Strategy or tactic: A cybersecurity decision in a landscape full of vulnerabilities

PIC1 Strategy or tactic: A cybersecurity decision in a landscape full of vulnerabilities
Ing. Susan Villaquiral
Coordinator of Networks and Computer Security, Subdirectorate General of Information and Communications Technologies, Valle del Lili Foundation

When we compare the maturity of cybersecurity strategies in healthcare to other fields like banking, there is a huge gap. All sort of things like law regulations, known attacks, loose of reputation and money, have made the banking vertical to be more related and organized around cybersecurity strategies.

But in healthcare losing money and reputation or having a breach of personal data, aren’t the only concerns, the integrity and availability of the patient’s data can mean a patient’s life. Latest researches like the malware produced in Israel that can add or delete cancer marks in a CT scan, creates a new sense of vulnerability that was thought only in terms of machines and operating systems, not in the right or wrong diagnostic of a patient.

With all those risks in mind, the question is: How to define a strategy while the daily operations, recent attacks, new vulnerabilities, push for a tactic to be applied in order to mitigate the risks? That’s when a bimodal concept makes sense: You must do both things at the same time.

So, there’s a few steps to follow as a start point for those who are lost in defining an approach:

  1. Have an inventory of all your devices. The reason is simply: you cannot protect what you don’t know that you have. A key aspect is to include all the devices, and by all, it means that you must include even the medical devices or other type of devices, did you know that even the autoclave machines (sterilization of surgical instruments) are connected to your network?
  2. Automatized the inventory, just for a simple reason, if you have only 100 devices is easy to do this in a file, but when you have thousands deployed in several sites or in big campus, it’s impossible to do it manual. A tool with an agent can help to keep your inventory updated.
  3. Patch management as a policy and a procedure is a basic rule that can help you with known vulnerabilities. But ¿What if you have a medical device that cannot be patched? The micro segmentation and profiling of those devices can help you to isolate the vulnerability or to isolate the threat if the device is already compromised.
  4. Protect your email service. Considering that the email is the number one vector of attack, it makes sense to protect this service not only from spam but from phishing that can bring malicious content that becomes a ransomware, data breach or virus infection.
  5. Stablish an Identity and Access Governance that covers the appropriate definition and assignation of permissions and roles for a user according to his/her role in the organization, the audit of those permissions, the segregation of duty to prevent fraud in core processes and cover the entire lifecycle of the identity.
  6. Design and test a cybersecurity incident response playbook, not only for the cybersecurity team but for the end user. That’s how you can prepare all the stakeholders in the organization on how to act in case a cybersecurity incident occurs.
  7. Choose a Cybersecurity Framework, just one, just pick one. Avoid navigate between frameworks, try to find just one and stick with it. This is going to allow you to establish a pathway based on a best practice and remember that you are running against the clock to protect your organization.
  8. Policies and procedures should be defined while you apply each one of the steps, because that’s the only way that you can assure that all the tools are used properly, and the users understand and comply the policies defined by the organization.

So, with all that in mind and being aware that there is no recipe to follow, where is the strategy? Well, the strategy is the sum of all the tactics described above, and the tactics that you consider relevant to the organization and their current situation, always inside the context of the framework that becomes the knowledge base that allows you to develop new tactics that make a more mature Cybersecurity strategy.