Cyber COVID-19 – You’re up next
We’ve all been through a lot lately. If you’re like me, part of you is anxiously asking what’s next, and the other part is wishing or praying for peace and a return to normalcy. Well, our good friends at the World Economic Forum (WEF) recently published a report detailing a scenario so dire we cannot afford to ignore it. Here are the key points.
WEF hypothesizes that a COVID-19 style cyberattack, or an attack with a similarly contagious profile, would be devastating to the world economy. In other words, a global cyberattack designed to spread rapidly, say, through a social media app or another widely installed application, would cripple the world economy for months. The attack would likely begin with a zero-day exploit, or with malware that lies dormant while it quietly spreads and then launches its payload globally at a set time. The only defense for many would be to disconnect their devices from the internet. Any machine still connected could harbor the malware, allowing it to propagate again as cleaned devices rejoin the internet. Netblocks.org estimates the global cost of such an event at $51 billion a day. In under 20 days, the total would pass $1 trillion. Catastrophic indeed.
Four points to consider
First, we have already witnessed, across various attacks, all of the technology necessary to execute such an attack: zero-day proliferation, millions of impacted devices across all platforms, and attacks capable of wiping data and destroying devices. Add a malicious nation-state with unlimited funds, and you have the formula that makes such an attack inevitable.
Point number two. We recently purchased hardware from Dell for clients. Each time, we’re told the delivery date could slip by months as they wait on components from China. In 2018 China produced 90% of the world’s mobile phones, 90% of its computers, and 70% of its televisions, and most other devices contain components made in China. The message here is simple. We MUST make manufacturing of these components in the US, or at least in North America, mandatory. We WILL NOT survive an attack like this if we cannot replace destroyed devices domestically. We all watched as American industry rallied to produce ventilators. Building computer chips is not so simple. It requires clean rooms, sophisticated machines we don’t even manufacture, and more. Solving this problem is a decades-long endeavor that we must embark upon with a sense of urgency.
Third, you play a role in this. Keeping your own cyber-house clean is imperative. Practicing proper cyber-hygiene at home and at work is as critical as washing your hands and not touching your face.
Fourth, we need to re-think what we’re doing with disaster recovery for our businesses. You need to be prepared to run completely offline, potentially even without power. If your contingency plan involves continuing to see patients, here’s what you need to consider. If you are using a cloud-based EHR, Office 365, or Google Docs, you had better be backing them up. If Google or Microsoft are taken down and you don’t have backed-up copies of your information, you’re out of business until they restore you, and replacing destroyed hardware could take them weeks or months. Then comes the issue of power. In all likelihood, such an attack would also target our infrastructure, including the electrical grid. If your plan is to render care or otherwise keep the lights on, you need to prepare for that. Being prepared includes a backup and disaster recovery (BDR) device. While you may lose access to your web-based EHR, your BDR can keep all of your other data available. Even if your BDR is in a datacenter, like ours, you can have a drive (encrypted, of course) shipped to you with all of your critical data for local access. If internet access is restored, you’ll have access to your data at our datacenter, because our DC has redundant power generation and can run in isolation from the power grid if needed. The point is this: you need to prepare for the eventuality of such a scenario. If you’re a healthcare organization planning to provide care, you owe it to your community to address this sooner rather than later.
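A backup you cannot prove is intact is not a backup. The script below is an added example, not code from the original post or from any vendor’s BDR product: it builds a SHA-256 manifest over an exported backup set (for example, the files on an encrypted drive shipped from a datacenter), then verifies that set offline and reports any file that is missing, altered, or unexpected. The file names, directory layout, and file contents are constructed for the demonstration and are not real patient data.

```python
"""Integrity manifest for an offline backup set (added example, not the post's code)."""
from __future__ import annotations

import hashlib
import json
import tempfile
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"  # assumed name; kept out of the manifest itself


def sha256_file(path: Path, chunk: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large exports don't have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def _data_files(root: Path) -> list[Path]:
    """Every regular file under root except the manifest, in a stable order."""
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name != MANIFEST_NAME)


def build_manifest(root: Path) -> dict[str, dict]:
    """Map each file's path (relative to root) to its size and SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): {"size": p.stat().st_size, "sha256": sha256_file(p)}
        for p in _data_files(root)
    }


def write_manifest(root: Path, manifest: dict[str, dict]) -> Path:
    """Persist the manifest beside the data; keep a second copy off the drive in practice."""
    out = root / MANIFEST_NAME
    out.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return out


def verify_backup(root: Path, manifest: dict[str, dict]) -> list[str]:
    """Return a list of problems; an empty list means the set matches the manifest."""
    problems: list[str] = []
    for rel, expected in manifest.items():
        path = root / rel
        if not path.is_file():
            problems.append(f"missing: {rel}")
            continue
        if path.stat().st_size != expected["size"]:
            problems.append(f"size mismatch: {rel}")
            continue
        if sha256_file(path) != expected["sha256"]:
            problems.append(f"hash mismatch: {rel}")
    # Files present on the drive but absent from the manifest are also worth a look.
    present = {p.relative_to(root).as_posix() for p in _data_files(root)}
    problems.extend(f"unexpected file: {rel}" for rel in sorted(present - manifest.keys()))
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed backup set, verify it clean, then verify it after tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr").mkdir()
        # Constructed sample content; same-length edit below changes the hash, not the size.
        (root / "ehr" / "patients.csv").write_text("id,name\n1,Sample Patient\n")
        (root / "mail.pst").write_bytes(b"\x00" * 4096)

        manifest = build_manifest(root)
        write_manifest(root, manifest)
        reloaded = json.loads((root / MANIFEST_NAME).read_text())
        clean = verify_backup(root, reloaded)

        (root / "ehr" / "patients.csv").write_text("id,name\n1,SAMPLE Patient\n")
        (root / "mail.pst").unlink()
        tampered = verify_backup(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean set:", before or "OK")
    print("tampered set:", after)
```

Run the manifest build when the drive is prepared and the verification when it arrives, and keep a copy of the manifest somewhere other than the drive itself; a manifest that travels only with the data can be rewritten along with it. Verification proves the files match what was shipped, not that the export is complete or that your EHR can actually import it, so a periodic restore test on an offline machine is still required.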
No one likes to think about worst-case scenarios, but being unprepared when such a scenario hits is far worse.
I encourage you to remain optimistic about the future. There are better days just around the corner. Go out and enjoy the sunshine.
If you have any questions or if you are concerned about your organization’s cybersecurity, give us a call at (800) 970-0402. We’ll be happy to help.
For more HIPAA information, download our ebook – The Ultimate HIPAA Compliance Handbook.
The HIPAA Security Rule requires covered entities to implement a security awareness and training program for all members of their workforce (including management). Have your team sign up for our weekly HIPAA Security Reminders to help stay compliant.