Page 52 - GCN, May 2017

CYBERSECURITY
If a patient has an internal, connected medical device that he or she doesn’t want to use, but the patient’s doctor decides to turn it on, “who’s then controlling the device?” she asked.
In other words, should end users be able to make decisions about compliance, whether they apply to vaccinations or firewalls?
“I think the actual context for public health as a cybersecurity problem has become a real one,” Lawler said.
THE DNA OF CYBERTHREATS
Government security managers say the relationship between health care and security is revealing new ways of thinking about meeting the challenges of both disciplines.
“If we dig into malware and look at its ancestry or its history or the chromosomes and DNA that make it up, we learn about what are the other types of damage it can do, how does this thing behave,” Phyllis Schneck, former deputy undersecretary for cybersecurity and communications at the Department of Homeland Security, told the ISMG Security Report.
“We are going from a typical intrusion-detection scenario where you need to have a vaccine” to automated, self-healing networks that can recognize when “something is probably bad and study it or attack it on their own,” Schneck added.
In Lawler’s opinion, containing security threats requires the same strategies needed to contain an outbreak of disease.
When scientists are trying to contain a disease, they must first identify where the outbreak started, how it’s spreading, how to treat the patients infected and how to stop its continued movement. Those are the same questions cybersecurity experts must answer about breaches and how to prevent further data loss.
Another shared tenet of the health care and cybersecurity communities is the mission to influence end-user behavior.
Even the Federal Risk and Authorization Management Program (FedRAMP), the government’s omnibus solution for cloud security, has epidemiological significance, said Lawler, who called it “an excellent example of trying to standardize a minimum set of requirements in order to be able to take on certain levels of sensitivity of data.”
As with other control systems, however, success depends on the implementation and consistency of the program, which can falter prematurely.
“You have this point in time where everything is static and perfect, and then entropy takes over after that,” she said. “I don’t know if FedRAMP uses the notion of checkups, but it’s never going to be as good as the first year you went through it.”
BEHAVIOR MODIFICATION
Lawler said she believes cybersecurity practitioners often get caught up in choices about perfect security versus security that’s good enough. “What we end up with is disparities in systems,” she added.
“Some are extremely well protected and guarded, and some systems are not — not because there are not enough resources put toward that, but because everything is now interconnected in this web, the exploits can quickly move from one point to another,” Lawler said.
Furthermore, “we really don’t use the same kind of behavior modification methods that public health typically uses in improving cybersecurity,” Lawler said. “That’s another area in which certainly cybersecurity folks could learn from public health people, who’ve been able to make modifications both through legislation but also education.”
Ultimately, she advocates investing in public resources to promote healthy cybersecurity practices and technologies, much like the U.S. Public Health Service addresses acute events such as natural disasters and chronic events such as heart disease or smoking.
“I think we need something similar to set the bar for cybersecurity because otherwise...free-market sources often push cybersecurity off to the end,” Lawler said.








































































