I hear, and personally experience instances where the insurance company does not understand (or at least can explain to us…
Readers Write: Project or Program: Why It’s Time to Rethink Your Approach to Cyber Risk Management
Project or Program: Why It’s Time to Rethink Your Approach to Cyber Risk Management
By Jon Moore
Jon Moore, MS, JD is chief risk officer and SVP of consulting services for Clearwater of Nashville, TN.
The modern healthcare enterprise constantly expands with new technologies, services, and devices. Still, few have a reliable process to ensure that these new additions meet their cybersecurity standards or are added to their risk analysis. Most do a point-in-time risk analysis or conduct their risk analysis using only a sample of their information assets, or worse, both.
Point-in-time risk analysis in a complex healthcare organization will be outdated nearly as soon as it is completed. Sampling information assets is risky. Any number of assets outside the sample could threaten an organization.
A firewall is not enough to protect an asset, system, or network. Effective, compliant cyber risk management is not just about implementing and protecting the electronic health records (EHR) system.
Today’s cyber risk management should be comprehensive, including all aspects of daily operations and supporting systems, evaluating applications and systems both on-site and in the cloud. That can be challenging for even the best teams to manage and even more difficult for smaller organizations where access to skilled professionals, risk landscape intelligence, and financial re sources can be hard to come by. It’s further complicated in mid-size to larger healthcare organizations, where technologies, software, applications, and configurations can vary from location to location and sometimes from department to department.
Without accurate, up-to-date asset, software, and system inventories, a team can quickly fall into siloed risk management practices that focus on the known, leaving security gaps with the unknown.
Adding more challenges to the mix is the growing third-party risk that healthcare organizations face as their vendor and partner lists grow, especially in new applications or devices that streamline patient care. Owensboro Health CISO Jackie Mattingly recently spoke about the challenges in keeping up with vendors, systems, and programs that are brought into the organization by various departments. “Most of these major EHR systems have a pretty good grip on security for their systems. We use Epic, and they have things pretty well buckled up,” Mattingly said. “They’ll notify us if they detect an incident, but the many other ancillary systems we use pose a greater threat. You have to assess risk across the enterprise.”
A recently released Cyber Readiness Report found that some 74% of healthcare organizations haven’t yet implemented comprehensive software supply chain risk management policies. The report noted that more than 90% of respondents struggled to measure and implement software supply chain risk management policies in healthcare. That should be alarming considering the number of successful healthcare breaches recently resulting from vulnerabilities in third-party software solutions.
While forward-looking security teams are trying to keep pace with healthcare innovation and the adoption of new technologies, it’s important to remember that the data in legacy systems may also be at risk. Late last year, a healthcare organization in Canada discovered a breach that could have affected data dating back to 1996. Although its EHR appears unscathed, data was taken from legacy administrative systems like those used for reporting and patient satisfaction surveying. The breach affected 13 different but overlapping data categories, such as medical and other information, and impacted others, such as an affiliated non-profit that purchases IT services and file storage from the core agency.
If you’re still approaching cyber risk as an annual project or initiative, it’s time to rethink this approach. While nothing can guarantee that a cyberattack won’t become a breach, having a comprehensive ongoing program in place means that even in the worst-case scenario, you’ll be prepared to show that you did what was reasonable and appropriate to protect your systems and patient data. This goes a long way when the Office for Civil Rights investigates a breach or audits your organization. It can save you countless hours, resources, and money by resulting in a short investigation and more favorable determination.
Unsure of where to begin? Consider:
- Adopting reasonable and appropriate security controls across all of your information assets. Be sure to account for the legacy data you may have in storage somewhere. It needs protection, too.
- Employing identity and access management processes that limit access to patient data to only what is needed for an employee to perform their job.
- Segmenting your network as appropriate to reduce the ability of threat actors to move laterally through networks and systems.
- Using a risk management software solution to power an ongoing risk assessment and risk management program so you always know where your risks are and how to address them
- Working with an expert to develop a comprehensive risk management program for your organization, including seeking out program weaknesses and making plans to mature it over time.
Program with projects that support it. I have used this approach for longer than I care to admit in public, however, it works. Then of course within the program it should have response playbooks with resources ready to go when the worst happens.
AND
Ensure the board knows and understands the risks and the program and the progress. This is how the program gets funded and hopefully is not cut in tough financial times.
Like now.