12 key strategies to reducing cyber vulnerabilities
Cybersecurity vulnerabilities and intrusions pose risks to every hospital, the American Hospital Association reminds members. The expanded use of networked technology and the electronic exchange of health information greatly increase exposure to potential cybersecurity threats. One of the most important things senior executives can do is ask the right questions of their information technology teams. AHA, through its new Center for Health Innovation, has published the following 12 areas for discussion, based on guidance from John Riggi, the organization's senior advisor for cybersecurity and risk, who spent nearly 30 years as a highly decorated veteran of the FBI.
Strategy 1: Patient safety and critical mission systems
Key questions:
What are our most mission-critical systems, devices and networks related to patient safety and care delivery, and how vulnerable are they to cyberattacks?
Have we mapped out networks, our data and baseline network activity?
What are our most valuable data sets, including intellectual property and research?
Where are they stored and who has access to them?
Strategy 2: Strategic cyber risk profile
Key questions:
What is our strategic cyber risk profile from the adversaries’ perspective, based on the identification of our most valuable data sets, access to patients and network connections?
Who is coming after us—for example, nation states, criminal organizations, insiders or a combination? Why and how?
Strategy 3: Tactical cyber risk profile
Key question:
What is the current state of our tactical cyber risk profile, based on our latest risk assessments of our policies, procedures and controls, and vulnerability and penetration testing of our technical environment?
Strategy 4
Key question:
Do we prioritize all cybersecurity policies, procedures, controls and technical risks through the lens of the potential impact to patient safety and delivery of care as the first priority; the protection of patient data security and privacy, second; and business and administrative operations, third?
Strategy 5
Key questions:
Based on our strategic and tactical risk profile, are we certain we have sufficient and capable human and technical resources along with a sufficient budget devoted to our information-security program?
Does the reporting structure for the chief information security officer provide sufficient status, authority and independence?
Strategy 6: Vendor risk management program
Key question:
Have we conducted a recent in-depth technical, legal, policy and procedural review of our vendor risk management program to identify domestic and foreign high-risk vendors based on access to sensitive data, networks, systems, locations and criticality to continuity of operations?
Strategy 7: Cybersecurity culture
Key questions:
What is the cybersecurity culture of our organization?
Knowing that the people of the organization represent either the best defense against cyber threats or the greatest vulnerability, do we have a top-down culture of cybersecurity in which every leader and staff member believes he or she has a duty, a role and the power to defend patients against cyber threats?
Or is our culture of cybersecurity one that is based on compliance and data protection?
Strategy 8: Risk mitigation strategy and ERM
Key questions:
Based on our overall current cyber risk profile, culture of cybersecurity and our target risk profile, what is our cyber risk mitigation strategy?
Is it integrated into an overall multidisciplinary, enterprise risk management program and governance structure?
Do we follow a particular cybersecurity framework? Why or why not?
Strategy 9: Risk mitigation implementation plan
Key questions:
What is our cyber risk mitigation strategy implementation road map?
Are there specific program objectives and milestones along with a cost/risk-reduction analysis and patient safety impact review for each objective?
Strategy 10: Incident response plan
Key questions:
Is our cyber incident response plan up to date?
Does it include specific individuals from all clinical and business functions and risk committees, with defined roles, responsibilities and contact information?
Is the plan regularly tested, with gaps and best practices identified, and updated to include current threat scenarios, such as ransomware?
Is the FBI integrated into the plan?
Strategy 11: Cyber insurance
Key question:
Is our cyber insurance coverage adequate and current to cover all costs associated with a multi-day network outage, breach mitigation and recovery, reputational harm, and legal and regulatory exposure?
Strategy 12: Independent review
Key question:
Has an independent and objective outside expert reviewed each of the previously mentioned areas, identified gaps, validated and made recommendations?