On doctors’ orders, Israel plans a health care CERT
TEL AVIV—If you listen to doctors who faced the WannaCry ransomware attack on the front lines of emergency rooms across England last year, it’s a minor miracle that the inadequate care it caused didn’t result in any patient deaths.
Israel has chosen to heed their warning by creating a health care cyber emergency response team, or CERT, to lay out how administrators and doctors should respond to the next destructive cyberattack.
CERTs, also known as computer security incident response teams, or CSIRTs, are groups of experts who are empowered to make decisions about how to plan for a computer crisis, and then take action during crises.
“A CERT is like FEMA for cyber,” says Beau Woods, a cybersafety fellow at the Atlantic Council policy think tank. “An emergency or disaster happens, and you’re helping to repair it. You’re providing some of the same types of capacities as rolling in water trucks.”
If implemented, Israel’s would be the fourth health care CERT run by a national government, following those of the Netherlands, England, and Norway, says Ophir Zilbiger, partner and head of the Secoz Cybersecurity Center at the Tel Aviv branch of business consulting firm Binder Dijker Otte.
CERTs establish protocols during cybersecurity emergencies, Zilbiger, whose arm of BDO specializes in CERT development for public and private organizations, tells The Parallax. And establishing protocols for health care requires evaluating Internet-connected medical programs’ “unique” needs—and how they impact “human life.”
“We’re looking at how to ensure the resilience of the whole health sector,” he says. “Which are the critical components of the health sector in an hour of need?”
The United States developed the first CERT in the aftermath of 1988’s Morris computer worm, which slowed computers down around the world to the point of being unusable.
Today, most technologically advanced countries and some large private businesses have at least one CERT as a broad catchall to manage cybersecurity crisis incidents, from widespread ransomware infections to targeted attacks against power plants or transportation systems. CERTs can respond to incidents involving email, phones, websites, and connected devices, and they’ve been credited with reducing the ultimate harm large-scale computer security incidents are expected to cause.
According to a 2017 study, a CERT’s performance in responding to an immediate threat largely depends on how well the team communicates. And in part because CERTs specializing in fields like industrial-control systems or health care are designed to communicate more effectively than catchall CERTs, many countries today are establishing them.
A CERT specializing in health care can also help address how to secure the exploding market for Internet-connected medical devices. BDO recommends that health care organizations keep Internet-connected devices away from the broader Internet, Zilbiger says, essentially creating a “medical-device firewall.”
“What we’re looking at are ways to segregate these medical devices from the general-purpose network as part of the methodology,” he says, “then deploying innovative technologies, such as those from some of the cybersecurity startups that specialize in securing medical devices.” Such a policy would mimic “the way that other companies secure a network from the Internet.”
It remains far from clear how popular health care CERTs will become. In the United States, the Health Care Industry Cybersecurity Task Force last year proposed establishing one called MedCERT. The Food and Drug Administration, meanwhile, is pursuing the development of a CyberMed Safety (Expert) Analysis Board, or CYMSAB, “a public-private partnership that would complement existing device vulnerability coordination and response mechanisms, and serve as a resource for device makers and [the] FDA,” as part of its Medical Device Safety Action Plan, an FDA representative told The Parallax in an emailed statement.
“The CYMSAB would complement already-existing coordination and response mechanisms, such as those leveraged by DHS’ NCCIC [National Cybersecurity and Communications Integration Center] and the FDA’s Center for Devices and Radiological Health, without being duplicative,” according to the statement. “The FDA recognizes that the difficulty in getting to ‘ground truth’ results in a protracted disclosure time frame, delaying the ability of stakeholders to deploy mitigations and complete remediations, leaving patients at risk.”
Woods cautions that the CYMSAB may leave out the perspectives and experience of the doctors and other medical professionals who are working in clinics and hospitals.
“If you’re a doctor, you may be aware of [a] protocol that may be different or better” than what’s recommended by a plan focused on device security, he says. Given “how vulnerable and exposed health care is right now, and the high dependence on less dependable technologies, there’s probably more of a need for a CERT in health care than other sectors.”