3 critical steps to improve cybersecurity
Recent cyberattacks have ensured that the security spotlight on healthcare organizations shines ever brighter. The seeds of threat seem to have proliferated after a number of successful ransomware attacks.
An aging infrastructure and the anonymity of digital currencies are just a couple of the drivers that have fueled the threats. Accenture’s latest research shows that cyberattacks on U.S. health systems over the next five years will put nearly $305 billion of cumulative lifetime patient revenue at risk.
Until recently, organizations were hesitant to make security a boardroom priority, either because the business case just wasn’t there, or market and regulatory headwinds deprioritized a revamped security program. The winds are changing, however, and now health executives and IT leadership are prioritizing security in a way we haven’t seen before.
It’s about getting “left of bang,” a term that originated in the theater of war and refers to handling the situation before an IED detonates, using pre-incident intelligence, rather than merely investigating and recovering from the incident after the fact. When you think about it, “left of bang” is an apt descriptor for a proactive cybersecurity strategy.
Here are three critical steps healthcare organizations can take to get “left of bang” on cybersecurity:
Assign the right leader. For organizations that rely on information systems (nearly all in today’s digital economy), the leadership component that is often missing is a Chief Information Security Officer (CISO). Sometimes CIOs or CFOs are charged with carrying out this function as an ancillary duty, usually when already overloaded with their core job functions. The best question to ask before a cyber incident is: who is responsible for handling our cybersecurity safeguards? In other words, who is responsible for managing the strategy to raise our organization’s cyber shields by deploying best-practice hardware and software, delivering user awareness training and establishing a culture of security? If the answer is more than one person, or no one, hire a CISO.
Choose your vendors wisely. Vendors in the cybersecurity space can either be your best friend or your worst adversary. If you consider several recent breaches in the commercial sector, you will notice that, in many cases, vendors were the conduit for adversaries to access critical cyber systems and ultimately carry out a successful cyber intrusion. To avoid this scenario, the first stage of selecting a vendor should be a survey and self-attestation request, in which vendors adequately show you that they are implementing their own cybersecurity best practices. In other words, do they have skin in the game, and are they “putting their money where their mouth is” regarding their own cybersecurity infrastructure?
Move to the cloud. Health IT professionals face the tricky task of managing execution on multiple clinical application deployments, including population health tools, all the while trying to balance infrastructure requirements to protect their organizations against the latest threats. Now is clearly the time for healthcare executives to consider moving their overstretched IT resources closer to the business and their consumers. Moving key components of their IT architecture to the cloud can provide for a better security and governance apparatus. Of course, moving Protected Health Information (PHI) into the cloud can be daunting, but the challenges are by no means insurmountable, and most cloud vendors thoroughly understand and support PHI security requirements. Health IT leaders should closely question the premise that on-site infrastructure is automatically more secure. While a cloud infrastructure alone isn’t a complete response, it is one that will free up key IT resources to work on other parts of a modern security framework.
With the recent proliferation of high-profile ransomware infections in the news, healthcare facilities have begun to take some necessary, and sometimes draconian, steps to control risks in the cyberspace domain. Common tactics range from disabling external access to web-based email and blocking external entities from sending to internal email servers to turning off information technology assets on the threat of possible intrusion, often reverting to paper processing and charting.
It is still the wild, Wild West once you leave the safety of your corporate firewall, and it is high time for the health industry to self-prescribe some much-needed cyber prophylaxis.
The steps outlined above are by no means a panacea, but they are important first steps in developing a proactive cybersecurity strategy that goes beyond basic block-and-tackle maneuvers to ensure that judicious measures are taken to prevent costly attacks before they occur.
Lance Larson, Assistant Director of Homeland Security Graduate Program, San Diego State University, contributed to this article.