There is a saying in the military – You go to war with the army you’ve got, not the army you wish you had. The same is true in the battle against Covid-19. The time has passed for tabletop exercises and carefully crafted policies about cybersecurity. We are in the fight now. We all wish that we were better prepared. Every organization, in every war, has felt the same way. However, we have to make do with what we’ve got, be aware of the cybersecurity events playing out, and understand how to reduce risk even in the midst of a crisis. Right now, many cybersecurity warning signs are flashing red. Here are some things to consider.
Racing Products to Market Invites Security Flaws
The race is on to create and field new medical technologies over timeframes of weeks or months. Some will work just fine, but be insecure. Sadly, attackers will target lifesaving technologies and those that produce them, even in the midst of a global emergency. Yes, given the choice between no ventilator and any ventilator, the choice is easy, but producers should still give their best effort to incorporate security. Users in a crisis don’t have time to read the manual and securely configure devices themselves. The time saved through secure design could literally mean the difference between life and death of patients.
Operational Security (OPSEC) Failures are More Dangerous
During a crisis, an OPSEC failure isn’t just embarrassing, it can be life-threatening. Social media provides far-reaching means to share sensitive information that really shouldn’t be made public. Perhaps it is a hospital employee’s badge, a password hanging from a monitor, tales of software in use, news of a shipment of scarce supplies, or internal-only jargon that could be used for social engineering, OPSEC damage is limited only by the person sharing information and the creativity of the attacker consuming it. In today’s environment, we should think twice about sharing work-related information, even if it appears innocuous.
Physical Security Just Got a Lot More Complex
Physical security was difficult in the best of times as many medical devices were necessarily left without staff to watch over them. Similarly, exposed network ports were commonplace in some facilities. Now, overworked and distracted staff working in war zone-like environments creates an easier opportunity for physical access-based attacks. Everything from theft, to installation of malicious software and hardware, to stealing of credentials is now a lot less difficult. Remaining vigilant especially at times like these is important.
A Crisis Creates Security Vulnerabilities
Security isn’t easy even on a good day when everyone is on top of their cybersecurity game, and today is not a good day. Attackers will shamelessly exploit their new-found advantage. We’ve seen ransomware laden Covid-19 tracking apps as well as a mix of state-sponsored and criminal attacks against the World Health Organization, hospitals, and a vaccine testing facility.
Medical organizations are off balance and struggling with PPE, equipment, and staff shortages. Virtually every organization that can, has shifted to remote work, thereby dramatically increasing their corporate attack surface to include personal networks and devices. Attackers like to get the highest ROI from the resources invested and so, the larger and more critical the application, the more it becomes a target. Less widely-used technologies like video teleconferencing software now have a spotlight on them.
Crisis creates chaos and fewer eyes watching for malicious activity. Also, busy people make mistakes. One misconnected network cable or ill-considered use of a thumb drive can bypass a hardened security perimeter. Busy people take shortcuts too. We can’t assume patching is taking place, even while updates are doubly important. In a crisis, ignoring security is a natural reaction. However, ignoring security just when you are most “interesting” to attackers and vulnerable is dangerous. We shouldn’t forget our basic blocking and tackling even in these times.
Disinformation and Misinformation is Rampant
As we’ve seen in recent major crises, cyberspace provides the means of spreading misinformation (incorrect information stemming from an error) and disinformation (deliberately false information). There are numerous reports of threat actors actively spreading falsehoods to hurt the response to Covid-19, create division and undermine leaders. Countering these efforts is difficult, as truth can lag fiction, especially at first.
An Increase in the Human Attack Surface
The attack surface of healthcare providers hasn’t just increased in terms of technical footprint. Many new employees are being rushed to the fight. We can’t assume these individuals have the same level of security training as full-time staff. There will be many unfamiliar faces in the workplace including people attempting to volunteer or provide supplies. Social engineering may be easier. Critical decisions may be made in the heat of the moment and will err on the side of mission accomplishment and not security. People are more vulnerable. Medical professionals, patients, and their families are at increased risk, both at home and in medical facilities. We might find traditional controls like one password per person and not writing down passwords, go out the window. Extra vigilance is required, but must be balanced against today’s crisis realities.
Teamwork and Collective Defense Will Win the Day
Wars are rarely won because of individual heroics, but by many people working together. Unfortunately, Covid-19 strikes at the heart of teamwork because physical proximity to others is dangerous. However, the virus doesn’t negate the power of working together and we are sorting through safe ways of both physical and virtual collaboration. With the rise in cyberattacks against already stressed healthcare organizations, finding ways to improve teamwork and defenses, while reducing inefficiencies is a way to make progress. Cybersecurity staff can work with peer organizations to share threat information, collaborate on analysis, and share subject matter expertise and best practices. After we emerge from today’s emergency, I hope collective defense and an enhanced teamwork approach in cybersecurity becomes the norm before a crisis, not just during. Later, we can work to further improve sector-visibility of threats, conduct cybersecurity incident response drills, and increase interoperability.
The list above describes challenges we face now and potential solutions. Perhaps the most important solution of all, though, is to learn from this experience. As historians like to say, history doesn’t repeat, but it does rhyme. As we emerge from this crisis, we will have the opportunity to systemically consider what happened, why it happened, and how we could do better in the future. Taking careful note now will help preserve this valuable, but perishable knowledge as we reflect on medical cybersecurity in the future. What we learn is up to us.
Photo: kentoh, Getty Images