Dangerous signs of business continuity failures in highly regulated fields
Are today’s businesses doing enough to protect themselves from unexpected disasters? Are their business continuity systems secure enough to prevent costly downtime? Are organizations within highly regulated industries following the proper business continuity regulation?
If recent ransomware attacks are any indicator, the answer is no.
Boeing—one of the largest companies in the world—was the latest victim of WannaCry, the nasty ransomware strain that infected more than 200,000 computers in May 2017. Nearly a year later, Boeing has revealed that its systems were just as vulnerable.
Unlike most forms of ransomware, which are spread via phishing and spam emails, WannaCry exploited a known vulnerability in Windows, for which Microsoft had released patches long ago. This means that, even after WannaCry’s global outbreak in 2017, Boeing still hadn’t updated all its systems.
What does this say about the state of business continuity in highly regulated industries today? After all, Boeing is more than just an airplane manufacturer. It’s the second-largest military defense contractor in the world, developing sophisticated fighter jets, bombers, helicopters and intercontinental ballistic missiles.
Companies like Boeing are naturally subject to numerous governmental regulations over their operations. But are their business continuity procedures regulated enough?
In this post, we look at how some of these highly regulated industries are “self-regulating” when it comes to disaster recovery.
Healthcare
Patients’ wellbeing and sensitive medical records are what make healthcare one of the most regulated industries. Medical professionals and facilities must comply with strict rules on how they interact with the people they serve (and the data they store).
Under HIPAA (the Health Insurance Portability and Accountability Act), healthcare organizations are subject to laws governing how they protect their patient information and keep computer systems from being compromised. Failure to comply with these laws can result in costly fines, not to mention potentially life-threatening situations.
Specifically, the HIPAA Security Rule mandates that organizations maintain a “comprehensive testing and monitoring strategy” to prevent and manage downtime events that affect electronic protected health information (ePHI).
This is achieved via several requirements under the Security Rule:
- Contingency plan: Policies and procedures for responding to an event that could compromise ePHI (e.g. cyberattack, fire, natural disaster, human error or vandalism)
- Data backup plan: Technical systems and procedures for storing and recovering ePHI, which can include everything from patient records to diagnostic images
- Security management process: Policies and procedures to “prevent, detect, contain, and correct security violations”
- Awareness and training program: Organization-wide training to teach every employee, including upper management, the proper security protocols and business continuity procedures
- Evaluation: Ongoing testing of both technical and non-technical systems to ensure the above standards are effectively being met
Look familiar? It should.
Each of these requirements is a fundamental component of every business continuity plan (BCP). Your own BCP should have similar pillars. The only difference here is that these requirements, within the healthcare industry, are governed by law.
Unfortunately, HIPAA does not go into much depth about specific technical requirements for things like backup and disaster recovery (BDR) technologies and other IT infrastructure. This can result in dangerous business continuity holes that leave an organization at risk, even if the implemented systems are still theoretically meeting the general HIPAA requirements.
Finance & Securities
Finance is another highly regulated industry, because of the sensitivity of customer data and the industry’s influence on global markets.
A single bank or financial firm shutting down—even for just a few hours—can create widespread panic. As such, the finance industry must be very careful with how it safeguards information and maintains continuity.
When it comes to brokerages and securities firms, business continuity is somewhat self-regulated. Disaster recovery protocols and systems are principally overseen by FINRA, the Financial Industry Regulatory Authority, which is a private organization, not a governmental entity.
In March 2018, FINRA issued new guidance that requires an “annual business continuity and disaster recovery test” for all firms that deal with significant volumes of Treasury securities.
FINRA requires firms to create and maintain a BCP, but allows them to tailor it to the size and needs of the firm. At a minimum, the BCP must address:
- Data backup and recovery systems
- Mission-critical systems
- Financial and operational assessments
- Backup communications between customers and firm, and between the firm and employees
- Backup physical location for employees
- Critical business constituent, bank, and counterparty impact
- Regulatory reporting
- Communications with regulators
- How the firm will assure customers’ prompt access to their funds and securities in the event that the firm determines that it is unable to continue its business
Within the banking industry, two government bodies, the Federal Financial Institutions Examination Council (FFIEC) and the Federal Deposit Insurance Corporation (FDIC), issue their own, similar guidance for disaster recovery, with the goal of ensuring continuous operation and limiting losses. Complying with this guidance is a mandatory regulatory requirement.
Government
Just days before Boeing was hit by WannaCry, the city of Atlanta was hobbled by the SamSam ransomware strain. A full week later, the city was still locked out of its data.
The attack affected nearly half of Atlanta’s governmental departments, shutting down city services and requiring many essential operations to be carried out on paper. In practical terms, that means many residents couldn’t pay their water bills and the court system couldn’t process cases. It’s unclear whether Atlanta’s data backups were infected as well, but clearly the city wasn’t adequately prepared for a cyberattack like this.
So, what’s to stop this from happening in other cities, or within our state and federal agencies too?
According to Gartner, state and local governments are mostly “free to make their own decisions on data security, DR and continuity of operations.” The Federal Information Security Management Act (FISMA) of 2002 does mandate the need for “critical infrastructure protection,” but does not specifically address business continuity measures.
The federal government is a different story. COOP (Continuity of Operations) is a federal initiative that has existed in some form since the Eisenhower administration. As part of this program, federal agencies are required to implement protocols and technologies that ensure essential government functions can continue during a disruptive event.
The directives under COOP address everything from department-specific continuity plans to underground bunkers. More specifically, Gartner has identified that COOP requires all federal BCPs to be:
- Maintained at a high level of readiness.
- Capable of implementation with or without warning.
- Operational no more than 12 hours after activation.
- Able to sustain operations for up to 30 days.
- Capable of taking maximum advantage of existing agency field infrastructures.
Under the 2017 Federal Continuity Directive 1 (FCD 1), COOP requirements are also intended to serve as guidance for state and local agencies.
Furthermore, the National Institute of Standards and Technology (NIST) provides more detailed guidance on technical requirements for contingency systems, plan testing and disaster recovery.
Manufacturing
Above, we mentioned the potential dangers of giant, global companies like Boeing being vulnerable to a cyberattack. But in its defense, Boeing did appear to respond rapidly to the attack. The company pushed back on news reports that the attack was extensive. Only “a small number of systems” were affected, the company said, and recovery was quickly underway.
Whether this was purely PR spin or a true rapid recovery almost doesn’t matter: the company appeared to be taking immediate action on all fronts. Reportedly, no production was affected.
So, what about other corners of the manufacturing sector?
Some areas of manufacturing, like motor vehicles and pharmaceuticals, are of course highly regulated by the government. But those regulations don’t necessarily address the importance of business continuity. When it comes to disaster recovery within manufacturing, what you’ll find is a patchwork of systems and planning strategies across the industry, and many are simply not adequate.
The problem, experts say, is that larger manufacturers are often using outdated systems to run their older, in-house applications.
“What I have observed across multiple manufacturing companies is that they end up using old systems, not because they want to, but because they built the software to control the robots,” said Raj Rajamani, vice president of product management at SentinelOne, in an interview with Law.com.
This is risky. Manufacturers that are hit with ransomware could see their production lines come to a full stop. Order information could be lost. Sensitive customer records could be locked up. The entire business can go down if operations aren’t restored quickly enough.
This is why manufacturers need to be vigilant about business continuity planning, even when there are no regulatory requirements.
So, where should they turn for help?
Government agencies like FEMA and NFPA do provide some good non-regulatory guidance on BC/DR. The International Organization for Standardization (ISO) is also a great resource for adopting business continuity management standards at virtually any manufacturing company. This guidance, while only a framework, provides an extensive list of recommended steps for contingency planning and protecting the business from an unexpected disaster.
Highly regulated industry? Get the business continuity guidance you need
For more information on today’s best practices and regulatory requirements for business continuity, contact our specialists at Invenio IT. Request a free demo of BDR solutions from Datto, call us at (646) 395-1170 or email [email protected].