When faced with a health crisis such as a pandemic, the primary objective is ensuring the health and well being of the public and finding the fastest and easiest method to limit the spread of disease and take care of those who are sick. Cyberthreats can hinder public health efforts if mitigation steps are not taken and partners are not engaged before a pandemic or other public health crisis occurs.
An immense amount of resources is dedicated to a wide variety of challenges including epidemiological investigations, medical countermeasure dispensing, public communication and education, workforce training, and a myriad of other issues. However, one common aspect of all of these items that is overlooked is cybersecurity. Often, the cyberrisks involved in a massive healthcare or public health crisis are not considered. In these circumstances, the most vital data is often at risk – especially because people are not looking at a pandemic with the eyes of a cyberattacker.
Cyberthreats & Steps to Mitigate Them
Consider the types of information that are being used in times of crisis, how this information is being accessed and by whom. The need to surge staffing during emergencies can lead to the potential for unsecured systems or unsecured access points. Staff who may not have frequent experience with particular information technology (IT) systems may now require access. This combination can lead to potential vulnerabilities with personally identifiable information, electronic health records, or sensitive operational response systems. New users on a system during a period of heightened activity also leave users more susceptible to common types of vulnerabilities such as phishing attacks, due to the users’ lack of familiarity with the system, sensitive data handling procedures, and security protocols.
When looking at securing sensitive data within the healthcare and public health sectors, the focus is often on personally identifiable information and clinical patient data. These systems typically have strong pre-established security processes. Even in the midst of a disaster, care must be taken to ensure that security processes are followed and maintained. Large amounts of personal data are often readily accessible at multiple emergency locations, and the public is often carrying personal data to hand over to emergency workers in a less than private setting. These factors should be proactively addressed before setting up local operations and again while operations are ongoing.
In addition, emergency operations, logistical, and supply chain data may be readily accessed. Sensitive information – such as where vaccines are being produced, how, where, and when they are being shipped, and quantities of products that are at specific locations – may be subject to theft. The dangers in this situation come from many angles. In addition to potential global threats (including potential nation state actors), many attempts for access may be from local individuals looking to collect data in an attempt to better protect themselves or their families. Perceived shortages of pharmaceuticals or vaccines may cause bad actors to illicitly collect information on the whereabouts of existing supplies to ensure that they can obtain their allotment, through peaceful or less than peaceful means.
Within the healthcare space, bad actors – both internal and external to the organization – looking to exploit the crisis may use the surge in hospital patients and traffic to infect medical devices and hospital networks. As recently as 2017 with the “WannaCry” ransomware attack, hospitals have suffered significant impacts from cyberattacks.
Although concerns about bioterrorism always exist, there have been repeated instances of naturally occurring biological outbreaks, including the Zika and influenza viruses. Despite the ever-present threat, there are steps that can be taken to help mitigate the impacts of a cyber incident during a public health emergency. Local, tribal, state, territorial, and federal government agencies can take several basic steps to better prepare for the vulnerabilities that exist at this nexus between physical and cyber preparedness:
- Engage all partners;
- Evaluate and update plans; and
- Exercise plans.
Engage in an “opt-out” model versus the traditional “opt-in” model. Often when preparing for emergencies, planners invite organizations they believe have equities in what they are facing. However, this common approach has one significant flaw, it assumes that the individual bringing the groups together understands all aspects and nuances of the potential partners; something no one has the ability to know. For instance, during the recent Ebola outbreak, some jurisdictions did not engage their environmental departments to assist in waste management. The assumption was that, if healthcare facilities, public health, and transportation agencies were involved, all equities were covered. However, medical waste management is regulated at the state level, and engagement of state environmental departments was critical. An opportunity to “opt-out” would allow all pertinent agencies to engage earlier in the incident. This can potentially avoid challenges such as those related to hazardous materials handling and final waste dispositions that were encountered in the response. The next time an incident requires a complex multi-agency response, extend the initial invitations to all potential partners. Existing emergency plans should already identify agencies, departments, companies, offices, or business units that lead or support various types of responses, so do not spend time trying to decide who should or should not be involved in the initial conversations. Invite all identified partners and, if they do not identify any equities, let them “opt-out” of future efforts.
Plan, Evaluate & Update. Conduct thorough and meaningful reviews of existing emergency plans. Often, reviews are conducted to assess the adequacy of the existing plan against the current conditions, but, in order for plans to have an effective shelf life, it is important to review plans against current and potential future conditions. Organizations have a variety of tools to identify potential future threats, including existing hazard vulnerability analyses or the FEMA Threat and Hazard Identification and Risk Assessment program. Although there are many different models out there, the accuracy and confidence in the data entered into the model to drive the outcome are more important than which model is used. Once the reviews are conducted, ensure updates are practical and able to be operationalized. All staff members – including those who may be called to assist during a crisis – need to be trained on the updated plans.
Exercises. The plan is not final until the exercise is complete. Prior to that, the plan is still a concept. Exercises are often perceived as requiring extensive planning and expense; however, with a progressive exercise program, response components can be evaluated with minimal staff and operational impacts. Plans should be exercised with all key partners and need to be conducted in a method that allows areas for improvement to be addressed before subsequent, more complex exercises.
Significant progress has been made over the past two decades in preparation for public health emergencies and bioterrorist attacks but these preparedness efforts have often not factored into coordinated cyberattacks. However, cybersecurity challenges have grown at a pace far exceeding the challenges in the public health community. As cybersecurity vulnerabilities and attacks throughout the healthcare and public health sector continue to occur, careful and effective planning and preparedness can help mitigate the effects of these attacks, especially during large-scale public health crises. Engaging in ongoing and localized training and exercise programs and continuously updating emergency preparedness plans also help to mitigate the risks of cyber attacks during public health emergencies.
Nitin Natarajan is a principal at Cadmus and directs Cadmus’ support for public health and healthcare projects in the homeland security sector, helping organizations at all levels of government, nongovernmental organizations, nonprofits, and private sector organizations improve health security and preparedness in the face of complex and evolving challenges. He has more than 20 years of experience leading homeland security, emergency response, public health, healthcare, and environmental initiatives at the local, state, and federal levels. His professional career includes service as: deputy assistant administrator for the U.S. Environmental Protection Agency’s (EPA’s) Office of Land and Emergency Management; director of critical infrastructure policy on the National Security Council; and leader of the U.S. Department of Health and Human Services’ Critical Infrastructure Protection, Continuity of Operations, and Response Logistics Programs. He began his career as a first responder for 13 years, including service as a flight paramedic. He holds a bachelor’s degree from the State University of New York and a master’s degree from the United States Naval Postgraduate School, and he graduated from the Executive Education Program at Harvard University’s National Preparedness Leadership Initiative.