Despite the comprehensive cyber-security framework in place in the US, cyber-crime remains a major threat. The framework didn't prevent a huge phishing attack on a hospital, reported on eHNA, which indicates the scale and complexity of the challenge.
The US National Institute of Standards and Technology (NIST) has released for consultation its updated Framework for Improving Critical Infrastructure Cybersecurity. It has two main parts: the report, and a comprehensive checklist of the framework's core in Excel. Both are essential reading for Africa's health systems as they develop their cyber-security.
The new draft expands the cyber-security measures in the original framework from February 2014. Its new content includes:
- A new section on cyber-security measurement and correlating business results to cyber-security risk management metrics
- Expanded explanation of using the framework for supply chain risk management
- Refinements to better account for authentication, authorisation and identity proofing
- A better explanation of the relationship between implementation tiers and profiles, including how to establish or improve a cyber-security programme, how to use the framework tiers in implementation, and how to integrate framework considerations with risk management.
The Excel checklist has 23 categories. These break down into 106 sub-categories and 398 informative references to standards and guidelines. It's a comprehensive list of the actions needed for good cyber-security practice. The 23 categories are:
- Asset Management (ID.AM): identifying and managing the data, personnel, devices, systems and facilities that enable the organisation to achieve its purposes, consistent with their relative importance to business objectives and the organisation's risk strategy
- Business Environment (ID.BE): understanding and prioritising the organisation's mission, objectives, stakeholders and activities to inform cyber-security roles, responsibilities and risk management decisions
- Governance (ID.GV): understanding and using the policies, procedures and processes for managing and monitoring the organisation's regulatory, legal, risk, environmental and operational requirements to inform cyber-security risk management
- Risk Assessment (ID.RA): understanding the cyber-security risk to organisational operations (including mission, functions, image and reputation), organisational assets and individuals
- Risk Management Strategy (ID.RM): establishing and using the organisation's priorities, constraints, risk tolerances and assumptions to support operational risk decisions
- Supply Chain Risk Management (ID.SC): establishing and using the organisation's priorities, constraints, risk tolerances and assumptions to support risk decisions on supply chain risk, and implementing processes to identify, assess and manage those risks
- Identity Management and Access Control (PR.AC): limiting access to physical and logical assets and associated facilities to authorised users, processes and devices, and managing that access consistent with the assessed risk of unauthorised access
- Awareness and Training (PR.AT): ensuring personnel and partners are aware of cyber-security and adequately trained to perform their duties and responsibilities consistent with cyber-security policies, procedures and agreements
- Data Security (PR.DS): ensuring data is managed consistent with the risk strategy to protect its confidentiality, integrity and availability
- Information Protection Processes and Procedures (PR.IP): maintaining and using cyber-security policies that address purpose, scope, roles, responsibilities, management commitment and coordination among organisational units, together with processes and procedures to protect information systems and assets
- Maintenance (PR.MA): ensuring industrial control and information system components are maintained and repaired in line with policies and procedures
- Protective Technology (PR.PT): managing technical security solutions to ensure the security and resilience of systems and assets, consistent with policies, procedures and agreements
- Anomalies and Events (DE.AE): detecting anomalous activity promptly and understanding its potential impact
- Security Continuous Monitoring (DE.CM): monitoring information systems and assets at discrete intervals to identify cyber-security events and verify the effectiveness of protective measures
- Detection Processes (DE.DP): maintaining and testing detection processes and procedures to ensure timely and adequate awareness of anomalous events
- Response Planning (RS.RP): implementing and maintaining response processes and procedures to ensure a timely response to detected cyber-security events
- Communications (RS.CO): coordinating response activities with internal and external stakeholders, including external support from law enforcement agencies
- Analysis (RS.AN): analysing detected events to ensure an adequate response and to support recovery activities
- Mitigation (RS.MI): performing activities to prevent the expansion of an event, mitigate its effects and eradicate the incident
- Improvements (RS.IM): improving response activities by incorporating lessons learned from current and previous detection and response activities
- Recovery Planning (RC.RP): implementing and maintaining recovery processes and procedures to ensure timely restoration of systems or assets affected by cyber-attacks
- Improvements (RC.IM): improving recovery planning and processes by incorporating lessons learned into future activities
- Communications (RC.CO): coordinating restoration activities with internal and external parties, such as coordinating centres, Internet Service Providers (ISPs), owners of attacking systems, victims, other Computer Security Incident Response Teams (CSIRTs) and vendors.
Challenges for Africa's health systems include where to start and how long it should take to set up. The second question depends on the resources available. The reasonable answer to the first is to pick a starting point that matches the organisation's cyber-security priorities. If these aren't explicit, start at the first category in the list above, Asset Management (ID.AM). If there's already been a cyber-attack, start there too, and the twentieth, Improvements (RS.IM), which captures the lessons learned from detection and response, may also be relevant.