12 key strategies for reducing cyber vulnerabilities
Cybersecurity vulnerabilities and intrusions pose risks to every hospital, the American Hospital Association reminds members. The expanded use of networked technology and the electronic exchange of health information greatly increase exposure to potential cybersecurity threats. One of the most important things senior executives can do is to ask the right questions of their information technology teams. AHA, through its new Center for Health Innovation, has published the following 12 areas for discussion, based on guidance from John Riggi, the organization's senior advisor for cybersecurity and risk, who spent nearly 30 years as a highly decorated veteran of the FBI.
Patient safety and critical mission systems
Key questions: What are our most mission-critical systems, devices and networks related to patient safety and care delivery, and how vulnerable are they to cyberattacks? Have we mapped out networks, our data and baseline network activity? What are our most valuable data sets, including intellectual property and research? Where are they stored and who has access to them?
Strategic cyber risk profile
Key questions: What is our strategic cyber risk profile from the adversaries’ perspective, based on the identification of our most valuable data sets, access to patients and network connections? Who is coming after us—for example, nation states, criminal organizations, insiders or a combination? Why and how?
Tactical cyber risk profile
Key question: What is the current state of our tactical cyber risk profile, based on our latest risk assessments of our policies, procedures and controls, and vulnerability and penetration testing of our technical environment?
Key question: Do we prioritize all cybersecurity policies, procedures, controls and technical risks through the lens of the potential impact to patient safety and delivery of care as the first priority; the protection of patient data security and privacy, second; and business and administrative operations, third?
Key questions: Based on our strategic and tactical risk profile, are we certain we have sufficient and capable human and technical resources along with a sufficient budget devoted to our information-security program? Does the reporting structure for the chief information security officer provide sufficient status, authority and independence?
Vendor risk management program
Key question: Have we conducted a recent in-depth technical, legal, policy and procedural review of our vendor risk management program to identify domestic and foreign high-risk vendors based on access to sensitive data, networks, systems, locations and criticality to continuity of operations?
Key questions: What is the cybersecurity culture of our organization? Knowing that the people of the organization represent the best defense against cyber threats or the greatest vulnerability, do we have a top-down culture of cybersecurity in which every leader and staff member believes he or she has a duty, a role and the power to defend patients against cyber threats? Or is our culture of cybersecurity one that is based on compliance and data protection?
Risk mitigation strategy and ERM
Key questions: Based on our overall current cyber risk profile, culture of cybersecurity and our target risk profile, what is our cyber risk mitigation strategy? Is it integrated into an overall multidisciplinary, enterprise risk management program and governance structure? Do we follow a particular cybersecurity framework? Why or why not?
Risk mitigation implementation plan
Key questions: What is our cyber risk mitigation strategy implementation road map? Are there specific program objectives and milestones along with a cost/risk-reduction analysis and patient safety impact review for each objective?
Incident response plan
Key questions: Is our cyber incident response plan up to date? Does it include specific individuals from all clinical and business functions and risk committees, with defined roles, responsibilities and contact information? Is the plan regularly tested, with gaps and best practices identified, and updated to include current threat scenarios, such as ransomware? Is the FBI integrated into the plan?
Key question: Is our cyber insurance coverage adequate and current to cover all costs associated with a multi-day network outage, breach mitigation and recovery, reputational harm, and legal and regulatory exposure?
Key question: Has an independent and objective outside expert reviewed each of the previously mentioned areas, identified gaps, validated and made recommendations?