What is Cybersecurity Posture?
Cybersecurity posture relates to an organization’s ability to protect itself from cyber-attack, through the use of controls and protocols. In other words, cybersecurity posture relates to an organization’s overall state of readiness when it comes to cybersecurity.
– Does an organization have visibility of all its devices?
– Is it able to anticipate threats and detect vulnerabilities?
– What controls and mitigations are put in place when a vulnerability is detected?
– Is the organization positioned to react and recover when a breach or attack occurs?
When we talk about cybersecurity posture, we are talking about the formalized approach an organization takes with regards to the security of their hardware, software, networks, information and systems. This is not just internally focused but in all areas of connectivity, extending to management of vendors and service providers.
Organizational threats can come from many sources, both malicious and accidental. Deliberate attacks can stem from malicious software (e.g., malware) or cybercrime (hackers). Cybercrime has many drivers – opportunistic hacks, ransomware, theft of IP, industrial sabotage and more.
Threats can be, and often are, accidental. Internal threats can occur when the actions of an individual cause an unexpected or unwanted impact. It could be as simple as an employee losing an access pass or deleting critical data. These types of threats occur without genuine intent, but can still have a significantly negative impact on the organization. Robust cybersecurity posture can protect an organization from all possible threats, no matter the source.
Cybersecurity Posture and Threats to Healthcare Systems
Over the past decade, cybersecurity threats have been increasing in both frequency and scale. The WannaCry ransomware attack in May 2017 was a watershed moment. This worldwide cyberattack exploited a vulnerability in Microsoft Windows. The vulnerability had been disclosed and patched previously, but many organizations had failed to react. A crypto worm restricted access to critical information and demanded ransom payment in Bitcoin. The attack crippled healthcare systems around the world. In the UK alone, the attack cost the NHS £92m ($116.4m) and led to 19,000 cancelled appointments.
A similar attack occurred in Ireland in May 2021, when the Health Service Executive (HSE) suffered a major ransomware attack and was forced to shut down all of its IT systems across the country. The attack began with a single computer and one employee clicking on a malicious link, which led to the private data of patients being accessed by a criminal gang. It is estimated that the cost of the attack will amount to more than €100m ($116m).
Global Regulation and International Standards
Across the world, governments have introduced legislation to reduce cybersecurity risk and to protect the privacy of personal information. Some laws are general and aim to protect personal information, while others are industry or vertical specific. Industry standards and their regulations have become a complex and costly burden for organizations.
Regulations and standards provide an overview of what data should be collected and how data and devices should be securely managed. They outline ways to protect connected devices, including security controls such as authentication and data de-identification. Here are just some of the healthcare cybersecurity standards and best practices that have been launched around the world over the past ten years.
AAMI TIR 57
Technical Information Report 57 (TIR57), “Principles for Medical Device Security—Risk Management,” published by the Association for the Advancement of Medical Instrumentation (AAMI), provides guidance to help medical device engineers integrate cybersecurity risk management into the overall development of the device so they can pre-emptively identify and stop potential threats before the device goes to market. Specifically, it provides a list of steps for how to identify and evaluate threats and vulnerabilities, control security risks, and monitor the efficacy of these controls.
UL 2900 Series
The UL 2900 series of standards is three related documents titled Software Cybersecurity for Network-Connectable Products. UL describes its 2900 series as a testing framework for manufacturers to objectively demonstrate their compliance with FDA expectations for medical device cybersecurity. It provides repeatable, reproducible, testing-oriented criteria to assess a device’s cyber vulnerabilities, fight malware, and test the security measures. From a product testing perspective, UL 2900 requires all interfaces of the product and its communication channels be defined, and that security risk controls be applied in a manner consistent with product risk management principles (including those in TIR57).
DTSec
In 2016, Diabetes Technology Society (DTS) completed the first broad consensus cybersecurity standard with performance requirements for any medical device. Named DTSec (DTS Cybersecurity Standard for Connected Diabetes Devices), the standard contains both performance requirements and assurance requirements. The goal of DTSec is to raise confidence in the security of network-connected medical devices through independent expert security evaluation. Although originally intended only for diabetes devices, DTSec can inherently be used in any medical product contributing to the protection of high value assets.
DTMoSt
DTMoSt takes the principles of DTSec and applies them specifically to the use of mobile phones to control actions by wearable or implantable diabetes devices. The involvement of mobile phones requires special consideration because the device function depends on resources that a general-purpose phone must keep available. Stakeholders affected by connected medical devices will increasingly demand assurance of safe cybersecurity from the healthcare professionals who prescribe and oversee the use of these products.
IEC/TR 80001-2-2
IEC/TR 80001-2-2, “Application of risk management for IT networks incorporating medical devices – Guidance for the communication of medical device security needs, risks and controls” (IEC 2011), is a technical report that sets out to promote the communication of the security controls, needs and risks of medical devices to be incorporated into IT networks between medical device manufacturers (MDMs), IT vendors and healthcare delivery organizations (HDOs). It is the only guidance available that specifically addresses security requirements for networked medical devices.
IEC 62443-3-3
Because medical devices are becoming more interconnected, the FDA has recognised the IEC 62443 family of standards as foundational standards for medical device cybersecurity. This is a very comprehensive set of twelve standards, initially developed by the ISA99 committee and since adopted by the International Electrotechnical Commission (IEC). The standards cover every aspect of the security life cycle for systems used in Industrial Automation and Control Systems (IACS). Medical devices are now being considered the equivalent of IACS because, in some cases, they are now controlling the human body (Goodenough, Weinstock et al. 2012).