Interview: David Sandell on why the Australian healthcare sector needs a dedicated ISAC

Ahead of sitting down to chat with David Sandell, CEO of CI-ISAC, a critical infrastructure not-for-profit, pointed out that the majority of entities covered by the Security of Critical Infrastructure Act are in the healthcare sector.

That’s 7,900 out of 11,000 organisations, totalling more than 6,300 GP clinics, 601 private hospitals, and 746 public ones.

At a time when the global healthcare industry is facing the greatest costs when it comes to data breaches – not to mention the sensitive data the industry holds – the federal government has opened a grant application process to set up a dedicated Information Sharing and Analysis Centre (ISAC) for the sector.

Sandell believes CI-ISAC is perfectly positioned to take on the job.

Cyber Daily: Can you start with a rundown of what an Information Sharing and Analysis Centre does, and how it supports its members?

David Sandell: It’s all about gathering threat intelligence. We do that centrally, do the analysis, and push out advisories to the members of CI-ISAC. So what does it mean to them? How urgently do they need to do something? What do they do about it?

The two key differentiators with anything else that’s really out there at the moment is that context. So helping them prioritise, because, as you would know from covering cyber, there’s just a fire hose of stuff, and you can’t keep across all of it and then the recommendations. So this is really important, and it’s going to feed into our health sector bid.

You kind of need that understanding of systems and cyber security to basically figure out … What are the controls, what are the gaps? How do I actually mitigate this threat? How do I deal with it longer term? We do all that centrally – every single member who gets an advisory is getting the value of that knowledge having been curated and built in one place, whereas a lot of the other stuff going on is just flinging around information.

VIEW ALL

Everyone needs to sit down and understand that there’s always an internal assessment. So we’ll tell you what the threat is. We’ll tell you what to do about it. You still need to look at your environment and go “Right – I’ve got some other security controls. I still have a risk, or I don’t have a risk.” And that’s what we help you do that much more effectively

We’ve just hit 100 members – after 18 months in operation. Those are primarily councils in Queensland – we did a big collective deal to bring on all 75 local councils in Queensland. Then we’ve got other big members from the electricity sector, data processing, transport, water … It’s a pretty good cross-section across the critical infrastructure sectors.

What we’re looking to do now is, given the government’s release of a health sector-specific grant, pivot slightly, so leveraging all of those learnings and what we’ve already established to build health-specific teams around those capabilities now – because we’re a going concern. We’re already delivering these services. We’ve optimised all our platforms. It’s quite a straightforward proposition to drop humans in because that’s the piece we don’t have, being a not-for-profit.

We’ve got one full-time staff member, a couple of part-time staff members, lots of volunteers, dropping in dedicated teams around those capabilities, and then working really closely with the PHNs, the GPs, all the other kind of key movers and shakers in the health sector, to pilot these existing services, and refine them if we need to, but then really focus hard on building out more supporting capabilities.

And that’s the key piece, in terms of the collective; it’s not just sharing information, because the small and medium health providers, you give them information – really good, really well-written information – on cyber threats. They don’t have the resources to do anything about it.

So we want to lean in, leverage our partnerships, leverage the existing collateral we’ve got to provide a project, secure health, and more free cyber security services. And this is where we need the partners to help lean in. The grant will be a massive help to help us build things like leaked credential monitoring and external attack service monitoring. We can leverage open-source tools and capabilities to provide these to the members, make it accessible, make sure they can actually get value with very little requirements on their side.

And that’s kind of where we’re really looking to make an operational difference with this bid.

CD: Funnily enough, I saw my GP the other day and I was thinking about this interview, and so I was looking around their little admin area, and there’s just three people back there, and they’re hammered doing just the day-to-day stuff. These small practices don’t have the capacity for a dedicated person in-house. It seems like it’d be an overreaction, but the healthcare sector is getting hammered by cyber attacks – and the threat of that very, very personal data getting leaked out there is quite real, isn’t it?

David Sandell: At the end of the day, if your financial data gets leaked … It’s not great. I mean, depending on how much cash you’ve got in the bank – there’s only a limited downside for someone like [me] who does a lot of volunteering!

So, obviously, that can be impactful to people, and I’m not discounting the impact of something like that happening, but when you deal with personal health information, that’s a whole different ball game, that can have much longer-term consequences and impacts. It’s very personal. It’s very sensitive. It’s kind of out of our control because we just interface and deal with so many different providers, and there are so many interdependencies in this ecosystem.

This is part of the challenge with this whole grant and the ISAC – if you just limit yourself to those health providers in the health sector, that doesn’t bring in all of these third parties. There are technical suppliers, there are specific health suppliers that provide those services that GPs use, and we’re looking to weave in some of those to our actual pilot. They run all these systems, they host the data … If they go down, that is still going to have an operational impact on those health providers.

Plus, if you don’t run a hospital with an ICU unit, you’re generally not in [the] scope of the critical infrastructure regulation. So while those are very important – and there’s a lot of compliance and rigour around those – we can’t ignore and discount everyone else. It’s hard to say who’s more important, which is why we’ve got to address this holistically as a whole, and my personal view is leveraging those other, more mature sectors [that] can feed in … Because the cyber threats are not specific to healthcare.

Every single one of the recent incidents that [have] made Australian headlines, the attack vectors … What’s happened to those entities could happen to any sector. It’s not health-specific or telco-specific.

CD: I do know that there were several ransomware operators who quite openly said, once law enforcement started targeting them, that they were taking the gloves off, and they would now actively start healthcare organisations on their target lists. A lot of them had this whole “honour among thieves” going, but the gloves are off now, and we’ve seen that like recently. And it’s not just about patient data. That’s bad enough. It’s not just about the GPs themselves, but it’s also the entire business, about reputational damage … The damage to business can’t be overestimated, either.

David Sandell: There are so many facets to this entire thing.

There’s the kind of upfront, being proactive piece. There’s the hardening, again, hardening your system so that you’re that much more protected. Then comes the whole resilience and response side of things, because it’s not if you get hacked, but when.

That’s the unfortunate truth – something will happen at some stage, with varying levels of impact. So, how quickly can you bounce back again?

This is where I really want to focus our efforts supporting these entities. Because if you’re a GP clinic, if you’re a medium-sized health provider or supplier, you probably wouldn’t have the faintest idea where to start in terms of even just trying to sketch out some basic resiliency in your cyber operations – how do you continue business if your cyber systems are taken out?

I come from banking where there’s the whole concept of ‘going to paper’. Most places can’t go to paper in this day and age. And I’d probably put my hand up and say the same thing. But we’ve architected our systems and platforms in a way, but what – besides identities … I mean, identity is typically your core critical business service, and that’s something that the regulations focus on – what are your critical business systems and services?

You need to be planning for the worst so that you can continue operations while you get your systems back up and running, and things like control frameworks are great for ensuring you’ve got those backups you can get back up and running, but what happens in the interim? How do you continue generating income and delivering services, specifically in the healthcare sector, which doesn’t really have the option of taking the day off?

CD: Do you think more ISACs, more industry-specific, sector-specific ISACs should be stood up over time?

David Sandell: That works in large developed economies.

The ISAC concept came out of the US, when President Clinton pushed a directive out in ‘98, the ISACs started propagating. You’ve got very big sectors like financial services, and even health in the US, where they can justify and support their own ISAC. Those ISACs, some of them have membership in the 1,000s, while others are close to 1,000 members.

If you look at Australia, however, we have a much smaller economy – it’s a scale issue. It doesn’t make sense if you’re going to spend $6 million on all 11 sectors – you’re going to be spending a lot of money on ISACs.

The more fundamental challenge, putting the dollars to one side, is the ability to look at those threats across the sectors and share – if you have separate entities, they’re not going to have that joined up for you. And again, this is a big thing we go on about, is building up that situational awareness on what’s happening two streets away from me, what’s happening in the neighbourhood.

Telcos have great visibility across their networks, all the varying levels of maturity, and you want to bring that holistic picture together to build up the Australian-centric view of what’s going on. But of course, we’ve got partnerships, and we have an MOU with the International Health ISAC from the States. You want to keep one eye on what’s going on overseas because those threats do move around globally. So, there is some relevance.

But what the approach we tend to take is focusing on … What are those relevant threats? What are the key techniques we keep seeing over and over, and then building our contextualised advisories and recommendations around those to just keep hammering home, like these phishing attacks, or drive-by downloads, or search engine poisoning – we’re seeing a lot of this – and the concrete steps you can take to actually do that little bit to raise the bar so that your end users don’t get compromised.

You live another day until the next time comes along.

CD: That makes perfect sense – thanks for chatting with us, David, and good luck with the grant.

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.