Healthcare systems and hospitals are in the business of saving lives. As such, their budgets prioritize staff, programs and equipment that are directly related to that goal. Consequently, cybersecurity tends to rank much further down on the long list of competing demands.
Yet that may be beginning to change. Instead of using the fear of threats and adversaries to make the case to prioritize cybersecurity in healthcare, some creative problem solvers are nesting security goals within healthcare priorities.
It’s an intriguing notion, so we set out to look for statements and viewpoints by healthcare security professionals along these lines in the public domain. What we found follows below.
1) Align cybersecurity with patient safety
The healthcare community has underinvested in cybersecurity for a long time. A long list of high-profile and costly security incidents in healthcare hasn’t persuaded the top brass to invest more either. To make the case, security pros working in healthcare may do well to tap into the culture.
“Cybersecurity is, like it or not, a primary component of patient safety now. Forget confidentiality breaches. That battle is already lost several times over; the new battle lines are over availability – resiliency to withstand an attack – and the integrity of health data.”
“To beef up your security program, you have to solve the human behavior problem. That means turning the culture upside down and thinking about security as aggressively as many hospitals focus on handwashing. That same effort has to be there for every employee.”
Sources: Richard Staynings, chief security strategist, Cyber Associates, and a HIMSS Cybersecurity Committee member; and David Chou, VP and principal analyst, Constellation Research; Why information security should be every hospital CEO’s No. 2 priority (at least right now) by Tom Sullivan in Healthcare IT News.
2) System patches and updates are like preventative medicine
One of the most predominant cybersecurity terms to enter the consumer lexicon was the word “virus.” It’s an analogy that could help the healthcare community understand the relationship between patient safety and cybersecurity:
“When a caregiver gives care, they must be current on flu shots and vaccines. It’s not an option. It’s a condition of employment. It means that the caregiver is protected to the best ability that we can. In the cyber world, it’s the same. Your networks, laptops and servers, how are you protecting them?”
Source: Karl West, CISO, Intermountain Healthcare; Intermountain CISO West: Cybersecurity for revenue cycle should be a KPI by Beth Jones Sanborn in Healthcare Finance.
3) The changing role of the CISO in healthcare
The role of the CISO has evolved over time. Business skills are now essential, particularly the ability to translate the effects of technology into the language of business, so the C-suite and board of directors can understand. One CISO in healthcare categorizes the role into three areas – technical skills, focus (prevention and detection), and business communications.
Technical skills:
“It’s important to have a solid technical background but as recent years have shown, having a strategic, balanced approach to security is extremely important. It is critical to understand your organization’s threat landscape.”
Prevention and detection:
“Cyber threats in healthcare are real and spending your time focusing on how to prevent as well as detect [them] is critical. While I spend a large portion of my time working through our risk management processes and the associated projects, it is also extremely important to focus on strategy.”
Business communications:
“Understanding the impact of security to healthcare providers as well as patient care is significant if you want to get engagement at all levels. I spend a lot of time taking very technical security controls and metrics and turning them into meaningful business analytics that can be discussed and balanced with business need, cost, risk appetite, etc.”
Source: Sheryl Rose, CISO and senior vice president, Catholic Health Initiatives; Why Catholic Health Initiatives’ CISO says awareness training is pivotal in hospital cybersecurity by Jackie Drees in Becker’s Health IT & CIO Report.
4) Understand access, infrastructure and supply chain
Many healthcare facilities were originally designed to be open. After all, the idea is to provide accessibility, particularly in times of need or urgency. That underlying philosophy may be one of the challenges in healthcare cybersecurity because it may feel to some that locking things down runs contrary to that ethos.
On limiting permissions and access:
“Healthcare systems tend to grant multiple people (e.g., students, vendors, etc.) ‘permanent access’ to various systems/networks and these permissions largely go unchecked. Healthcare organizations need to better monitor and limit who they grant IT access to as well as place time-limits on employees’ ability to access certain networks.”
On understanding the IT infrastructure:
“CISOs need to know the entire architecture of a healthcare organization’s IT environment and how it supports each line of business. They need to fully understand the environment’s technological composition and nature of all the data contained therein, the process for storage and transmission, as well as the process of all critical and sensitive data and the complete flow of data in and out of the organization.”
On the supply chain:
“CISOs need to know the security posture of their suppliers, especially where PHI is involved, and to establish and implement a comprehensive supplier risk management program.”
Source: Mark Beckmeyer, Director of IT Security, Binary Fountain; Securing healthcare organizations: The challenges CISOs face by Zeljka Zorz in Help Net Security.
5) Leadership isn’t a title or an organizational chart
Research shows that effective CISOs use “the tools of influence” – persuasion, negotiation, conflict management and communication – to “get business leaders to own risk.” It’s an idea reflected in the lesson of earning trust and influence rather than relying on a position or title:
“I think the sign of really strong leadership is when you can get things done because the people around you believe in it, and they’re not doing it because they’re beholden to your title or the org chart.”
Source: Dan Bowden, CISO, Sentara Healthcare; Top 10 Cybersecurity Best Practices for Healthcare CISOs, by Fred Donovan in Health IT Security.
6) Not just diagnostic machines but connected computers
Part of the cultural challenge in healthcare is the legacy of considering many of the diagnostic tools as standalone machines. That just isn’t true anymore. The healthcare community has hurried to connect devices to share information without careful consideration of the implications for security:
“There’s also a lot of legacy equipment systems that are still in use, specifically medical devices, where they typically are meant to last 10, 15, 20 years. If you were to ask somebody in a BioMed area or a clinical area what a medical device is, they would describe it probably as some type of therapeutic or diagnostic machine that provides clinical care. If you ask me that question, I’m going to tell you it’s a computer with an operating system that is susceptible to all the same threats. That poses a lot of challenges now that we’re connecting all those devices to systems and data and it’s an Internet of Things problem.”
7) Integration of security tools and analytics
One of the existing challenges across cybersecurity also has effects felt in healthcare: namely, the complexity of security tools, and the resulting need for open APIs and data integration.
“We can all gain from having a better joined-up understanding of the analytics that we will hold and how that can be shared in a safe, secure and compliant way to improve all our products and services in the healthcare ecosystem.”
8) Common goals and shared understanding
Healthcare and cybersecurity may well attract some of the brightest minds, with a deep focus on complicated topics. Even experts in their field can work better together by keeping the common goals – like patient safety – in mind.
“What we really need to do is understand that most people are really trying to do the right thing from their perspective – it may be patient care, it may be delivering services, and … we start talking past each other. [We need to] try to promote good practices, try to help enable the mission goals and get everybody into a shared mindset rather than talking past each other.”
Source: Bruce McCulley, CISO, Department of Health and Human Services Office of the Inspector General; Improving Fed Healthcare Cybersecurity Starts With Building Bigger Table in MeriTalk.