As medical experts search frantically for a vaccine to curb the ever-persistent spread of Covid-19, the healthcare industry is simultaneously having to battle an onslaught of cyberattacks, writes Jonathan Knudsen, senior security strategist at Synopsys.
Unfortunately, cybercriminals rarely observe ethical boundaries; they target the organisations that promise the greatest reward. With a wealth of sensitive and valuable patient data, the healthcare industry inevitably finds itself a prime target. Moreover, as healthcare critical infrastructure is already stretched thin, an attack would wreak havoc and could even cost lives.
There is no question then that these organisations need to dedicate greater attention to their cybersecurity initiatives. This is particularly true as the sector continues to undergo a digital transformation in an effort to improve patient convenience, streamline operations and lower costs.
However, most organisations put the onus squarely on the shoulders of their security teams. This operational model sets these organisations up to fail as it produces friction with product teams, leads to missed deadlines and simply cannot scale.
Consider the ill-fated trajectory of the fictional Company X.
Set Up to Fail
Company X is a well-established enterprise offering diabetes care. Specifically, they support patients with glucose monitoring. Over the years, they have helped to improve the efficiency of the process, moving away from the use of lancets to sensors that alert users in real time of dangerous blood sugar levels.
In the next couple of years, they will look to add network connectivity to enable more comprehensive and sophisticated real-time health checks.
This move would be revolutionary; one that could expand beyond the diabetes market, and benefit the general public. Nevertheless, this network connectivity raises significant cybersecurity concerns, and rightly so.
Management at Company X makes the smart decision of hiring a chief security officer (CSO) and establishes a team of leading cybersecurity experts to oversee the security of its products. They then pat themselves on the back and leave the rest to the security team.
The company’s product development team goes back to doing what it does best – innovating. Meanwhile, the security team is bolted on to the end of that work. It brings in the latest security testing tools for source code analysis, software composition analysis and fuzzing.
When a product makes it to the end of its development life cycle, they step in and run the tests, report their findings and make suggestions for improvements and mitigations.
Adding security as an afterthought, however, creates gridlock in the overall development process. Security testing depends on a single team, and when that team finishes testing it uncovers an overwhelming number of concerns.
This sends developers back to the drawing board, because fixes are hard to carry out at so advanced a stage of development. By this time, product teams may already have begun work on another product.
With little understanding of the security team’s findings, the product team may fail to recognise the importance of resolving them properly. Facing intense pressure to bring a product to market, it might ask the security team to prioritise the issues and commit to fixing only the worst ones.
The two teams butt heads, and the motivation to maintain security deteriorates. The CSO lies awake at night, and the stress takes its toll on his or her personal life.
In the end, products ship with vulnerabilities, shattering the company’s hard-earned reputation, and its stock price plummets. Darker still, lurking cybercriminals exploit those vulnerabilities, resulting in patient injury and death.
This disastrous scenario is the product of one simple misunderstanding: that the security team should be the sole bearer of risk. Security is everyone’s responsibility. The trouble with that principle is that when everyone is responsible only in name, nobody steps up to help.
As such, a culture of cybersecurity needs to be established, so that security becomes second nature and is practised at every stage of the product development cycle by everyone involved. Healthcare organisations already cultivate a culture of patient safety; this is no different.
In such a set-up, the security team helps automate security testing and integrate it into the development process. Product teams can then identify vulnerabilities as they appear and address them immediately, using existing workflows and processes.
This significantly reduces friction and allows secure products to reach the market swiftly.
Much like a vaccine teaches the body to strengthen itself against a disease, security teams assist in spreading knowledge and expertise across the organisation.
A strong and happy security team will create a Secure Software Development Life Cycle (SSDLC) and support product teams in its implementation, as well as define security policies for products. They will also be the experts in cybersecurity and security testing tools, educating the organisation on these, while integrating results into existing workflows.
It is only when expectations are set straight that the security team, and the organisation as a whole, can thrive.