With the emergence of major public health issues, or crises, such as COVID-19, grant funding for research and program development will be made available from various government agencies to help with the response. Additionally, foundations such as the Bill & Melinda Gates Foundation or Ford Foundation may provide the precious funds to perform the vital work to battle the at hand issue. If fortunate, those in receipt of funding to pursue the global health issue to be addressed will often utilize technology either developed or custom created and implemented to address the critical response, or in the case of COVID-19, slow the spread or research the creation of vaccines.
Organizations that will be included in such work include non-profits, Non-Government Organizations (NGOs), multilateral or inter-governmental organizations. In the interest of being efficient and effective, organizations will rely on the use of information technology and the like, and with this comes the potential for cyber threats and cyber breaches. We have learned about and witnessed a plethora of such threat actor attacks during the pandemic, but the attacks have existed pre-pandemic as well. As these public health organizations work on solutions and response, it is essential to keep cybersecurity front and center during all phases of their efforts in order to protect patient, and trial data from being exposed, ensuring proprietary systems solutions and knowledge are not compromised, and interfere with system operations.
Lack of cybersecurity focus
During an initiated cybersecurity preparedness survey published in 2017 by the Institute for Critical Infrastructure Technology, when NGOs and non-profits were posed the question if their organizations contained a formal cybersecurity unit or had specific staff members responsible and assigned to protect the computing environment – 49% of the respondents did NOT have such a focus. For those organizations that answered no to having a formal cybersecurity unit, when asked if they planned to incorporate one in the next year, 11% of organizations said they did have a plan. However, an overwhelming 86% said they did not have such a plan in place. It is hard for a non-profit or NGO to stay on par with other healthcare sector or larger organizations, especially since such operations most likely need to comply with HIPAA and other health-related regulations and requirements with risk and cybersecurity. These larger organizations, outside of the non-profit sector, often have more resources.
Organizations with non-profit budgets may not have the funding available to create information technology and/or control assessment units to work towards better protection. You need to keep in mind that an NGO and non-profit have a primary goal to exist to service-specific goals; to work towards a mission and focus efforts on obtaining funding and reducing costs. It is possible that the incentive structure of a non-profit is built on these goals. Unluckily, good cybersecurity generally does not accomplish or align with these goals.
Finally, a general figure often considered with regard to the budget amount required for a cybersecurity program in an organization is approximately 10% of the IT budget. This can be very difficult to come by for a non-profit or NGO. This percentage can adjust, even upwards! Moreover, it will depend on the risk appetite set forth by the board and executive team. If the NGO or non-profit is involved in more sensitive work, this figure may very well be more in line with 15% or more!
Funding for public health NGOs and non-profits may be more difficult to obtain after the COVID-19 pandemic. These organizations will focus the precious funding on more programmatic initiatives, and technology and cybersecurity, which is a small subset that may suffer. However, I would suggest that any such global public organization partnering and working on COVID-19 projects should up their percent of the budget put forth towards cyber defense!
Recently published manuscript outlining a proposed framework for global public health
A recently published manuscript at the International Journal of Cybersecurity Intelligence and Cybercrime has been made available that provides a proposed theoretical framework that can be utilized by those in the public health sector as a method of introducing greater cybersecurity awareness. The framework, built from several risk management components, including the NIST Cybersecurity Framework (CSF) could be especially useful for those organizations that do not contain a dedicated computer or cyber security department, and want to put a “best foot forward” in attempting to minimize cybersecurity issues. The manuscript outlines a simple seven-step cybersecurity risk analysis process that can help to complement the global public health efforts if technology solutions or developing apps, hardware devices, etc. are part of the project. In addition to the manuscript, there is a recorded video of a presentation made available via the National CyberWatch Center Webinar Series.
This article originally ran in Today’s Cybersecurity Leader, a monthly cybersecurity-focused eNewsletter for security end users, brought to you by Security Magazine. Subscribe here.