6 Healthcare Cybersecurity, Operational Strategies For Successful CISOs
Mastering effective communication, implementing a risk-based healthcare cybersecurity approach, and attracting top cyber talent are all parts of a CISO’s job description.
Data breaches and cyberattacks are overwhelming healthcare. Ransomware and phishing attacks are still hurting the sector, even as healthcare organizations work tirelessly to prioritize cybersecurity. Organizations are investing in cybersecurity solutions more than ever, but many have yet to see a return on those investments.
Against this backdrop, the job description for a chief information security officer (CISO) in healthcare is ever-changing. One day, you might be developing incident response plans. The next day, you could be purchasing new products to enhance your organization’s security posture. The following day, you may have to respond to an attempted ransomware attack.
Above all else, it is the CISO’s job to advocate for and be the voice of cybersecurity within their organization. Doing so requires a combination of the right tools and strategies, from communicating effectively with the C-suite to attracting top cyber talent and knowing when to bring in outside help.
Effectively Communicating Cyber Risk
“You have to talk about cybersecurity in the same language that the healthcare delivery organization speaks,” Carl Wright, chief commercial officer at AttackIQ, told HealthITSecurity in an interview.
“They talk about populations. This disease affects this population. Well, this risk to the organization affects this population of capabilities that we have in the healthcare delivery organization. So, the first part of this is aligning the lexicon that you speak with the business that you serve.”
Communicating cyber risks effectively means framing them as the business risks that they truly are.
For example, CISOs could present data to C-suite executives about the cost of a data breach, or the impacts it may have on care delivery.
Healthcare data breaches cost an average of $10.1 million per incident last year, IBM Security found in the 2022 edition of its “Cost of a Data Breach Report.” The figure signified a 9.4 percent increase from the 2021 report and a 41.6 percent increase from 2020. For the 12th consecutive year, the healthcare sector suffered the most expensive data breach costs compared to any other industry examined in the report.
This data shows the significant financial toll that a data breach can have on a healthcare organization. Aside from financial impacts, data breaches may also impact care delivery and patient safety by forcing systems into downtime and delaying access to critical data.
Helping the C-suite understand the cyber ecosystem and collaborating on cybersecurity efforts across the organization is crucial to expanding cyber budgets and reducing risk across the board.
Taking a Risk-Based Approach
In addition to effective communication, incoming healthcare CISOs must realize that they are working in an industry that, in the past, has notoriously under-funded cybersecurity.
While this problem is lessening as cybersecurity risks become more apparent to healthcare executives, knowing how to make careful investments based on high-priority risks with a limited budget is still essential. One way to combat budget constraints is to take a thoughtful, risk-based security approach.
“There are all these threats out there. You can't spend money to combat all the threats. So, you should combat the ones that matter to your organization,” Wright explained. “This means you have to be threat-informed.”
A risk-based approach first involves a thoughtful assessment of the security risks in an organization’s environment. Next, CISOs and their teams should conduct pen tests to identify vulnerabilities and evaluate all key assets.
These assessments and tests will help healthcare CISOs determine key areas of focus. From there, they can make decisions about how to respond to each risk, whether that means keeping an eye on it from afar or terminating it immediately because it poses direct threats to the organization’s security posture.
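The steps above (assess, score, decide whether to monitor or act, and spend a limited budget where it reduces the most risk) can be made concrete in a small risk-register script. The following is an added illustration, not code from the article or from AttackIQ; the 1-5 likelihood and impact scales, the "act now" threshold of 12, the sample register entries and the budget figures are all constructed for the example.

```python
"""Risk register triage: score, rank and pick mitigations under a budget.

Added illustration. The ordinal scales, the threshold, the register entries
and the budget units below are constructed for this example and do not come
from any real assessment.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed 1-5 ordinal scales; their product gives a 1-25 risk score.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost_certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    likelihood: str
    impact: str
    mitigation_cost: int        # constructed, in arbitrary budget units
    residual_likelihood: str    # likelihood expected once the mitigation is in place

    def score(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_score(self) -> int:
        return LIKELIHOOD[self.residual_likelihood] * IMPACT[self.impact]

    def reduction(self) -> int:
        """Risk score removed if this item's mitigation is funded."""
        return self.score() - self.residual_score()


def disposition(risk: Risk, act_threshold: int = 12) -> str:
    """Map a score to the two responses the article names: act now, or keep watching."""
    return "mitigate_now" if risk.score() >= act_threshold else "monitor"


def rank(register: List[Risk]) -> List[Risk]:
    """Highest risk score first; ties broken by name for a stable report."""
    return sorted(register, key=lambda r: (-r.score(), r.name))


def plan_within_budget(register: List[Risk], budget: int) -> Tuple[List[str], int]:
    """Greedy pick by risk reduction per unit cost until the budget is spent.

    Only items dispositioned 'mitigate_now' are candidates; 'monitor' items
    stay on the register but do not consume budget this cycle.
    """
    candidates = [r for r in register
                  if disposition(r) == "mitigate_now" and r.reduction() > 0]
    candidates.sort(key=lambda r: (-(r.reduction() / r.mitigation_cost), r.name))
    chosen, spent = [], 0
    for r in candidates:
        if spent + r.mitigation_cost <= budget:
            chosen.append(r.name)
            spent += r.mitigation_cost
    return chosen, spent


# Constructed sample register (hypothetical findings, not from any real environment)
REGISTER = [
    Risk("Unpatched VPN appliance", "likely", "severe", 30, "unlikely"),
    Risk("Phishing of clinical staff", "almost_certain", "major", 40, "possible"),
    Risk("Legacy imaging workstation on flat network", "possible", "major", 60, "rare"),
    Risk("Weak password policy on guest Wi-Fi", "likely", "minor", 5, "rare"),
    Risk("Unencrypted backup tapes offsite", "unlikely", "moderate", 20, "rare"),
]

if __name__ == "__main__":
    for r in rank(REGISTER):
        print(f"{r.score():>2}  {disposition(r):<13} {r.name}")
    chosen, spent = plan_within_budget(REGISTER, budget=100)
    print(f"\nFunded this cycle ({spent} units): {', '.join(chosen)}")
```

The greedy ratio (reduction per unit cost) is deliberately simple; it makes the budget trade-off visible, so that the item with the largest raw score is not automatically funded if a cheaper control buys more risk reduction. Items below the threshold remain on the register for the next review rather than disappearing.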
Attracting Top Cyber Talent
The ongoing cybersecurity workforce shortage is a problem that spans all sectors, not just healthcare. A survey conducted by (ISC)² found that while the cybersecurity workforce gap narrowed for the second consecutive year, the global workforce still must grow by 65 percent to defend critical assets effectively.
“Healthcare delivery organizations don't have an unlimited amount of dollars, and they're not always as competitive as they could be with everybody else,” Wright reasoned.
While it is hard to compete with large tech companies that have bigger budgets, healthcare organizations can still attract cyber talent in other ways. Wright recommended that organizations offer “career pathing” opportunities, which show prospective employees that they can advance their careers over time.
Giving employees a chance to continuously improve their skills and work their way up is a great way to attract cyber talent and support the growth of your employees.
“Every quarter now, there is this big cyber event, and the reality is our operational template is very high and we're constantly in the fight,” Wright said.
“And because of that, we're not planning as well as we should. We need to plan for our people.”
Bringing in Outside Help
As all CISOs know, security is not a one-person job. Effective cybersecurity requires collaboration across the business and beyond. While managing risk internally with a solid cybersecurity architecture is essential, knowing when to outsource security tasks is also vital to success.
If your organization lacks internal resources for some necessary capabilities, Wright suggested, bringing in outside vendors can help ease that burden.
“You're not outsourcing your brain. You're still owning and operating and defending, but you're bringing some people in to help you augment some scope gaps that you may have,” Wright explained. “And hopefully, over time, you can fill those gaps.”
According to CyberDB, there are more than 3,500 cybersecurity vendors in the US market at the moment. Healthcare organizations have no shortage of vendors to choose from, but CISOs should always select their business partners carefully.
Aside from considering the security risks that come along with trusting a vendor with sensitive information, CISOs should also make sure that they are getting a return on their investments (ROI) and are not investing in duplicative efforts that just add complexity without reducing risk.
Making careful procurement decisions and working alongside trustworthy vendors is essential to safeguarding protected health information (PHI) and maintaining enterprise-wide security. Evaluating vendor contracts with care and tracking ROI can help organizations get the most out of vendor relationships.
Taking Advantage of Community Resources
Even with budget restrictions, there are numerous ways that healthcare CISOs can enhance their organization’s security posture for free or at a minimal cost.
Industry groups often release helpful white papers to guide cybersecurity leaders. For example, Health Information Sharing and Analysis Center (Health-ISAC) released a white paper specifically to help healthcare CISOs understand and implement zero trust security strategies.
The Cloud Security Alliance (CSA) regularly releases guidance, including a recent report aimed at helping organizations address healthcare supply chain security. The National Institute of Standards and Technology (NIST) recently updated its healthcare cybersecurity and HIPAA Security Rule guidance, and the HHS Health Sector Cybersecurity Coordination Center (HC3) regularly releases briefs covering the latest threats.
Wright noted the usefulness of MITRE ATT&CK, a free and global knowledge base of observed adversary behavior that can be used to inform security models. In addition, although not free, Wright noted the importance of sending cybersecurity professionals to industry events such as the annual RSA Conference.
“It’s expensive, and it is a week away from work,” Wright acknowledged, but the knowledge gained by learning tips and tricks from fellow industry experts and building a community is invaluable.
“These are all opportunities for them to up-level their game, and again, help retain employees and get their more knowledge skills involved.”
Focusing on Operational Excellence
Tying in all the previously discussed concepts, achieving overall operational excellence is the ideal state to strive for. Security is always a work in progress. But managing to harmonize functions across the business, even in the face of emerging cyber threats, is a big step toward maintaining healthcare cybersecurity and compliance.
“The reality is that we are spending a lot of money, but when we go to sleep at night, we don't know if we're good,” Wright reasoned.
Striving for operational excellence essentially means that organizations are focused on improving the efficacy and efficiency of their business processes in order to make sure that expectations are met and the business can run smoothly.
Focusing on key performance indicators, investing in employees’ career growth, and communicating effectively are all core tenets of operational excellence. Building off those tenets, healthcare CISOs can establish feedback loops and continually measure their success, contributing to a robust and comprehensive security architecture.