
Let’s Talk About Resilience

Date

Tue, Oct 8, 2024, 05:00 AM

It’s time to broaden our cyber protection strategy. We need new strategies and tactics to strengthen healthcare organizations’ critical systems and IT infrastructures and defend the healthcare sector against increasingly sophisticated and well-resourced adversaries.


One key strategy can be “Engineering-In” Cyber Resiliency.


REFERENCE: NIST SP 800-160, Volume 2, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach”


Healthcare organizations are prime targets for cyberattacks due to the vast amounts of personal health information they manage and the patient care services they provide. They can also be susceptible to fraud and financial crimes. Ransomware attacks, data breaches, APTs and phishing schemes can disrupt healthcare services, compromise patient safety and privacy, and lead to financial losses. Cyber resiliency involves not only protecting against these threats but also ensuring that IT systems can recover quickly and effectively, with minimal impact on business operations.


Focus on All Threats


The cyber resiliency challenge is informed by an understanding of the entire threat landscape. A good example that is explored by NIST is the advanced persistent threat (APT). The objectives of APT adversaries include establishing and extending footholds within systems for the purposes of:


  • exfiltrating information
  • undermining or impeding critical aspects of a mission, program, or organization
  • espionage, business interruption and influence campaigns
  • positioning itself to carry out these objectives in the future.


The APT pursues its objectives repeatedly over an extended period, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives (NIST SP 800-39). A cyber resilient approach must also persist in defending IT systems and should consider:


  • the resources associated with the APT, its stealthy nature, its persistent focus on the target of interest, and
  • its ability to adapt in the face of defender actions, making it a highly dangerous threat.


Consider Defensive Architectural Approaches - “Engineering-In” Resiliency


Critical considerations for our defensive efforts include managing cyber risk and ensuring resilient systems. Cyber resiliency in healthcare IT involves not just protecting against cyberattacks but ensuring that systems can recover swiftly and normally when attacks occur. There is a dual focus on preventive controls and ensuring full recovery.


But there is more we can do. Traditional security controls, such as firewalls, endpoint protection, encryption and other measures are essential but insufficient on their own. A cyber-resilient approach integrates robust data protection strategies, regular backups, redundant functionality and comprehensive incident response plans involving all teams and management levels. These elements work together to mitigate damage and restore operations with minimal disruption.

Still, we may see this as motherhood and apple pie, and we may focus too narrowly on certain well-known resiliency approaches, such as Segmentation, Redundancy, Backup and Restore. NIST discusses a Systems Engineering Approach to Cyber Resiliency and what we can do to incorporate this approach into our arsenal of defensive strategies.


To whet your appetite, consider these architectural design-based resiliency techniques defined in the NIST Cyber Resiliency Guidance:


[Graphic: architectural design-based cyber resiliency techniques]

Source: NIST SP 800-160, Vol. 2.


Many of these techniques are familiar to us (such as Network Segmentation, Redundancy, Backup and Restore), but many are under-considered, and we may not have seen such a useful categorization of techniques. Unpredictability, Deception, Diversity and others, as suggested by NIST, are among the many, perhaps underutilized, architectural approaches.


Cyber Resiliency in the System Development Lifecycle


NIST also describes general considerations for applying cyber resiliency concepts and framework constructs to the System Development Life Cycle (SDLC) stages and processes. Cyber resiliency constructs are interpreted and cyber resiliency engineering practices are applied in different ways depending on the system life cycle stages [ISO 15388]: Concept, Development, Production, Utilization, Support and Retirement.


Importantly, the NIST document maps Cyber Resiliency Constructs into the SDLC stages.


Take-Aways


All discussions of cyber resiliency focus on assuring mission or business functions and should consider the assumption that the adversary will breach defenses and establish a long-term presence in organizational systems. Organizations can integrate cyber resiliency approaches into their SDLC processes. And it goes without saying that a “cyber-resilient system” is a system that provides a degree of cyber resiliency commensurate with the system’s or business process’s criticality.


Some takeaways from the NIST document:


  • We must understand that Resiliency is an Engineering Discipline. (Other examples of engineering disciplines include security, reliability, survivability, and safety.)
  • For system/cyber resiliency, IT and cyber protection architectural considerations are key. Cyber resiliency will have us considering additional, new defensive architectural approaches.
  • Organizations can and should integrate cyber resiliency approaches into their SDLC processes.
  • We have some important, often overlooked guidance and engineering approaches to this challenge:


The draft update to NIST SP 800-160, Volume 2, “Developing Cyber-Resilient Systems: A Systems Security Engineering Approach,” turns the traditional perimeter defense strategy on its head and moves organizations toward a cyber resiliency strategy that facilitates defending systems from the inside out instead of from the outside in. This guidance helps organizations anticipate, withstand, recover from, and adapt to a variety of adverse conditions, stresses, or compromises on systems.


I encourage you all to continue to learn about these approaches by accessing the following resources:



More to come on this soon!


