Healthcare cybersecurity needs a dose of threat modeling

If healthcare cybersecurity can keep healthcare CIOs up at night, they're getting virtually no sleep during the COVID-19 pandemic.

Ransomware attacks have become more common and the consequences of those attacks more serious since the pandemic began. Recent events include the ransomware attack against Universal Health Services that shut down the IT network of all 400 of its healthcare facilities in the U.S., as well as an attack on a hospital in Düsseldorf, Germany, that potentially resulted in the death of a patient.

According to cybersecurity expert Josh Corman, there are steps healthcare CIOs can take now to prepare for cyber attacks. Corman, co-founder of nonprofit cybersecurity volunteer organization IAmTheCavalry.org, recently joined the Cybersecurity and Infrastructure Security Agency (CISA) as a senior advisor to help with COVID-19-related activities such as the supply of personal protective equipment (PPE) and the cyberthreats facing that supply chain. CISA serves as the nation's cybersecurity risk adviser and provides cybersecurity tools and risk assessments to critical infrastructure partners, including healthcare organizations.

In this Q&A, Corman shared how threat modeling and data backups can make a difference for a healthcare cybersecurity program.  

What have you seen in your CISA role on security issues related to COVID-19? 

Josh Corman

Josh Corman: In the early days, we had concerns about not overwhelming health delivery organizations or the vital supply chains. This was mostly economic adversaries that were targeting the lifesaving resources during a pandemic. This was to secure the response either in points of care delivery, those supply chains for vital parts, and misinformation campaigns to undermine confidence in the public to trust their government or their healthcare response.

During my onboarding, the U.S. government put significant money and a whole government approach into Operation Warp Speed, which has become a larger part of my responsibility. Operation Warp Speed is to accelerate the development and distribution of vaccines, therapeutics and diagnostics. In that capacity there is significant effort from the Department of Defense, Health and Human Services, the Central Intelligence Agency and the Department of Justice, but we play a key role in risk management and delivering services proactively and reactively to many of these vital entities that are in that entire supply chain from vaccine research all the way down to the administration into somebody's arm later. I brought a lot of my private sector expertise to do supply chain risk analysis to make sure we can rapidly identify, connect with, offer services to, and identify gaps and areas for improvement so we have the best foot forward to make sure there's no delay in that vital lifeline.

What's one way healthcare CIOs can take action to improve healthcare cybersecurity today?

Corman: There is a concept that's often skipped called threat modeling, which helps you look at the architecture of what data flows from one place to another or what are the trust boundaries. If [the system] is compromised, what's the worst it could do? Think of it like a submarine; you could have a flood in one compartment without sinking the whole ship. So a good threat model anticipates leaks will happen but can contain them to one spot.

I can't stress enough the critical importance of backup, offline storage and restoration regimes.

Even if you didn't think to do it in advance, you can do a retroactive threat model on any of these new innovative IT services you've pulled together. You can then talk about adversary situations. For example, if someone wants to steal information from here, how could they do so? That's the obvious one.

The less obvious one, back to my information operations concerns, is if you were to mess with the integrity of the data and direct people not to the nearest place to get [a COVID-19] test but rather to the nearest fast food restaurant, people would no longer trust your medical institution or, maybe, the government. So whether it's sowing seeds of doubt through integrity attacks or stealing information, threat modeling can be a very useful way to anticipate who might come after what, where the weakest spots are and how to instrument [architecture] to know when [an attack has] happened or recover if it has already happened.

Going forward, what should healthcare CIOs be doing to make their healthcare cybersecurity programs more robust?

Corman: Ideally, we want to prevent compromise from attacks, but when you can't, when you get knocked down, it's important to get back up quickly. So, I can't stress enough the critical importance of backup, offline storage and restoration regimes. People pay risk services to do it, but it's not often funded by the security teams. It's usually funded by the IT teams and it can be a vital part of disaster recovery. The issue is when you don't have a good backup storage recovery campaign, the ransom can sometimes compromise the backups as well if they're not stored offline. It's not a product, it's a practice.

Related to that, I'm a huge fan of tabletop crisis simulations. You introduce a fictitious ransom and you test how the organization handles it. … You do what you're supposed to do, you bust out your playbook if you have one, and you usually fail in different, novel ways each time. But the key is, just like our kids going through a fire drill and learning where the exits are, we want to know where we're going to fall down.

Editor's note: Responses have been edited for brevity and clarity.