Although the thought of a large-scale cyberattack seems unlikely, according to experienced cybersecurity guru Richard Clarke, hospitals should be preparing for one. Clarke refers to “outlier events”, such as attacks on American infrastructure, electrical grids, nuclear plants and, to a lesser extent, hospital databases and medical devices. Clarke says that cybersecurity is all about risk management, and therefore needs to be perceived through the filter of a risk management focus. In an article from Healthcare IT News, Clarke shares three tips for hospital executives to help them prepare for a large-scale cyberattack:
1. Focus on generators and fuel: This step involves figuring out where to place a generator, where to store your oil and gas, and ultimately ensuring that you can get more oil and gas after the first 24 hours of a cyberattack. When the tsunami hit Fukushima, it sent water over the sea walls and engulfed the generators, leaving no way to cool the nuclear cores and triggering a meltdown. On 9-11, the generator in the Center 7 tower was on the 10th floor, so when shards fell from towers 1 and 2, they ignited 7. Of course, the ideal location of the fuel and generators will vary from one site to the next.
2. Lock down medical devices: In day-to-day operations, hospitals need to make sure that medical devices are air-gapped and on a network that’s disconnected from any network that could be connected to the Internet. People often think a network is air-gapped when it actually isn’t. If you’re on a life-sustaining device, you don’t want it to be addressable, so this is particularly important in a hospital.
3. Protect personal privacy: Most hospitals have a rich database of information that people value. Beyond merely stealing data from a hospital lies the threat of destroying PHI, PII and intellectual property. While this hasn’t happened yet, it’s still possible and could happen in healthcare, so it needs to be on the risk register.
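Tip 2 depends on whether a device network can reach the Internet through any chain of connections, not only a direct one. The following Python code is an added example, not from the article or from Clarke: it walks a constructed inventory of network links (every segment name is hypothetical) and reports the chain that breaks a supposed air gap.

```python
from collections import deque

# Constructed inventory (not from the article). Each pair can exchange traffic,
# whether through a router, a firewall rule, or a host with a NIC on both sides.
LINKS = [
    ("internet", "dmz"),
    ("dmz", "corporate-lan"),
    ("corporate-lan", "nurse-station-pc"),   # workstation on the office LAN...
    ("nurse-station-pc", "infusion-pumps"),  # ...with a second NIC on the device VLAN
    ("ventilators", "ventilator-console"),   # isolated pair, no uplink
]

def build_graph(links):
    """Build an undirected adjacency map from (a, b) link pairs."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def path_to_internet(graph, segment, internet="internet"):
    """Return the shortest chain of segments from `segment` to the Internet,
    or None if the segment is air-gapped according to this inventory."""
    if segment not in graph:
        return None  # no recorded links at all
    parent = {segment: None}
    queue = deque([segment])
    while queue:
        node = queue.popleft()
        if node == internet:
            path = []
            while node is not None:  # walk back to the starting segment
                path.append(node)
                node = parent[node]
            return path[::-1]
        for neighbor in sorted(graph[node]):
            if neighbor not in parent:
                parent[neighbor] = node
                queue.append(neighbor)
    return None

def audit(links, device_segments):
    """Map each device segment to its Internet path (None means air-gapped)."""
    graph = build_graph(links)
    return {seg: path_to_internet(graph, seg) for seg in device_segments}

if __name__ == "__main__":
    for seg, path in audit(LINKS, ["infusion-pumps", "ventilators"]).items():
        print(seg, "->", " -> ".join(path) if path else "air-gapped")
```

The result is only as good as the inventory: a link that is missing from the list, such as an undocumented vendor modem, will not be found.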