Most people and most organizations overestimate their cybersecurity readiness. It’s natural to do. No one wants to admit that they are not ready, right? Declining to admit publicly that you don’t truly know how ready you are may seem acceptable, but internally it is not. No matter who your stakeholders are, be they customers, patients, staff, partners, shareholders, the bank, the community, etc., you can bet they expect that you not only know how ready you are to deal with cyber incidents, but that you continuously review your readiness posture. Why? It’s real simple: because they are relying on you to be there when they need you. There is no rocket science here. It's a simple matter of trust. We all assume, no, actually we expect, that our healthcare provider is “there” when we need them. So it is important that each and every provider, and the service organizations supporting those providers, take a look in the mirror and assess how they are doing from a cybersecurity perspective. This is true for providers and third parties of all sizes, as cyber criminals do not discriminate based on size or on whether an organization has the resources to defend itself.
The first step in understanding cyber-readiness is understanding one’s organization’s risk posture. More than 70 percent of healthcare organizations across the country have adopted the NIST Common Security Framework (CSF) to assist them in building and evaluating their cybersecurity programs. The CSF, like all other industry frameworks, lists as one of its first requirements the completion of a thorough risk assessment. Even HIPAA got this one right by requiring an enterprise risk analysis as the first step toward compliance. A properly performed risk analysis not only identifies where we may have vulnerabilities, but also informs our selection and provision of controls, which are the building blocks of our program. Without a risk assessment we could spend too much or too little on security and have gaps we’re not aware of. In my 40 years of involvement with information security, risk assessment has always been the first step to building appropriate protections for the network, systems and information.
The recent recommendation by the American Medical Association (AMA) to the Department of Health and Human Services (HHS) to do away with the risk assessment requirement for providers was received with astonishment. Could the AMA really be that clueless regarding the importance of determining risk to patient information and to the systems supporting healthcare operations in 2018? I think the term used most accurately to describe their recommendation was, in fact, “ridiculous.” No one is naïve to the fact that all of the regulatory compliance around HIPAA is a huge cost to small providers and difficult for many of them to manage. But let’s separate the need for compliance from the need for cybersecurity for a second. Small businesses are a far bigger target for hackers today than ever before, and any business, regardless of size, that is connected to the Internet is susceptible to all the same threats. You simply cannot ignore this threat and the risks it poses to the business, or in this case the practice, without consequence. So even if HIPAA didn’t exist, the AMA’s recommendations would be ill-advised. Businesses large and small need to know what risks they face, and conducting a proper risk assessment is how you accomplish that.
Next, we need to put this knowledge to work for the organization by addressing the gaps in controls and defenses that the risk analysis identified as relevant to the business. It’s true we can never anticipate every situation or threat that is out there, especially the ones not known yet, but we can do a better job of what we call cyber hygiene: managing the enterprise more responsibly, employing best practice in how we build systems, configure systems, make changes, apply patches, control access, etc., and investing in the technology and services necessary to provide adequate protection for critical assets. Think in terms of people, information, technology and facilities. There is a new tool recently developed by the SEC and DHS that helps to express cyber risk in terms of impacts to the business. The Cybersecurity Resilience Review (CRR) takes the NIST CSF and redefines it in terms of risks to the business from cybersecurity incidents.
Finally, understanding and improving readiness is embodied in rapid incident response. When incidents occur, and they will, the biggest enemies an organization has are the time it takes to identify, react and respond, and a lack of organization. Effective response does not happen without resources, detailed planning, exercise and discipline. When a cyber event happens, an organization’s detection capabilities are what provide early alert, hopefully reducing the time the attacker has to do harm or the malware has to spread, but it's the organization’s ability to react quickly that allows it to identify, isolate and stop the attack, and then begin the process of recovery. It's the incident response planning that permits this: the scripting of run books, the up-to-date inventories of assets, the backups of systems and data, the documented roles and responsibilities that are practiced and understood, and the organization’s resolve to act swiftly. Incident response needs to be thought through carefully, documented and practiced over and over again for this to be possible. This too is a part of today’s digitized, automated and hyperconnected business environment. There is an old saying, “those that fail to plan, plan to fail,” but planning alone is not adequate when dealing with cyber events. The saying needs to be amended: “those who fail to commit, fail to plan, fail to practice… will fail.” When this happens, confidence in the business is shaken and the person we least want to let down, the patient, could be affected.
Understanding readiness for cyber events is a critical business requirement for all organizations regardless of size. Performing risk assessments, implementing controls and proper protections, and having a solid, well-planned and practiced incident response capability are critical twenty-first-century business requirements for anyone whose business relies on data and information systems. And whether you are a group practice or a large health system, knowing your cybersecurity resilience is important.
Mac McMillan is founder and CEO of the Austin, Texas-based CynergisTek consulting firm.