
The Right Way to Present a Business Case for Cybersecurity

August 19, 2016
by Bob Chaput, CEO, Clearwater Compliance

There is an ever-increasing number of threats to healthcare information. Healthcare information is more valuable and visible than ever and, at the same time, more vulnerable than ever. You feel responsible and, as the CISO, you are responsible for its security. Conducting a comprehensive, bona fide risk assessment can be an effective first step in building credibility with the executive team and board and, therefore, in building a business case for cybersecurity investments in your organization. In addition to conducting the risk assessment, you should:

  • Find a sponsor on the executive team to use as a sounding board on risk appetite, on the sufficiency and understandability of the supporting information, and on recommendations for mitigating risks.
  • Build a cross-functional team to help identify and respond to threats and vulnerabilities, including representatives from any function that has access to protected health information (PHI) or is involved in procedures for granting or terminating access to PHI.
  • Change the language you and your team use from “compliance and information security” to “patient safety and quality of care”; these words resonate more with CEOs and the other functional leaders you will want on your side.

In order to get the funds needed to shore up an information security program, CISOs need to develop a comprehensive and compelling business case for doing so. Consider the following steps:

  1. Conduct a comprehensive, bona fide risk analysis of all assets that create, receive, maintain or transmit ePHI.

Identify the media where the ePHI “lives” (for example laptops, desktops, servers, back-up tapes and flash drives), examine all the threats and vulnerabilities to those assets and their underlying media, and assess the ability of the controls in place to minimize exploitation. Detail the threats to that media: environmental threats such as hurricanes, structural threats such as power outages, accidental threats such as errant or misdirected emails, and intentional threats such as ransomware attacks. A bona fide, comprehensive risk analysis considers numerous “asset-threat-vulnerability” combinations.

  2. Rate each risk in terms of the likelihood of a compromise of the confidentiality, integrity or availability of the information.

Using a scale from 1 to 5 (5 being the highest likelihood), you can begin the risk-ranking process. There are a number of data sources you can use to assess the likelihood of a compromise:

  • Threats and Threat Sources
    • Data from the U.S. Department of Health and Human Services (HHS) breach portal, which lists all reported breaches affecting 500 or more individuals. Examine which threats exploited which vulnerabilities that may also exist in your own environment. As of June 23, 2016, 20 percent of the breaches of 500 records or more reported on the HHS website this year were attributed to hospitals, clinics and health systems. Thirty-seven percent of those breaches were due to hacking or IT incidents involving email (6), a network server (1) and desktop computers (3).
    • Information from other best practice websites and sources regarding emerging threats and vulnerabilities.
    • Security or privacy incidents that have been reported in your own organization may identify threats that have not yet been addressed.
  • Vulnerabilities—among many potential weaknesses in controls, consider:
    • Insufficiently documented and enforced policies and procedures
    • Lack of established practices for system back-up, workforce access management, and updating and patching
    • Undocumented or untested disaster recovery and business interruption plans
    • Limited or ineffective workforce training and security awareness programs
  • Controls
    • Typically categorized as administrative, physical and technical, control sets can be found in sources such as:
      • NIST SP 800-53
      • ISO 27001
      • CCS CSC (the Council on CyberSecurity Critical Security Controls, now maintained as the CIS Controls)

  3. Rate each risk in terms of the impact of a compromise of the confidentiality, integrity or availability of the information. Think of impact in terms of loss or harm.

There are basically two ways you can calculate the impact of a breach:
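Steps 1 to 3 together, as an added example that is not part of the article: a small risk register in Python that enumerates asset-threat-vulnerability combinations, keeps only those where a weakness found on the media can actually be exploited by the threat, scores likelihood on the article's 1-to-5 scale and impact on an assumed matching 1-to-5 scale, and ranks risks by their product. Every asset, threat, finding and score below is a constructed input for illustration, not assessment data from the article.

```python
"""Risk register built from asset-threat-vulnerability combinations.

Added example (not from the article). All assessment inputs below are
constructed for illustration; the impact scale is assumed to mirror the
article's 1-to-5 likelihood scale.
"""
from dataclasses import dataclass
from itertools import product

SCALE = range(1, 6)  # 1 = lowest, 5 = highest


@dataclass(frozen=True)
class Risk:
    asset: str          # media where ePHI lives
    threat: str
    vulnerability: str  # control weakness the threat can exploit
    cia: str            # property compromised: confidentiality / integrity / availability
    likelihood: int
    impact: int

    def __post_init__(self) -> None:
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"likelihood and impact must be in 1..5: {self}")

    @property
    def score(self) -> int:
        # Likelihood x impact is the usual risk-ranking product; 25 is the worst case.
        return self.likelihood * self.impact


# ---- constructed assessment data -------------------------------------------
ASSETS = ["laptop", "file server", "backup tapes"]

# threat -> the CIA property it most directly compromises
THREATS = {
    "hurricane": "availability",             # environmental
    "power outage": "availability",          # structural
    "misdirected email": "confidentiality",  # accidental
    "ransomware": "availability",            # intentional
    "lost or stolen device": "confidentiality",
}

# vulnerability -> threats able to exploit it; a weakness only becomes a risk
# when some threat can actually act on it
EXPLOITABLE_BY = {
    "no full-disk encryption": {"lost or stolen device"},
    "unpatched systems": {"ransomware"},
    "untested disaster recovery plan": {"hurricane", "power outage", "ransomware"},
    "no security awareness training": {"misdirected email", "ransomware"},
}

# asset -> vulnerabilities the assessment found present on that media
FINDINGS = {
    "laptop": {"no full-disk encryption", "no security awareness training", "unpatched systems"},
    "file server": {"unpatched systems", "untested disaster recovery plan"},
    "backup tapes": {"no full-disk encryption", "untested disaster recovery plan"},
}

# likelihood per threat (in practice informed by HHS breach data and your own
# incident history) and impact per asset (a proxy for the volume of ePHI held)
LIKELIHOOD = {"hurricane": 2, "power outage": 3, "misdirected email": 4,
              "ransomware": 4, "lost or stolen device": 3}
IMPACT = {"laptop": 3, "file server": 5, "backup tapes": 4}


def build_register() -> list[Risk]:
    """Enumerate every asset-threat-vulnerability combination that actually applies."""
    register = []
    for asset, threat, vuln in product(ASSETS, THREATS, EXPLOITABLE_BY):
        if vuln not in FINDINGS[asset] or threat not in EXPLOITABLE_BY[vuln]:
            continue  # weakness absent on this media, or not exploitable by this threat
        register.append(Risk(asset, threat, vuln, THREATS[threat],
                             LIKELIHOOD[threat], IMPACT[asset]))
    return register


def rank(register: list[Risk]) -> list[Risk]:
    """Highest score first; ties broken alphabetically so the order is stable."""
    return sorted(register, key=lambda r: (-r.score, r.asset, r.threat, r.vulnerability))


def totals_by_asset(register: list[Risk]) -> dict[str, int]:
    """Aggregate exposure per asset, the figure a business case puts beside each investment."""
    totals: dict[str, int] = {}
    for r in register:
        totals[r.asset] = totals.get(r.asset, 0) + r.score
    return dict(sorted(totals.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    reg = build_register()
    for r in rank(reg):
        print(f"{r.score:2d}  {r.asset:<12} {r.threat:<22} {r.vulnerability:<32} {r.cia}")
    print(totals_by_asset(reg))
```

The filter in `build_register` is the point of the exercise: a control weakness such as an untested disaster recovery plan is listed once, but it shows up as a separate risk for every media it affects and every threat that can exploit it, which is what gives the board a per-asset total rather than a flat list of findings.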