Australia’s CISC publishes risk assessment advisory for healthcare and medical sector

The Australian Cyber and Infrastructure Security Centre (CISC) released Tuesday the latest risk assessment advisory for critical infrastructure, this one focused on the healthcare and medical sector. The document covers risk in the critical infrastructure context, how to determine the criticality of assets, upstream and downstream interdependencies, understanding threats and hazards, risk controls and mitigations, and a suggested risk assessment methodology.

Stakeholders within Australia’s healthcare and medical sector must adapt their risk management strategies to ensure risks to the operation of assets critical to the nation’s economic and social well-being are being appropriately captured. The material has been designed to guide in assessing these types of risks to Australia’s critical infrastructure. “Through the provision of suggested risk assessment approaches, the material aims to assist sector stakeholders to adapt existing risk practices and help organizations understand risks within the broader national critical infrastructure context,” it added.

Growing digitalization and integration of medical devices in the healthcare and medical sector is increasing information and data sharing – as well as analytic efficiencies – but introduces new avenues for cyber attacks. The healthcare and medical sector also has access to highly sensitive personal information, including patient records and medical information, which is extremely attractive to cybercriminals, so critical infrastructure systems and assets must consider these risks and act to mitigate them appropriately.

The healthcare and medical sector is an upstream dependency of several other critical infrastructure sectors, which rely on its downstream services. An outage affecting a critical asset in the healthcare and medical sector could therefore have significant economic or societal implications, with effects including loss of life, reduced patient care, reputational damage, and financial and productivity loss.

In mid-May 2021, hospital computer systems and phone lines in New Zealand were affected by a ransomware attack. Some surgeries were postponed as a result and seriously ill cancer patients were flown to Australia for treatment. The ACSC Annual Cyber Threat Report – July 2019 to June 2020 identified healthcare as a leading target for cyber attacks in Australia, second only to the country’s government entities.

“Australia’s adversaries pose an increasingly sophisticated threat to our critical infrastructure and often look to exploit multiple vulnerabilities via multiple vectors in unison. Sector-wide convergence risks eventuate due to interdependencies within and across critical infrastructure sectors, as well as through other links, such as supply chain relationships,” according to the document. “Furthermore, convergence risks could exist within organisation due in part to internal silos or lack of integration of risk management capabilities.”

The CISC document proposes adopting an all-hazards risk management approach as the strategy for addressing convergence risks and ensuring that responses are comprehensive and integrated. “This requires collaboration between all stakeholders, including internal business units, sector and supply chain stakeholders, law enforcement, and emergency services. Organisations should leverage information from government stakeholders to appropriately consider appropriate threats and hazards.”

It also suggests that multidisciplinary approaches, collaboration, and integration are good practice to build into a critical infrastructure entity’s risk assessment.

For healthcare and medical sector critical infrastructure providers, determining which sites and components of an asset should be considered critical involves identifying and analyzing how the asset and its operations may be exposed to, or harmed by, threats and/or hazards, the CISC document noted. “This process is vital for all hazards risk management, providing input into the identification of plausible risk scenarios that may impact operations. The critical sites and components of an asset are ultimately those most vital to its effective functioning and therefore integral to Australia’s national security interests.”

The CISC document said that establishing criticality is intended to guide the allocation of resources so as to best protect the operational capability of the asset. It also noted that identifying important trends and technology drivers, and how they affect risk, can be challenging, since trends interact in unpredictable ways, at times with profound consequences.

The emerging trends include digital biomedical services being adopted to improve the speed at which medical research can be returned and the quality of medical guidance that can be provided to patients. Health outreach services are expanding to improve the healthcare and quality of life for Australians living outside major cities and suburban hubs, increasing the use of low-cost processing services such as transcription and radiology analysis. There are limited regulations or guidance for the use of these services, particularly those administered by overseas providers, and consumers of these services may not consider the security of the services they use.

Additionally, green health will gain momentum as environmentally friendly practices are incorporated into healthcare delivery, providing benefits for citizens and the planet. The trends also include patients and clinicians increasingly choosing between digital and in-person contact (the rise of telemedicine). Lastly, mental health is becoming a priority, as many chronic conditions are primarily caused by behavior, leading to an increased focus on behavioral medicine.

Other trends identified include electronic medical records (eMR) replacing existing paper-based practices to improve accessibility and clinical responsiveness. Cancer research, treatment, and prevention capabilities are being refined, providing continuous improvement in life-extending care, therapies and quality of life, and palliative care. Treatments for transmissible diseases are continually being developed, and consumer wearable devices that capture personal health information, stored locally or in cloud-based services, are proliferating.

Growing integration of third-party medical devices for information, data sharing, and data analytics is another factor. The document also considers software as a medical device, where software that controls or manages devices may introduce risk through misconfiguration, errors, or omissions in testing. The growing integration of AI in healthcare is a further factor.

The CISC document said that threats will increase and that the healthcare and medical sector, driven by improvements in technology and the need to meet commercial outcomes, will become more interconnected, so stakeholders in the sector will need to re-evaluate risks regularly. The healthcare and medical sector is especially susceptible to natural hazards and their associated risks because of its role in caring for persons affected by those hazards.

Due to interdependencies among different critical infrastructure sectors and assets, many risks must be managed collectively, the CISC document said. Many risks may be poorly addressed because their causes or effects are still misunderstood, because they are novel, or because there is a lack of guidance on how to address them. Accountabilities for addressing some risks may also be unclear. Some risks may be too rare to justify allocating resources to mitigate them. Finally, the consequences may be too large for any single entity to address by itself.

For a given healthcare and medical sector asset, the disablement of its resources can cause downstream issues in other sectors that are potentially vast and more detrimental to those industries than the direct damage to the asset itself. Ongoing analysis of risks can lead to a better understanding of mitigation strategies, including their application at the source. Business continuity planning, consequence management, emergency management, disaster mitigation, vulnerability assessment, insurance, and other related disciplines all provide a variety of possible actions.

Once an entity has identified controls and mitigation options, these should be continually evaluated and prioritized, particularly as threats and attack vectors evolve.

The CISC document also calls for the development of an implementation plan for risk controls and mitigations. The factors to weigh when prioritizing actions include ease of implementation, cost-effectiveness, whether the action creates new risks and/or unintended consequences, environmental impacts, multi-objective actions, long-term and short-term results, effectiveness, direct and indirect benefits, legal, regulatory, social and moral obligations, efficiency, equity and acceptability, and timing and duration.

Last month, CISC released a risk assessment advisory for the food and grocery sector. It assesses that the international and domestic threat landscapes continue to evolve, that natural hazards are becoming more prevalent with longer-lasting impacts, and that critical infrastructure networks continue to be targeted globally by both state and criminal cyber actors.

Earlier in January, the agency released a risk assessment advisory for critical infrastructure across the energy sector. The document emphasizes the requirement for stakeholders to modify their risk management approaches to guarantee that risks associated with the operation of assets essential for the country’s economic and social prosperity are identified accurately.