Let’s Talk About Resilience
Date
Tue, Oct 8, 2024, 05:00 AM
CHIME Announces Incoming Board Members and 2025-2026 Board Officers. Learn More
Date
Tue, Oct 8, 2024, 05:00 AM
It’s time to broaden our cyber protection strategy. We need new strategies and tactics to strengthen healthcare organization’s critical systems and IT infrastructures and defend the healthcare sector against increasingly sophisticated and well-resourced adversaries.
One key strategy can be “Engineering-In” Cyber Resiliency.
REFERENCE: NIST SP 800-160, Volume 2, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach”
Healthcare organizations are prime targets for cyberattacks due to the vast amounts of personal health information they manage and the patient care services they provide. They can also be susceptible to fraud and financial crimes. Ransomware attacks, data breaches, APTs and phishing schemes can disrupt healthcare services, compromise patient safety and privacy, and lead to financial losses. Cyber resiliency involves not only protecting against these threats but also ensuring that IT systems can recover quickly and effectively, with minimal impact on business operations.
Focus on All Threats
The cyber resiliency challenge is informed by an understanding of the entire threat landscape. A good example that is explored by NIST is the advanced persistent threat (APT). The objective of adversaries with APTs include establishing and extending footholds within systems for the purposes of:
The APT pursues its objectives repeatedly over an extended period, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives NIST SP 800-39. A cyber resilient approach must also persist in defending IT systems and should consider:
Consider Defensive Architectural Approaches - “Engineering-In” Resiliency
Critical considerations for our defensive efforts include managing cyber risk and ensuring resilient systems. Cyber resiliency in healthcare IT involves not just protecting against cyberattacks but ensuring that systems can recover swiftly and normally when attacks occur. There is a dual focus on preventive controls and ensuring full recovery.
But there is more we can do. Traditional security controls, such as firewalls, endpoint protection, encryption and other measures are essential but insufficient on their own. A cyber-resilient approach integrates robust data protection strategies, regular backups, redundant functionality and comprehensive incident response plans involving all teams and management levels. These elements work together to mitigate damage and restore operations with minimal disruption.
Still, we still may see this as motherhood and apple pie and we may focus too narrowly on certain well known resiliency approaches, such as Segmentation, Redundancy, Backup and Restore. NIST discusses a Systems Engineering Approach to Cyber Resiliency and what we can do to incorporate this approach into our arsenal of defensive strategies.
To whet your appetite, consider these architectural design-based resiliency techniques defined in the NIST Cyber Resiliency Guidance:
Source : NIST SP-800-160, Vol 2.
Many of these techniques are familiar to us (such as Network Segmentation, Redundancy, Backup and Restore), but many are under-considered, and we may not have seen such a useful categorization of techniques. Unpredictability, Deception and Diversity and others, as suggested by NIST, are among the some of the many, perhaps underutilized, architectural approaches.
Cyber Resiliency in the System Development Lifecycle
NIST also describes general considerations for applying cyber resiliency concepts and framework constructs to the System Life Cycle Development (SDLC) stages and processes. Cyber resiliency constructs are interpreted and cyber resiliency engineering practices are applied in different ways depending on the system life cycle stages [ISO 15388]: Concept, Development, Production, Utilization, Support and Retirement.
Importantly, the NIST document maps Cyber Resiliency Constructs into the SDLC stages.
Take-Aways
All discussions of cyber resiliency focus on assuring mission or business functions and should consider the assumption that the adversary will breach defenses and establish a long-term presence in organizational systems. Organizations can include cyber resiliency approaches can be integrated into their SDLC processes. And it goes without saying that a “cyber-resilient system” is a system that provides a degree of cyber resiliency commensurate with the system or/business process’s criticality.
Some takeaways from the NIST document:
The draft update to NIST SP 800-160, Volume 2, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach,” turns the traditional perimeter defense strategy on its head and moves organizations toward a cyber resiliency strategy that facilitates defending systems from the inside out instead of from the outside in. This guidance helps organizations anticipate, withstand, recover from, and adapt to a variety of adverse conditions, stresses, or compromises on systems
I encourage you all to continue to learn about these approaches by accessing the following resources:
More to come on this soon!