Most people and most organizations overestimate their cybersecurity readiness. That is natural. No one wants to admit they are not ready, right? While declining to admit publicly that you don’t truly know how ready you are may seem acceptable, internally it is not. No matter who your stakeholders are, be they customers, patients, staff, partners, shareholders, the bank, the community, etc., you can bet they expect that you not only know how ready you are to deal with cyber incidents, but that you continuously review your readiness posture. Why? It’s real simple. Because they are relying on you to be there when they need you. There is no rocket science here. It's a simple matter of trust. We all assume, no actually we expect, that our healthcare provider is “there” when we need them. So it is important that each and every provider, and the service organizations supporting those providers, take a look in the mirror and assess how they are doing from a cybersecurity perspective. This is true for providers and third parties of all sizes, as cyber criminals do not discriminate based on size or on whether an organization has the resources to defend itself.
The first step in understanding cyber-readiness is understanding one’s organization’s risk posture. More than 70 percent of healthcare organizations across the country have adopted the NIST Common Security Framework (CSF) to assist them in building and evaluating their cybersecurity programs. The CSF, like all other industry frameworks, references as one of its first requirements the completion of a thorough risk assessment. Even HIPAA got this one right by requiring an enterprise risk analysis as the first step towards compliance. A properly performed risk analysis not only identifies where we may have vulnerability, but it also helps inform our selection and provision of controls which are the building blocks of our program. Without a risk assessment we could potentially spend too much or too little on security and have gaps we’re not aware of. In my 40 years of involvement with information security, risk assessment has always been the first step to building appropriate protections for the network, systems and information.
The recent recommendation by the American Medical Association (AMA) to the Department of Health and Human Services (HHS) to do away with the risk assessment requirement for providers was received with astonishment. Could the AMA really be that clueless regarding the importance of determining risk to patient information and to the systems supporting healthcare operations in 2018? I think the term used most accurately to describe their recommendation was in fact “ridiculous.” No one is naïve to the fact that all of the regulatory compliance around HIPAA is a huge cost to small providers and difficult for many of them to manage. But let’s separate the need for compliance from the need for cybersecurity for a second. Small businesses are a far bigger target today for hackers than ever before, and any business, regardless of size, that is connected to the Internet is susceptible to all the same threats. You simply cannot ignore this threat and the risks it poses to the business, or in this case the practice, without consequence. So even if HIPAA didn’t exist, the AMA’s recommendations would be ill-advised. Businesses large and small need to know what risks they face, and conducting a proper risk assessment is how you accomplish that.
Next, we need to put this knowledge to work for the organization by addressing the gaps in controls and defenses that the risk analysis identified as relevant to the business. It’s true we can never really anticipate every situation or threat that is out there, especially the ones not known yet, but we can do a better job of what we call cyber hygiene: the practice of managing the enterprise more responsibly. That means employing best practice around how we build systems, configure systems, make changes, apply patches, control access, etc., and investing in the technology and services necessary to provide adequate protection for critical assets. Think in terms of people, information, technology and facilities. There is a new tool recently developed by the SEC and DHS that helps to express cyber risk in terms of impacts to the business. The Cybersecurity Resilience Review (CRR) takes the NIST CSF and redefines it in terms of risks to the business from cybersecurity incidents.