September 06, 2021
Warren Buffett observed that when the tide goes out, you can see who has been swimming naked. There are many examples in recent years of healthcare enterprises that have been unable to successfully protect against cyber threats, only for the tide to recede and reveal their lack of… anything much.
Hospitals have increasingly become targets, with attackers betting that executives will make swift payouts to restore lifesaving technology. As COVID-19 hospitalizations have soared since 2020, healthcare has seen more ransomware attacks than any other industry.
Hospitals say cyberattacks are complicating their operations and hurting profits, adding to pressure on a $1.2 trillion sector that is under heavy strain from the COVID-19 pandemic. Universal Health Services Inc. said a malware attack in late September cost the hospital chain $67 million last year before taxes. Universal Health says revenue dropped as patients went elsewhere for care, and it incurred expenses to restore its operating systems. The attack on Universal Health Services and those at other hospitals last year involved ransomware, malicious software that shuts users out of their own data, people familiar with the incident said. Hackers then demand payment to unlock it. During the attack at Universal Health last fall, the company shut down computer systems for medical records, laboratories, and pharmacies across 250 U.S. facilities, resulting in continued disruption for weeks.
At Sky Lakes Medical Center in Klamath Falls, Oregon, hackers struck in the last week of October. The hospital’s director of information services, John Gaede, received a phone call at 3:30 a.m. alerting him to the attack. They raced to contain the malware and were able to halt the spread, but doctors and nurses were left without access to computerized medical records. Results from magnetic-resonance imaging and other scanning equipment that doctors use to diagnose diseases were also taken offline.
Nowhere is resilience on better display than in nature. Trees are designed to bend but not break under the weight of snow or high winds. Our bodies automatically clean our blood, renew our cells, and formulate a response when unwelcome viruses and bacteria try to take hold.
Nature is inherently designed for resilience, and we believe it’s time for healthcare organizations to take a similar approach to security.
This requires a move from a posture of cybersecurity to one of Cyber Resilience.
Nature was designed with the recognition that things can and inevitably will go wrong. This is equally true of security incidents, as there is no question that they will occur. When we erect virtual walls aimed at thwarting every invasion, we are working to achieve the unattainable goal of cyber certainty.
The better approach? Architect systems and processes for Cyber Resilience. In other words, design the actual assets to be difficult to attack, to minimize impact and potential loss when an event happens, and to continuously deliver the intended capability—no matter what.