The hidden cyber threat in a smart world
Tuesday, 2 November 2021
FEATURE - Industry Innovation Article - Beca
With advances in technology making our everyday lives better, the complexity created by digitising more of our physical world is presenting new threats for organisations to manage. This change is happening rapidly, and on many fronts, but particularly through the increased risk profile of Operational Technology (OT).
A simple example of OT in the health context can be seen in some medical devices. The Original Equipment Manufacturer (OEM) installs technology within the device that enables their technicians to provide error diagnostics and remote support from anywhere across the globe.
In this example, strict controls need to be in place to ensure that only the authorised person is getting access, that they can only access the information you want them to, and that the OT system can’t be exploited as a back door into your organisation’s broader Information Technology (IT) systems.
These OT systems are becoming increasingly sophisticated and connected, but they often fall outside traditional IT governance processes and management because they aren’t seen as “software”. This connectivity and convergence of IT and OT escalates cyber risk, requiring us to look widely for potential threats.
When it comes to protecting your organisation from OT related cyber risk, we recommend starting with three simple steps.
1. Assess your current state
The first step involves understanding what operational technology you have, and the associated risk and controls. Key questions to ask include:
- What technology exists across your physical environment? For example, OEM technology within medical devices, building sensors, appliances such as air conditioning units or elevator control systems?
- What is the system architecture? Are there any touch points into your broader IT network?
- What risk does each system represent? Is there a vulnerability that could be exploited to access other higher risk systems?
- What controls are in place? For example, are security patches performed regularly? Are there good password practices in place?
- Have you considered not just your own domain but also the systems used across your broader supply chain?
2. Define your future state
Once you understand what OT systems you have, what risk they present, and how they are being controlled, you can define and shape a clear, long-term future state vision and architecture. Some useful considerations include:
- Do you have a consensus of ‘what good looks like’ that is specific for your organisation?
- Is scalability included within your end state architecture, to enable you to adapt and encompass new and evolving technology as it emerges?
- Have you defined future state processes, not just the architecture?
- Have you defined both required controls and the assurance steps for current and future systems, including consideration of Cloud system use within the OT landscape?
3. Develop a prioritised roadmap
The third step is the adoption of a risk-based approach to implementation, beginning with the areas that present the most critical risk. Ideally, this roadmap will be more than a static vision, with additions and modifications over time. A good roadmap provides a master plan that guides and informs, drives activities, measures progress, and can be tailored for specific audiences.
It is also important that activities within the roadmap are not limited to technical changes, such as air gapping critical OT systems, but also include areas such as governance. Requiring a comprehensive privacy impact assessment (PIA) for any new device purchase, for example, is a control that can be implemented relatively early in the roadmap, while the longer-term activities are undertaken.
Building capability and confidence
Within the OT landscape, there are additional complexities and risks beyond those typically encountered within the traditional IT environment, and we recommend building capability in appropriate disciplines for managing cyber risk across the OT landscape. Systems Engineering is a specific engineering discipline for the architecture, design, integration, implementation and management of complex, high assurance and high security systems (including systems of systems) – not only how they look, but how they work.
Applied to OT environments, Systems Engineering can increase the power of your roadmap and build confidence your organisation is protecting and strengthening its defences in an increasingly connected world. While OT presents a risk, managed correctly it can also be an enormous opportunity to support improved health outcomes at the primary level, for those in your care.
Author: Daniel Feutz, Business Director – Digital Healthcare daniel.feutz@beca.com +64 3 366 3521 https://www.beca.com/ignite-your-thinking/in-focus/digital-healthcare

If you would like to provide feedback on the above feature article please contact the editor Rebecca McBeth.
eHealthNews.nz