Non-stop and increasingly sophisticated cyberattacks are taking a toll on the United States healthcare Industry, which has lagged in cybersecurity and privacy investment relative to other sectors for some time. As a result, we have fragile systems that we now see collapsing under attack. Unfortunately, a growing list of healthcare providers has been unable to carry out their mission effectively for weeks or even months while trying to recover their systems following an attack.
Historic breaches of the privacy and confidentiality of health information and the associated costs were bad enough, but now the impacts of the attacks are getting worse. We now have examples of cyberattacks that have directly impacted patient safety and even include allegations of attacks resulting in patient deaths.
Fall out in the form of regulatory action, lawsuits, and increasing limits on and premiums for cyber liability coverage are getting the attention of investors and senior leaders who previously saw cyber as simply an IT problem. They are now asking questions and seeking information to understand how safe their organizations are from similar attacks and consequences. In response, many healthcare organizations are now making the necessary investment to prepare fragile systems and programs to recover from cyberattacks.
Many cybersecurity professionals and firms talk of the importance of building “resilient” cybersecurity and privacy programs. Unfortunately, having a cybersecurity and privacy program that delivers resilience is not enough in today’s world. Resilience, by definition, is the ability to recover quickly and spring back to shape. In the context of a cybersecurity or privacy program, a resilient program facilitates the organization’s ability to limit damage and promptly return to its previous state of normal operations. While this ability is certainly not a bad thing and something that all organizations, at a minimum, should strive for, returning to its previous state when that state allowed for a successful attack is not enough.
Proponents of resilience will no doubt push back on this conclusion. They will claim that in addition to returning to normal, they also fix the vulnerabilities that allowed the attack to succeed. They will claim that in doing so, they are making the organization stronger or hardened against similar attacks. Whether they realize it or not, what they are describing is not simply a resilient system but also an adaptive one. Adaptive systems correct previous mistakes or weaknesses after they are exposed. Like resiliency, this, too, is a good thing. Indeed, we should have a program in place that learns from and can better respond to previously proved harmful situations. Yet again, this is insufficient in today’s dynamic environment.
Threat actors attacking the healthcare industry today are, in many cases, highly sophisticated. They include international criminal organizations and sophisticated nation-states. They are not static in their approach. Instead, they are continually learning and adapting, changing their strategy to account for the defensive measures deployed against them. A recent example of this adaptation is the basic ransomware attack escalating to double and now triple extortion attacks.
What this means for healthcare organizations is that the defenses you put in place to defend against yesterday’s attack are very likely not enough to stop today’s assault. Having a resilient and adaptive cybersecurity and privacy program when faced with attackers such as this will continue to place healthcare organizations in the role of victims. Of course, some organizations will be more resilient than others, reducing the relative costs of a successful breach. Others will be quicker to adapt, shortening their exposure time to known attacks. Overall, organizations that focus exclusively on resilience and adaptivity will always play catch up and always be reactive instead of proactive.
Organizations need to go beyond developing programs that have the properties of resilience and adaptivity and adopt programs that include the property of antifragility to better deal with the dynamic threat environment. Antifragility is a property of systems that tend to gain capability or get stronger when attacked or stressed. Author Nassim Nicholas Taleb initially coined the term in his book Antifragile: Things that Gain from Disorder and associated technical papers. We see examples of systems that have this property often in nature, including in the system we are all perhaps most familiar with, human bodies. Anyone who has exercised and got more robust as a result has experienced antifragility firsthand. We stress or damage our muscles, and they grow back not to their previous state but instead grow back stronger.
Adopting or encouraging the properties of antifragility holds much promise in cybersecurity. That is why leading cybersecurity thinkers have moved beyond a focus on resilience and adaptivity to explore how we can introduce and encourage the property of antifragility in our cybersecurity and privacy programs.
Building on our exercise analogy, we can use more frequent and varied stresses to strengthen the program over time. For example, an organization may conduct more diverse and frequent pen tests instead of the industry’s traditional annual pen test. By increasing the frequency and type of testing and narrowing the scope, an organization can keep the cost manageable while learning and growing faster. Targeting specific areas of interest and using the most up-to-date exploitations creates manageable improvement opportunities and accelerates the strengthening of the program.
Taleb also proposes a barbell strategy. Like the weights on each bar end, a barbell strategy is two-pronged. One prong takes a strategic defensive attitude to minimize downside risk, and the other prong willingly takes risks that offer significant upside. This approach has numerous benefits, including increased survivability, the most efficient allocation of resources, and the potential to implement solutions that will protect the organization against more than existing known threats and vulnerabilities.
To develop the risk-averse portion of the strategy, an organization needs to truly understand the minimum necessary state of IT required to operate. Typically, organizations achieve this through a Business Impact Analysis. During the analysis, the organization focuses on identifying those business processes and supporting systems essential to execute the mission and how much downtime the organization can withstand in these systems. The organization needs to understand the minimum necessary to continue operation or the organization’s survivability.
After the organization understands the minimum necessary capability, the organization should seek to understand the risks to the IT systems and components supporting that capability. To understand the risk, the organization will need to:
- Determine the threats and vulnerabilities to the IT systems and components identified as critical during the Business Impact Analysis
- Assess the controls currently in place to protect the confidentiality, integrity, and availability of the systems, components, and data.
- Analyze the likelihood of the threat successfully acting on the vulnerability and determine the impact to the organization if that were to occur
This understanding is accomplished through OCR-Quality® Risk Analysis. OCR-Quality Risk Analysis® is a risk analysis that looks at risk not just at the organization level but down to the IT system and component level.
Often an organization will set a risk threshold that they apply to all risks, accepting any risk below this threshold and only considering other treatment options for risks that exceed the threshold. Incorporating antifragility, the organization may choose to mitigate, avoid, or transfer risks associated with systems and components supporting the minimum essential state even if those risks are below the threshold and that the organization would otherwise accept for less critical systems. In this way, the organization adopts the defensive risk-averse prong of the barbell strategy.
On the other end of the barbell, an organization can allocate a portion of its security investment to experiment in solutions that are higher risk but offer great upside rewards. Examples might include testing technologies or services that others have not yet tried but that hold great promise if practical. Another option is to investigate solutions that might fall into the not now but maybe in the future bucket. The organization should accept that many of these bets will not pay off. However, those that do should pay off significantly.
An organization may also implement the barbell strategy from a staffing perspective. The organization should consider hiring both individuals who are highly organized and risk-averse as well as creative risk-takers. Focus the risk-averse on securing the critical systems and business process while allowing the creatives to explore hard problems, new solutions, or ideas.
As you further develop your plans for 2022, I challenge you to go beyond resilience and adaptivity and consider the steps your organization needs to take to build antifragile cybersecurity and privacy programs.
To learn more about how to approach Business Impact Analysis and OCR-Quality Risk Analysis®, access these on-demand programs:
- Business Impact Analysis in Action at USAP
- Understanding OCR-Quality® Risk Analysis: A Discussion with Former OCR Director Roger Severino
Reach out to me with your comments and questions at jon.moore@clearwatercompliance.com