Critical Infrastructure Audit Readiness In Three Steps
How companies in the healthcare industry can implement the German BSI’s “KRITIS” regulations
Celestamine N 0.5 liquidum (betamethasone) can be life-saving during bee and wasp season: the medication helps people who experience allergic reactions to insect stings. Two years ago, however, cyber attacks forced pharmaceutical companies to drastically limit the dose amounts of this and other preparations. By attacking companies’ IT infrastructures, hackers caused short-term delivery shortages and failures. While consumers experienced a threat to their own well-being, manufacturers experienced significant disruptions in their production, some of which are still being felt today. The lesson here: everyone is vulnerable, everywhere – and often, there is a high price to pay for it.
Deadline for proof of “BSI KRITIS” has passed
The German federal government, or more precisely the BSI (Federal Office for Information Security), has been defining measures to protect critical infrastructures from precisely these types of cyber attacks since 2011. As part of that effort, the BSI published a study on “Critical Infrastructures” (“KRITIS”) in the healthcare industry in 2016. The study examined the individual sectors with regard to supply services, IT dependencies and potentially critical operator structures, and analyzed the status quo of their cyber security.
Furthermore, the federal government has identified service providers in the healthcare industry who must provide proof of IT protection that is compliant with §8a of the BSI Act: pharmaceutical manufacturers and wholesalers, medical device manufacturers and laboratories. According to the BSI Act and the “KRITIS” regulations, the relevant BSI regulation focuses exclusively on IT disruptions. However, the deadline for providing this proof was June 30th 2019. Even for companies that already have a high level of information security, this date was the critical deadline for bringing their IT security standards up to date and having them examined and verified. Service providers had two years to get ready.
Scoping, analysis and implementation
Even with the window now closed, companies can still implement the regulations to ensure audit readiness. Three actions are required, and some pharmaceutical manufacturers have already successfully completed them together with the msg industry advisors team:
1) “KRITIS” - Scoping
In this phase, our customers work with us as part of a project team to mobilize their internal stakeholders and identify the relevant business units, processes and IT systems that fall within the scope of the BSI Act and related regulations. Once the applicability of the B3S (industry-specific security standard) for “Pharma” has been checked, we document the jointly defined methodology in a project timeline.
2) “KRITIS” - Analysis
During the next step, the joint project team concentrates on analyzing the risks within the defined scope and creates an appropriate action plan. An analysis of the existing internal control systems, focusing on quality management, business continuity management and IT security, clarifies the need for action as well as the technological steps required to establish an information security management system. The team also defines a project plan for the third phase that includes all necessary milestones. The plan shows which project activities need to be carried out in order to accomplish the phase goals, including which internal and external resources will be required.
3) “KRITIS” - Implementation and Maintenance
The third phase focuses primarily on raising employees’ awareness of the topic – by setting up new work processes, for example in risk management, in addition to the usual training measures. The project team then establishes an information security organization as part of the existing internal control system: the resulting active ISMS and a successful audit conclude the project. Upon request, our consultants are also available to maintain the ISMS through regular reviews in preparation for the mandatory audit performed every two years.
IT: lifeline for process and information security
Whether used in the manufacturing of pharmaceuticals, research, development or logistics: IT is now an essential part of the entire value chain of companies in the healthcare industry – and thus a key success factor as well as a key risk factor. As a result, implementing the BSI’s “KRITIS” regulations is currently the single most important preventative measure against future attacks on “vital” IT infrastructures. We would be happy to work with you to determine whether you are affected by the regulations.