How High Will We Go?

Last year Ponemon reported information security incidents cost the healthcare industry more than $6.2 billion. I expect this year that number will continue to increase.

One reason is that the number two cost vector cited in the report was ransomware. Ransomware incidents are not on the decline. TrendMicro reported in August that just the first half of 2016 had seen a 172% increase in ransomware incidents over all of 2015 combined.

Another reason is the importance of information availability in the clinical environment. Where other industries may sardonically quip, “it’s not a matter of life and death,” in healthcare, it quite literally is. As an analyst at ESET put it, “Criminals know this and are deliberately targeting medical organizations.”

Collectively, those of us in the information security field hold a special trust and confidence with those who share personal health information. We need to do a better job of controlling risks to that information, and of advocating the need to allocate resources to those who approve budgets but may not completely understand risk.


The Power We All Depend On

In most of the United States, the power is on 24x7x365. Some areas still encounter outages due to weather, but those outages can be anticipated. Times are changing, and now national, or at least regional, outages lasting days or weeks are possible. What used to be a theoretical concern, from the Cold War or from prepper hyperbole, must now be weighed in earnest during risk assessment and disaster recovery planning. And here is why.

Both EU institutions and the US energy sector recognize the vulnerability of the electric grids we all depend on. And industry experts point to the rising frequency and sophistication of attacks. What is worse, and possibly a sign of things to come, are the coordinated large-scale efforts to attack power grids at precisely the time when we are all most dependent and hence most vulnerable, as happened in Israel this week.

For the typical IT engineer, CIO, or IT Director, redundancy is the name of the game.  Data backup, power backup, and even co-locations provide assurance that if the lights go out, the enterprise can maintain operations.  But there is a missing component to this strategy: the certain knowledge that this system will be used.  What I am suggesting is that there needs to be passion and urgency, not just planning and testing.

It is only a matter of time before a well-planned, coordinated, and intense action to disrupt or destroy the US power grid, internet, or other critical infrastructure is attempted. Whether it comes from state-sponsored agents or hacktivists won't matter to the institutions that are hurt.

The question becomes, what more needs to be done?  To start, those who are responsible for the management, planning and testing of enterprise business continuity management must analyze scenarios in depth.

For example, a company headquartered in Palo Alto, CA with a co-location in Las Vegas, NV is still vulnerable if the Western Interconnection (the power grid for the entire western US) is offline for an extended period of time. To be fair, smaller companies and government agencies may not have the resources to be thinking beyond the state they reside in, let alone the continent, but thinking in terms of large-scale events that show a growing likelihood of occurring cannot be left to the largest organizations with deep resources. Indeed, our first responders, hospitals, and community leaders are those we implicitly rely on to put the most well-thought-out plans in place to provide safety and security with only limited allocations of resources. Likewise, the incident response plan must make the most of what is available, and address the risks to the most critical aspects of the enterprise.

Whether as a tangential part of the controls implemented in the information security management system, a full application of the ISO 22301 management system, or another system, every company that wishes to remain a going concern the day after crisis strikes must plan, implement, test, and improve their crisis response, disaster recovery, and continuity management.