Cybersecurity holds immense significance in today’s digital and technologically advanced era as information and technology are the backbone of society. This holds particularly true in public health, establishing the need for robust cybersecurity resilience within the field which is what every public health organization desires to attain. This article delves into what cybersecurity resilience means, the significance of cybersecurity resilience, the role of public health security culture, strategies to attain the holy grail of cybersecurity resilience for public health, and the seven dimensions for archiving a positive security culture.
What is Cybersecurity Resilience
The National Institute of Standards and Technology (NIST) defines it as “the ability to anticipate, withstand, recover from, and adapt to adverse conditions, stresses, attacks, or compromises on systems that use or are enabled by cyber resources.”
The Significance of Cybersecurity Resilience in Public Health
As time passes, the frequency of cyber risks has risen, with bad actors becoming more advanced in their techniques. The focus is now on establishments that handle sensitive data, such as public health and research organizations. The potential outcomes of a cyberattack on public health can be dire, including compromise of information such as patient data, leading to a lack of trust in healthcare providers and could disrupt smart medical services and treatments, which could potentially llead to loss of life.
According to Perry Carpenter ‘s (Chief Evangelist for KnowBe4 Inc) article with Forbes, Just as the immune system helps protect against harmful bacteria and viruses, organizations too need to build immunity to not only defend against external and internal threats but to train people and build the processes and technologies to respond, recover, learn and emerge stronger from cyberattacks, disruptions, leaks and data breaches.
It is of utmost importance to ensure a strong level of cybersecurity resilience to protect the public health infrastructure and ensure that health-related information remains confidential, integral, and available. Having these is crucial for every public health organization or establishment because being proactive is a vital element in achieving resilience. To attain cybersecurity resilience levels comparable to NCSC and NIST, one must establish appropriate infrastructure. The utilization of threat intelligence technology is exceedingly advantageous for all types of preventative risk mitigation and remediation.
The Role of Public Health Security Culture
The concept of public health security culture refers to the shared values, norms, attitudes, and social behaviors that influence an organization regarding cybersecurity. It involves instilling a collective sense of responsibility and awareness of cyber risks among all employees, from frontline healthcare workers to administrative staff. By cultivating a strong security culture, organizations can adopt a proactive and vigilant approach to cybersecurity that supports resilience and enables them to successfully prevent, detect, respond to, and recover from cyber threats.
Strategies for Attaining Cybersecurity Resilience Culture in Public Health
Viewing culture as a customary modus vivendi suggests that adopting these approaches should become a habitual practice among those involved in the area of public health. It needs to be a tenet – “Let this book of the law shall not depart from your mouth, but you shall meditate on it day and night, so you will be sure to obey everything written in it. Only then will you prosper and succeed in all you do”. The need for consistent and repeatable processes cannot be overemphasized. Only then will reduce your risk Here are some approaches to adopt for achieving a lifestyle that promotes cybersecurity resilience:
- Leadership Commitment: Establishing a culture that is resilient to cybersecurity threats requires unwavering dedication from leaders. To ensure cybersecurity resilience culture forms a crucial component of the organization’s operations, the senior management should give priority to it, lay out clear policies, and allocate adequate resources.
- Education and Training: Primarily focusing on human involvement, as they are intertwined with both the problem and solution in most cases. Therefore, while the IT/Security team bears a significant responsibility in safeguarding organizations, it is also imperative that non-IT staff are equipped with the necessary knowledge and training to efficiently utilize technology for precise diagnosis and treatment of patients. However, such individuals may require guidance on cyber threats and their implications. Implementing regular cybersecurity awareness programs, training sessions and simulated exercises can increase employees’ comprehension of cyber threats, appropriate security measures and how to react in the event of a security breach. Public health organizations should ensure their staff are always trained and retrained on Phishing awareness training.
- Continuous Risk Assessment: To ensure maximum security, it is crucial to constantly reassess and improve security strategies, perform penetration tests, and keep up-to-date with the latest threats and recommended procedures.
- Incident Response Planning: Creating a proficient strategy for addressing incidents is crucial to limit the influence of cyber-based events. It is imperative for organizations to set well-defined guidelines for monitoring and addressing cybersecurity breaches, including the roles and responsibilities of staff, communication channels, and recovery processes.
- Collaboration and Information Sharing: Public health organizations must promote cooperation and exchange of information with other healthcare entities, governmental bodies, and cybersecurity professionals. Improving collective resilience and tackling shared vulnerabilities within the sector can be achieved through sharing knowledge, experiences, and best practices.
- Regular Evaluation and Improvement of Security Policy: Continuous efforts are necessary to attain and maintain resilience in cybersecurity. By constantly evaluating the efficiency of security protocols, response to incidents and staff compliance, organizations can pinpoint areas that require enhancement and modify their tactics correspondingly. It is sometimes necessary to incorporate simulation exercises into the evaluation process, wherein CISOs or CIOs can replicate ransomware or other types of cyberattacks to gauge the organization’s risk level and measure how its members react to the situation.
- Make Security a Fun-filled activity: Typically, people tend to regard anything related to “training” with a certain degree of solemnity, especially when it comes to “security training” which is often considered tedious. When faced with the risk of being flagged by HR, employees often undergo training with a superficial “check-box approach”. To ensure a comprehensive security plan, involve the staff in policymaking, as this will instill a feeling of ownership and enhance their commitment. Also, grant direct communication between the IT or security team and the staff, and lastly, recognize and incentivize any achievements. Offer incentive-based security drills in which individuals who succeed are given rewards.
Seven Dimensions for Archiving a positive security Culture.
KnowBe4’s Chief Evangelist and Strategy Officer
While improving and protecting community health and well-being remains a priority, cybersecurity is not currently the primary focus of public health and healthcare professionals, who are primarily committed to saving lives and delivering high-quality care. However, ensuring strong resilience in cybersecurity is a crucial element of cultivating a culture that prioritizes public health security. Research shows that as security culture improves, organizations are less likely to fall victim to cyberattacks and employees have increased confidence in their organization’s ability to handle those threats.
By cultivating a sustainable, potent and persistent security culture, healthcare experts and public health institutions can effectively carry out their crucial responsibilities while significantly promoting their capacity to protect essential systems, secure confidential data, and mitigate the risks posed by cyber threats. Achieving strong cybersecurity resilience within the public health sector involves various crucial components, including devoted leadership, ongoing education and training, a thorough evaluation of potential risks, effective and practical strategies for responding to incidents, collaboration, and a dedication to continual assessment and enhancement. Attaining this holy grail would empower public health organizations to adeptly navigate the intricate cybersecurity terrain and safeguard the protection and welfare of the people and societies they cater to.