Life Safety Above All Else

Posted January 7, 2019 by Sayers 

Years ago, when I sat for my CISSP, I went into the exam carrying two bits of advice offered to me by a mentor:

#1.  In matters of security, choose the most conservative path.
#2.  Life safety above all else.

Critical infrastructure providers, and more specifically Healthcare and Public Health (HPH) providers, have rightfully followed these bits of advice whenever possible.

However, in our effort to limit the potential impact on life-safety equipment, more often than not we are forced to offer security concessions, merely trust the FDA guidance, and hope a given medical technology doesn’t provide some obscure vector into our protected environments, especially those environments purposed for patient care.

Fortunately, security solutions are evolving and adapting to provide security professionals deeper insight into these environments, and the full solution footprint, while simultaneously reducing the potential for impact against those same environments. The net result is we, security professionals, are quickly reaching a point where we can effectively build a security program around life-safety and patient care technologies.

But, how do we develop this strategy? Until now, there’s been a significant lack of comprehensive and consistent direction.  

In an effort to solve this ongoing challenge, the U.S. Department of Health & Human Services, partnering with industry, published voluntary guidance entitled: “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients”. This guidance provides insight into five major threats to this industry, including the related threats to life safety, along with a list of highly effective mitigation strategies to address those same threats.  

The 5 cybersecurity threats the HHS identifies that are impacting the HPH sector the most are:

1.  E-mail phishing attacks 

2.  Ransomware attacks 

3.  Loss or theft of equipment or data 

4.  Insider, accidental or intentional data loss 

5.  Attacks against connected medical devices that may affect patient safety

We welcome this resource to the cybersecurity community to help provide industry-specific actionable guidance, and this guidance significantly closes the knowledge gap on what it takes to lay the foundation for a strong cybersecurity strategy in the healthcare industry. 


As we work to build this foundation, leveraging the experience of other industry professionals, as provided in the publication mentioned above, becomes fundamental in maturing our own security strategies. Couple this with effectively leveraging our partners and providers, and we no longer have to offer the concessions we’ve had to offer in the past. The result is that we can effectively secure our healthcare environments while maintaining our keen focus on matters of life-safety and patient care.

Additional Resources:

  • Resources and Templates: The Resources and Templates portion includes a variety of cybersecurity resources and templates for end users to reference
