Storm Offers Disaster Planning LessonsCross-Training Staff an Essential Step
Organizations recovering from a natural disaster need to consider the various cyber-risks that can affect them, says Deborah Kobza, CEO of the Health Information Sharing and Analysis Center.
"As power comes back on and computers and systems come back up, are [organizations] seeing any activity out on their network that might be malware or a cyberattack?" she asks in an interview with HealthcareInfoSecurity [transcript below].
To prepare for such threats, organizations should reach out to the National Health ISAC to ensure they have their finger on the pulse of any threats or vulnerabilities that are out there, Kobza explains. "If all the ISACs can get that information out to their members, we turn from being in a reactive cybersecurity stance to a proactive stance," she says.
The National Health ISAC has two initiatives under way to further assist organizations. One is a cyber first-responder program, similar to physical first-responders on the scene of a disaster, Kobza notes. "Cyber first-responders will receive annual training and certifications so they know what to do in the event of a disaster," she explains.
Another resource that will soon be available is a nationwide instant communications system, Kobza says. "In the event that the National Health ISAC needs to send out instant communications nationwide to hospitals and healthcare organizations, we can do that with the flip of a switch, before all those systems go down," she says.
"We'll be much better prepared with this National Cybersecurity Response System, but we really have to work collaboratively because what you might miss individually we see together collaboratively," Kobza emphasizes.
In the interview, Kobza also discusses :
- Technology resources organizations needed following Hurricane Sandy;
- Business continuity and disaster recovery struggles;
- Lessons learned for healthcare organizations.
Kobza heads the National Health Information Sharing & Analysis Center based at the Global Situational Awareness Center at Kennedy Space Center. She is certified in the Governance of Enterprise Information Technology and National Information Exchange (U.S. Department of Justice). She has more than 30 years of experience in risk-based enterprise technology, security, information assurance, data governance, research and workforce education for government, academia and healthcare organizations. She also serves as president of the Global Institute for Cybersecurity + Research, or GICSR.
The National Health Information Sharing and Analysis Center is one of the nation's 18 ISACs that are supporting national critical infrastructure protection.
MARIANNE KOLBASUK MCGEE: Tell us a bit about your organization and your role.
DEBORAH KOBZA: The National Health Information Sharing and Analysis Center is one of the nation's 18 ISACs that are supporting national critical infrastructure protection. After 9/11, 18 national critical infrastructures were identified for physical and cybersecurity protection, and there's a federal agency that's responsible for each one of the critical infrastructures, writing a protection plan. Along with that, there's an associated private sector- led ISAC that's recognized by the federal government and their respective sector to support being that operational arm reaching out and working with critical infrastructure owner-operators for protection. A lot of people don't realize that over 85 percent of our nation's critical infrastructures are owned by the private sector.
National Healthcare and Public Health Cyber Response System
MCGEE: In the hours following the hurricane, National Health ISAC activated the National Healthcare and Public Health Cyber Response System. Tell us a bit about what that is and how that's helping in the recovery efforts?
KOBZA: What the National Cybersecurity Response System is focused on is being a compliment or providing assistance to emergency operation protocols and procedures that are already in place. It's not duplicating or taking place of any preparedness or response protocols and activities that are taking place, but really helping to be additional boots on the ground that are reaching out to individuals within the health sector. [That includes] individual hospitals and healthcare organizations, pharmaceutical and medical device companies to determine if they have any unmet needs and more specifically to talk about - as power comes back on and computers and systems come back up - are they seeing any activity out on their network that might be malware or a cyber attack. That's when we're most vulnerable, when those systems start to come back up, and an attacker could send a piece of malware or attack it or a number of things that could embed themselves on a network in order to act later. We try to remind people to be mindful of not bypassing security protocols as you're bringing your systems and networks back up, and just reach out to them and provide them with resources, best practices and information however they need it.
MCGEE: For healthcare organizations that were impacted by Hurricane Sandy, what kinds of technology resources did they need in the hours and the days following the storm, and what are they still in need of?
KOBZA: The biggest need was definitely fuel and generators. All of the ISACs were participating in numerous conference calls with the Department of Homeland Security, FEMA and other federal agencies and all of the ISACs tracking what was needed as far as response for the storm on a 24/7 basis. A lot of the needs of course were from power outages, from transportation not being able to get through. If they did have generators, you saw on the news the critical need for getting fuel. One of the major pipelines there, Colonial Pipeline, was shut down for quite a while and tankers couldn't get into the ports. And it's still serious in several places, trying to get power up and going.
Some of the things that we heard back from the health sector were that in their disaster recovery plans, when people are working from home, they haven't made some of the appropriate plans because everyone is not necessarily going to have access to the Internet to be able to work. They're going to be without power as well. So as power was coming back on, getting people to come into work was still an issue because they're at their homes with no power and possibly no transportation. If they have children that can't go to school, they can't leave the children at home. There have been quite a number of issues that are in place, but as far as the technology part of what critical infrastructure owners and operators needed, it was making sure that those systems and networks came back up. I'm sure everyone knows with the implementation of the HITECH Act and electronic health records all being online and accessible, that all goes away, so all the hospitals and healthcare organizations have to have back-up plans if they cannot get to those electronic health or medical records.
Business Continuity, Disaster Recovery Struggles
MCGEE: What are the biggest business continuity and disaster recovery struggles that healthcare organizations experienced in the hurricane? How did they differ among hospitals versus doctor groups and clinics, device companies, pharmaceutical companies? Were there different needs?
KOBZA: When you look at pharmaceutical, medical-device companies and those organizations that support the health sector, [which] covers manufacturing, providing services, ambulances, transportation, it's difficult to be able to provide those services if you're without power. The pharmaceutical companies and the drug supply were never in danger. That was working really great as far as being able to get the pharmaceuticals and the medical devices that are out there. The one thing regarding medical devices that concern comes into place is wireless medical devices that depend on the Internet. Say, for example, if someone has an embedded pacemaker or an insulin pump that's managed wirelessly by a doctor to adjust the insulin or how a pacemaker works within a person's body, not being able to have that functionality and that technology in place to make that adjustment, or for those patients that need battery power or to be able to recharge, not to be able to have that is very, very critical.
MCGEE: What did those patients do?
KOBZA: They had communications that were going out, and a lot of facilities where people were going to stay at, the shelters, there were charging facilities that were available. Word like that needs to get out and people need to be better prepared. We hope nothing like this ever happens again but we know we will continue to have storms, tornadoes, earthquakes and hurricanes, but we need to make sure that ... people know where those facilities are and where those people are so we know how to get to them to [bring] them to those facilities if they can't get to them themselves.
MCGEE: You mentioned earlier that organizations need to keep cybersecurity in mind as they bring their operations back to normal. Are there any resources related to cybersecurity that these organizations are reaching out for, and how can you help them?
KOBZA: One of the resources that they need to reach out to is the National Health ISAC to make sure that they have their finger on the pulse of any threats or vulnerabilities that are out there, so they know what counter measures to put into place. We need to be able to help protect each other. Let's say, for example, a healthcare organization, hospital or even a bank or an organization in the water sector has a cyber attack. If all the ISACs can get that information and get that information out to their members, we turn from being in a reactive cybersecurity stance to a proactive stance.
Another one of the resources that we're right now in the process of implementing with the National Cybersecurity Response System for healthcare is for every hospital and healthcare organization and organizations supporting the health sector, we're identifying two to three cyber first-responders. Just like you have physical first responders in the events of a hurricane or tornado, cyber first-responders will receive annual training and certifications so they know what to do in the event of a disaster - whether it be physical or cyber - what to do within their own organization, how to work within the health sector and how to work across other critical infrastructures.
Another resource that will be in place by the first of the year is a nationwide instant communications system. In the event that the National Health ISAC needs to send out instant communications nationwide to hospitals and healthcare organizations, we can do that with the flip of a switch, whether it's via e-mail, via text, or on a cell phone, before all those systems go down. We'll be much better prepared with this National Cybersecurity Response System, but we really have to work collaboratively because what you might miss individually we see together collaboratively.
Hurricane Sandy: Lessons Learned
MCGEE: What are the most important disaster planning and recovery lessons that have been learned from Hurricane Sandy so far that you think will be helpful to healthcare organizations when preparing for crisis in the future?
KOBZA: There are really great plans and protocols in place from a federal, state, city and local level. I can't tell you how impressed I was sitting on a lot of those conference calls listening to the activities and the coordination, not just on the regional level there in the northeast, but really reaching out on a national basis with other companies, organizations and the public sector to help support those organizations impacted up in the northeast. The lessons I think that we can learn from disaster preparedness and planning is to have more back-up plans. If one plan doesn't work, you need to have another one go into place. If you have a workforce shortage, you need to make sure that the workforce that you have is cross-trained, so the ones that are on-site know what to do for those that can't get into work.
One of the things that we also need to be able to do is to help each other. Just like we do on the physical side, coming in and helping with facilities, saving lives and providing support, food and shelter, from a cybersecurity perspective we're working on having a national technology resource pool. So when you do have to have folks that can come in and help you with technology and building those infrastructures back again that have been destroyed, we can all work together under mutual aid agreements and come together as a nation to help support each other.