You’re the CISO of a healthcare organization and you just sat through an amazing sales presentation by one of your security vendors. You are considering cutting a PO to purchase that new security tool. You’ve been thinking for some time about purchasing tools to close security gaps that you’re aware of and this particular tool appears to address a critical area of weakness in your information security program.
At the same time, you’ve got limited resources for addressing your healthcare organization’s cybersecurity risk. You experience ongoing challenges around finding and retaining IT staff with expertise in information risk management. You know you’ll need staff resources to implement that new security tool, but your IT budget never stretches quite far enough to cover all of your organization’s technology needs, let alone managing cybersecurity risk.
Healthcare security leaders are often tempted to buy the “shiny new object” that promises to be the panacea to their most pressing security problems. Perhaps an audit or assessment highlighted the gap and executive management jumped all over it. Perhaps a breach or security incident became a compelling event, and the vendor’s new tool looks like a silver bullet. Vendors often encourage this line of thinking, being only too happy to make another sale.
Though new security tools can be tempting, their purchase is sometimes the result of a myopic focus on a single critical area of weakness or vulnerability. Yet the vast majority of healthcare organizations have many security gaps, spread over a wide range of areas. This is true regardless of the size of an organization’s dedicated IT staff or their information risk management budget.
When a shiny new security tool attracts your attention, how do you determine whether or not this is the best use of your resources? How do you make the case to your Board that purchasing this particular tool should be your organization’s number one priority?
The Changing Cyber Risk Landscape
All too often, healthcare security leaders are put in the position of simply reacting to the latest, headline-grabbing cyber security threats. A short time ago, cyber attackers seemed mostly intent on hacking into healthcare networks in order to steal patient data and sell it on the black market. The consequences of a data breach are far-reaching, including a loss of customer trust, penalties and settlement fees imposed by the Office for Civil Rights (OCR) for HIPAA violations, and the cost of remediation measures. A recent Ponemon Institute report estimates the average total cost of a data breach at $3.86 million. As a result, stakeholders including Board of Trustees members and consumers clamor for assurance that their healthcare providers have tools and strategies in place to prevent data breaches.
But even as data breaches continue to pose a real threat to healthcare organizations, new threats have emerged. Ransomware attacks on healthcare organizations have turned out to be just as lucrative for cyber criminals, if not more so, than selling healthcare records on the black market. The impacts of last year’s WannaCry ransomware attacks have continued to play out in healthcare organizations in the U.S. and in the U.K.
WannaCry compromised IT system availability in order to shake down healthcare providers for ransom money. But other types of emerging malware attacks – such as NotPetya – pretend to be ransomware while actually destroying critical systems and data. The increase in cyberattacks that target system availability have made IT system availability and resiliency the new cybersecurity mantra.
At the same time, new attack surfaces in healthcare organizations are attracting the attention of hackers. Network-attached medical devices – think Internet of Things (IoT) – are just as susceptible to malware and ransomware attacks as other, more traditional targets, such as the enterprise data center.
All this means that cyber risk management in a healthcare organization is a continually moving target. Cyber attackers’ motives, strategies and targets evolve quickly. By the time a new security tool comes on the market, a different threat has emerged, requiring a different approach to risk mitigation.
Given the constantly changing cyber security threat landscape, how is a CISO to respond? Is there a better way to protect your organization than being swayed by the latest, greatest vendor presentation? Is there a better way to protect your organization than yielding to Board pressure to respond to the cyber threat du jour currently making headlines?
The Big Picture: Enterprise Cyber Risk Assessment
The good news is that there actually is a better way.
And the better news is that this “better way” not only helps your organization meet HIPAA compliance requirements, it also helps your organization develop a strategic approach to enterprise-wide information risk management. It’s a deliberate and considered approach that can help guide your organization’s information risk management purchasing decisions and will strengthen your organization’s cybersecurity posture.
It begins with an enterprise-wide cyber risk assessment.
By an enterprise-wide cyber risk assessment, I’m not referring to marking off boxes on a controls checklist. I am also not referring to your latest technical testing, security gap assessment, or pen test. I’m talking about conducting a bona fide, enterprise-wide, HIPAA-compliant, security risk assessment and analysis.
What does a HIPAA-compliant security risk assessment look like?
Stay tuned. I will explore that topic in Part 2 of this three-part blog series: Panaceas, Shiny Objects and the Importance of Managing Risk in a Healthcare Environment.
Read more in this series: