Our friend Justin Snair had a great article in Domestic Preparedness magazine earlier this year in which he outlined why all of us in public health need to improve the quality of our cybersecurity defense. And since October is Cybersecurity month in the U.S., we wanted to provide a closer look into why it’s so important to protect your departments and yourselves against those who would hack our systems.
“Cyberattacks can threaten lives and result in losses of integrity, availability, confidentiality, and physical destruction of assets,” he wrote. They also erode the trust and confidence communities have in health departments and can introduce legal and other liabilities when breaches of protected patient health information occur.
He pointed out that reports of cybercriminals attacking entire local and county government systems have become more common in the past year, including a cyberattack in Dallas that managed to set off all 156 emergency alarms in the city, a ransomware attack in Mecklenburg County, N.C., that slowed the county government to a crawl, and another in Atlanta that disabled critical systems.
Those and other cases of attacks on public health departments make it clear that the potential of cyberattacks should be part of our all-hazard planning, beginning with the following questions:
- What is the role of an LHD in cybersecurity incidents?
- What are the most critical systems at risk of compromising public health in the event of a cyberattack?
- If a cybersecurity incident occurred, could LHD operations continue?
- Does the community have contingency plans in place for a cyberattack?
- Who at the state and federal levels of government should be contacted regarding a cyberattack?
- Would a cyberattack trigger the activation of the emergency response plan?
- Who is identified as the community lead in such an event?
- Does the community emergency operations plan include an air-gapped network and equipment (i.e., a physically isolated secure computer network)?
- Will a county or local community pay in the event of ransomware? If not, is it prepared for consequential data loss and privacy breaches?
- When should the public be notified and what information should be shared about cyber incidents?
The roughly 2,750 local health departments across the nation are responsible for a wide range of crucial services to their communities, including food safety, vaccinations, epidemiological surveillance, disaster preparedness planning, emergency response, laboratory testing and many others. Imagine if some or all of those services were suddenly unavailable because of an attack.
If you are feeling left behind, here are some resources that you might find useful:
- The Cadmus Group has published several cyber-related articles, such as When Pandemic Management Meets Cybersecurity and Embrace the Cyber Security-Physical Security Nexus, which help raise awareness about cyberthreats to public health departments and governments.
- The American Public Health Association published Public Health Increasingly Facing Cybersecurity Threats: Health field a top target for attacks, presenting some of the risks encountered with a public health cyberattack.
- Cyber Georgia 2017, an annual convening of industry, academia, and government to examine cyberthreats, presented the panel discussion Cybersecurity and Public Health, Emergency Preparedness and Response, which examined hospital and public health department preparedness for emergencies and simultaneous denial of service attacks.
- Snair’s company, SGNL Solutions, and LAR Consulting developed the Local Public Health Department Discussion Guide for Cybersecurity and tested the prototype with public health professionals during a workshop at the 2018 Preparedness Summit earlier this year. They are awaiting funding to roll out the discussion guide.
Bio-Defense Network has relationships with both SGNL and LAR Consulting and would be pleased to help you think through your cyber planning. It’s never too soon to prepare for a cyberattack, and no one wants to be too late.