private sector and the nation can take to improve cybersecurity. These findings are set forth in the Commission’s Report on Securing and Growing the Digital Economy (December 1, 2016). Many of the findings in the report help illuminate why cybersecurity is so difficult to achieve. But, the report also sets forth recommendations for better cybersecurity in the future. Findings of particular relevance to the health sector are highlighted here and placed into context.
1. Technology companies are under significant market pressure to innovate and move to market quickly, often at the expense of cybersecurity
A challenge that many healthcare organizations face is finding enough time to assess vulnerabilities and manage them. Many software applications and devices have not been designed with security in mind. As stated in the report, many products are rushed to market and security features are added later as an afterthought. The Commission specifically states, “Security features later may be added to subsequent versions of a product, but doing so results in a product with inferior security compared to one that has security integrated into its initial design and development of a new product.”
The Commission, however, recommends that these companies adopt secure coding practices and develop and use better tools to reduce the number of exploitable vulnerabilities in software products. Some resources that software development companies can turn to include, but are not limited to, secure coding standards and threat modeling resources. Imagine a world where healthcare organizations can devote more time to taking care of patients instead of fighting with technology—more secure products would be a boon.
2. The attacker has the advantage
Cyber-attacks often originate from highly skilled cyber adversaries, such as nation state actors and organized cybercriminals. But these skilled adversaries also design and release attack toolkits that enable less skilled malicious actors to participate in cybercriminal activities. As stated in the report, “The cost to attack a system is only a fraction of the cost to defend it.” Defending a system is much more expensive.
Additionally, to avoid security incidents, the security team has to be right 100% of the time. There is a solution, though, for health sector organizations: either hire an external penetration tester or have someone on your team with the skills (or have the external tester teach your team how to pen test). The best way to defend is to think like an attacker.
3. Consumers are not yet demanding cybersecurity and privacy protections
The Commission states that consumers do not seem to be demanding cybersecurity and privacy protections. But, this will likely change with the anticipated increase in security incidents in the future and consumers becoming more aware of cybersecurity risks associated with products and services that they may purchase. The health sector, too, has experienced a sharp increase in the numbers of security incidents. Yet, many healthcare organizations are still buying products and services on the basis of up-front cost efficiency—i.e., the lowest bidder wins—but not necessarily based upon integrated security features that a product or service should ideally have. Many healthcare organizations also do not have sufficient numbers of skilled personnel on their security teams to adequately address the risks in these relatively insecure products and services. Furthermore, more breaches and significant security incidents—especially ones which may jeopardize patient safety—will likely have a negative effect on organizational goodwill and thus decrease the numbers of “willing consumers” at healthcare organizations.
4. Public-Private Efforts to Achieve Cybersecurity
As acknowledged in the Commission’s report, “[t]he federal government has the ultimate responsibility for the nation’s defense and security and has significant operational responsibilities in protecting the nation’s rapidly changing critical infrastructure.” This also includes the realm of cybersecurity.
But, the Commission’s report also states that “the federal government should work closely with the private sector to define a new model for how to defend and secure this infrastructure.” Clearly, the “model” which is currently being used by the private and public sectors to defend and secure is not working. A new model is needed, which addresses concerns such as supply chain integrity and security (addressing both intentional and unintentional vulnerabilities which may be introduced at any time along the supply chain), the security of a product or service throughout its entire lifecycle, and the multiple dependencies that organizations may have on other critical infrastructure sectors (and the need for a coordinated and unified response, in the event of disruption or failure of one or more of these sectors). Too often, private sector organizations do not plan for failure and lack business continuity and disaster recovery plans for their own organizations (and they likely do not consider the potential cascade of failures which may occur, based upon other critical infrastructure sectors upon which they may depend—e.g., the transportation, energy, and communications sectors, to name a few).
Private sector organizations can improve this situation by developing (and regularly testing) business continuity and disaster recovery plans to prepare for manmade (e.g., denial of service attacks, ransomware, insider threat activity, and otherwise) or natural disasters. They can also align their operational plans with the National Cyber Incident Response Plan so that the government provides them with assistance in the event of a significant security incident.
Private sector organizations can also continue to collaboratively build—with the federal government—the NIST Cybersecurity Framework to reduce risk within and outside of critical infrastructure. Organizations may adopt the Framework to reduce cyber risk, and, as FDA has previously stated, medical device manufacturers and others may use it for the same purpose.
5. Cybersecurity Workforce Gaps
There is a profound shortage of skilled cybersecurity workforce members in both the public and private sectors. While the cybersecurity workforce is expected to grow, it is not growing fast enough to keep pace with the growing cyber threats. A recommendation by the Commission is that the next President should initiate a national cybersecurity workforce program to train 100,000 new cybersecurity practitioners by 2020. The Commission also recommends that boot camps be established to identify underrepresented populations of cybersecurity workers, such as women and minorities. Additional recommendations are made in the report to help bolster the numbers of qualified cybersecurity workforce members.
Improving the state of cybersecurity is a top national priority for the public and private sectors. The United States is a leader in technology and should be a world leader in cybersecurity. The health sector, too, should be a model sector for cybersecurity adoption and advancement.
Too much is at stake for the private or public sector to delay making improvements to their cybersecurity programs. These actions must be taken immediately, given the steep upward trajectory of malicious cyber activity. Hopefully, too, the private sector will be able to provide input and perspective to the next Administration with respect to their cybersecurity challenges, solutions, and needs.