Article Written by Cliff Kittle and Mary Chaput Originally Published on beckershospitalreview.com on September 05, 2017
It is natural, given their business of treating the sick, for those in the healthcare industry to be reluctant to describe the threat to patient information security and the possible danger to the welfare of a patient as “war”.
While the industry may not like the term “war”, and may refuse to see the threat environment it is confronting as one of “war”, the fact of the matter is that reluctance and denial do not change the reality of the situation in which the industry finds itself.
Despite the unwillingness to give it a name, the healthcare industry, as a whole, must change its attitude towards every endeavor undertaken to protect patient data and, subsequently, patient safety. The success of any effort to change a mindset will be determined by the perspective displayed by leadership.
If the evolving threat environment in the healthcare industry is to be effectively suppressed, the current attitude of many of the members of the industry must experience significant change. During the Information Security Media Group Healthcare Security Summit this past November, John Houston, Vice President & Associate Counsel, University of Pittsburgh Medical Center, made the comment, “Threats will continually change, technology will continuously change, business use cases will continuously change; therefore, security needs to continuously change.” Such change requires a change in attitude by executive management and the leaders of the security effort of each organization.
The importance of attitude cannot be overstated. In the Marine Corps, our philosophy was “Attitude is Everything.” As a leader, your attitude will make all the difference in the outcome of any initiative. The leader’s attitude becomes the organization’s attitude. In the case of healthcare information security, the organization’s posture towards protecting patient data and patient safety is reflective of the leadership responsible for the financial viability of the business.
In healthcare information security, Deven McGraw, Deputy Director - Health Information Privacy, Department of Health and Human Services' Office for Civil Rights, has called for industry leaders to develop a war mindset. A war mindset is founded on an attitude that is, too often, foreign to many in the industry. In an effort to assist organizations in developing such a mindset, the whitepaper “Applying the Doctrine of Maneuver Warfare to the Execution of a Cybersecurity Action Plan”1 was written. The paper provides guidance on adopting the seven principles of the Doctrine and assists the organization in implementing the proactive defensive strategy necessary for defending the critical information assets of any organization in the healthcare industry.
What makes cyberattacks so fearsome is their asymmetrical nature. Over the years, the technologies being applied in this cyber war have evolved in volume and sophistication, enabling adversaries to create financial turmoil on “enemy soil” (i.e. the US Healthcare Industry).
The angst these attacks create can have a debilitating effect on every member of an organization if they have not been properly trained and equipped both to contribute to the prevention of an attack and to continue to perform their duties during an attack. To win, the proper attitude of every member of an organization must be developed through effective training. Effective training is achieved through continuous preparation and repetition of each person’s responsibility. The first principle of the Doctrine, “Target Critical Vulnerabilities”, emphasizes the need to develop attack scenarios based on the critical vulnerabilities the organization has identified and the current threat intelligence on the tactics of the threat actor community. This exercise of identifying and training on threat-vulnerability scenarios improves the preparation needed to address an attack. The repetition of these scenarios provides the opportunity to strengthen the proper response habits of those involved in such an attack. In the Marine Corps this preparation/training principle, while not met with great enthusiasm, was justified by the philosophy of “Harass your men in time of peace, and war will be a pleasure”. In other words, the better prepared you are before a bad thing happens, the less damage you will experience when it does.
The scenarios serve to set the expectation of the leader and his/her intent in the response. Studies in the field of psychology have confirmed that people perform according to the expectations of the leader. The leader’s expectations are established, to some degree, by the attitude displayed by the leader and further reinforced by the training regimen implemented.
Preparation enables an organization to be “Bold” in its decision making, which is the second principle of the Doctrine. An example of such a “Bold” decision might be the use of the third principle, “Surprise”. Sun Tzu in “The Art of War” speaks of surprise as “Appear weak when you are strong, and strong when you are weak”. In both situations, if the organization is prepared, the result will be a necessary but unexpected change in the adversary’s strategy. The Surprise principle creates delays in the attack and allows the defender to dictate the moves and countermoves at a “Tempo” (the sixth principle of the Doctrine) that the adversary is not able to match.
So, while the leadership of an organization may be reluctant to call their information security efforts a “war”, the continuous oversight, regular testing of response scenarios, and repeated employee training advocated by the principles of the Doctrine of Maneuver Warfare are what is needed if the strongest security defense for that organization’s operating environment is to be implemented and adequately maintained. The caveat is that it requires an attitude, on the part of leadership, that has yet to be commonly displayed within the healthcare industry.