Should You Worry About an Iranian Cyber Threat?
By Matthew Baker, Director of Information Security
January 14, 2020
The new decade has opened with what has been described as the most perilous moment in the past forty years of US and Iranian relations. Long-simmering tensions have progressed to drone strikes and missile launches. While, as far as we know, the conflict has not escalated beyond conventional military strikes, Iran possesses the capability, motive and prior experience necessary to conduct retaliatory cyber attacks against US infrastructure and businesses.
If that were to happen, how would PolicyOwners and the broader healthcare industry be affected? While it is unlikely that any MagMutual PolicyOwner would be directly or exclusively targeted by Iran, there is a chance that you could become a victim, either by way of "collateral damage" from an attack against other targets or through broad-based, indiscriminate attacks. The impact to you could range from a nuisance (e.g. a single, low-criticality computer on your network affected by ransomware) to a catastrophe (e.g. all computers rendered useless by malware, your cloud-based electronic medical record unavailable, etc.). If there is any silver lining from this situation, it is that, despite their capabilities and resources, Iran does not typically employ methods of attack that are able to defeat well-implemented, common security controls. PolicyOwners who have been investing time and money in security and risk management programs are likely to enjoy an existing measure of protection. Regardless of your security maturity, we recommend that you focus on the following control areas to protect yourself from potential threats:
1. Conduct regular data backups. If an Iranian-borne "worm" were to destroy or hold hostage every computer in your environment, you would be able to acquire new computers and restore your data to resume operations. If you are using mostly cloud-based systems and have little to no medical or business data stored on your local computers, the provider of those cloud applications should be able to provide you with evidence that your data is being adequately backed up. For any data stored locally on computers in your office, you should confirm the existence of, or you should implement, an appropriate system to create and manage your data backups. This could be as simple as copying all relevant data to an external hard drive that you store in a fireproof safe. Generally speaking, you should conduct backups often enough that your operation can revert to them without losing too much work. Backups should be unalterable once created. Finally, the viability of the backups should be verified at least annually either in a simple restoration test or as part of a comprehensive test of your disaster recovery capability.
2. Apply software security fixes. There is a possibility that an Iranian-based cyber attack would involve a previously unknown security vulnerability in popular software (also commonly referred to as a "zero day"). Were this to occur, the maker of the software would create and publish a fix as quickly as possible (a process known as "patching"). Applying these security fixes on both a routine and, when warranted, an emergency basis dramatically reduces the likelihood of experiencing a serious issue. As with data backups, your cloud providers should be willing and able to demonstrate to you that they are applying these fixes with appropriate timing and urgency. If you’re unfamiliar with this type of maintenance activity, speak with the providers of your computers and network-connected medical equipment to ask them how such fixes can be routinely acquired and applied.
3. Employ appropriate security measures for remote access. Remote access to networks is increasingly common. If you depend on a vendor to install and maintain your computers or network-connected medical devices, they probably want to be able to connect to those assets without having to physically visit your offices and may implement certain programs and/or network configurations to enable remote access. If left open and unattended, these remote connections could allow threats, such as the one posed by Iran, to have a highly disruptive impact on your practice. While there’s no reason to eliminate remote access, certain principles should be observed. Avoid allowing it to be initiated without your control. If possible, request that you initiate or approve all of your vendor's remote sessions into your networks. Another option is to establish a recurring time when the remote access can be activated for routine maintenance activities. If possible, request that your vendor use remote-management tools that require strong authentication (e.g. use of strong passwords and a second factor such as a code sent via text message) before their access is granted. These types of remote connections, if implemented and managed correctly, can provide a highly efficient and effective means of support by your vendors.
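For item 1, the "simple restoration test" can be made objective by recording a checksum for every file when the backup is taken and comparing a test restoration against that record. The following Python sketch is an added example, not part of the original article or any MagMutual tooling; the script name, the `record`/`check` commands and the directory layout are assumptions.

```python
import hashlib
import json
import sys
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (by relative path) to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_restore(manifest: dict, restored_root: Path) -> dict:
    """Compare a test restoration against the manifest recorded at backup time."""
    current = build_manifest(restored_root)
    return {
        "missing": sorted(manifest.keys() - current.keys()),
        "altered": sorted(k for k in manifest.keys() & current.keys()
                          if manifest[k] != current[k]),
        "unexpected": sorted(current.keys() - manifest.keys()),
    }


def restore_ok(report: dict) -> bool:
    """A restoration passes only if nothing is missing, altered or unexpected."""
    return not any(report.values())


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   verify_backup.py record <data_dir> <manifest.json>
    #   verify_backup.py check  <manifest.json> <restored_dir>
    if len(sys.argv) != 4 or sys.argv[1] not in ("record", "check"):
        sys.exit("usage: record <data_dir> <manifest.json> | check <manifest.json> <restored_dir>")
    if sys.argv[1] == "record":
        # Keep the manifest somewhere other than the backup drive itself.
        Path(sys.argv[3]).write_text(json.dumps(build_manifest(Path(sys.argv[2])), indent=2))
    else:
        report = verify_restore(json.loads(Path(sys.argv[2]).read_text()), Path(sys.argv[3]))
        print(json.dumps(report, indent=2))
        sys.exit(0 if restore_ok(report) else 1)
```

A non-empty "altered" or "missing" list after a restoration test means the backup either changed after it was created or cannot be fully recovered, which is exactly what the annual check is meant to surface.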
The cyber threat posed by Iran is serious, but has also been somewhat sensationalized. As our world has become increasingly interconnected and dependent on technology, a consistent vigilance against the full spectrum of threats (from routine to sophisticated) is recommended by all authorities and experts. Focusing on the above security measures can go a long way towards protection of your practice and all that it comprises (your livelihood and income, your patient and staff privacy, etc.). Yet it is only a starting point. Resources such as the NIST Cyber Security Framework (CSF) can help you to implement a robust set of security measures that you can be confident in. Keep your eye on the Iranian threat, but know that it is just one of many that you will face as time goes on. Make the choice to improve your security controls today so that you remain resilient in the face of current and future threats, both known and unknown.
The information provided in this resource does not constitute legal, medical or any other professional advice, nor does it establish a standard of care. This resource has been created as an aid to you in your practice. The ultimate decision on how to use the information provided rests solely with you, the PolicyOwner.