The health sector’s cybersecurity focus has shifted to operational resiliency rather than “protecting everything on the network,” the chief security officer of Health-ISAC said.
Link to full article at SC Media Magazine:
For the last year, patient safety has become the focus of cybersecurity conversations in the healthcare sector, signaling a shift to creating a more resilient infrastructure. But the question remains: how can invested stakeholders effectively support struggling entities with prioritizing security to reduce impacts on patient care and morbidity?
Despite strong progress in strengthening communication between chief information security officers (CISOs) and executive leadership, the challenge remains in “overcoming the bubble,” explained Carter Groome, CEO of First Health Advisory.
The reality is that an estimated 80% of providers have the appetite, but not the budget tolerance to fully tackle what’s needed to generate the shift into more patient safety-focused measures, explained Groome.
In fact, those entities have the budget to pick one or two items to accomplish within a fiscal year. That means to actually shift into a cybersecurity strategy focused on patient safety, entities need to understand how to prioritize projects.
For Groome, entities facing similar constraints must focus on the elements that will “create the biggest impact in reducing risk to the financials, to the reputation, and to patient safety.”
“Today, within the health sector, it’s really around operational resilience,” said Errol Weiss, chief security officer of H-ISAC. “Ten years ago, it was about protecting everything on the network.”
Healthcare security leaders worked to put up firewalls, block everything, and protect all the data, he explained. But in the last two years, the mindset has shifted to the concept of “operational resilience.”
It’s an understanding that an entity will be breached or there will be an incident. Rather than trying to prevent every intrusion, providers are focusing on limiting the time it takes to respond and recover, and on mitigating the threat to bring operations back online.
“The bad news is that the threat landscape is just getting worse,” said Weiss. It’s difficult to keep pace with cybercriminals who are motivated financially or for nation-state reasons. Combined with the continued risk posed by third parties, the threats are worsening.
Generating momentum around patient safety
The good news is that many healthcare leaders are having these critical conversations, readily communicating needs through the patient safety lens. Weiss noted that similar conversations are being held among H-ISAC members, and that cybersecurity budgets are rising.
However, the industry is still woefully behind where it should be, Weiss explained. “But at least they’re moving in the right direction.”
All in all, from a security posture perspective, he added that healthcare leaders are trying to minimize the impact to patient care during cyber incidents.
The result is an ability to present to leadership that “it’s not about immutable backups and indicators of compromise or zero trust — it’s about patient safety,” explained Groome.
Security professionals are working to determine the threats related to the potential loss of human life, whether from connected devices, cybersecurity threats, third-party management, or the like, explained Michael Parisi, vice president of adoption for HITRUST.
What’s needed is to educate hospitals, health systems, and even payers on the concept of seamlessness, which means you’re inheriting the compliance and security program aspects while making them more seamless for your users, he added. The measures should allow clinicians more time to focus on delivering care.
Providers need to focus on seamlessness, Parisi noted. Rather than educating providers on needed security steps, let the clinicians focus on care and implement solutions that will enable the needed protection without creating roadblocks for providers in delivering needed care.
“You don’t need to recreate the wheel and spend all this time and effort trying to build it yourself,” said Parisi. “Use what’s already out there.”
From a business continuity standpoint, bringing in clinicians as part of the process can support the needed culture shift in enterprise buy-in for cybersecurity measures. Because clinicians already view patient safety as their prime focus, demonstrating that cybersecurity is a risk to those efforts is key.
“It’s critical. We don’t want to take their time away from delivering care, but we need their input to identify the potential areas of impact because we don’t know,” said Parisi. “If there is an issue, it impacts patient safety, and we are in the business of patient safety. You have to… embed it as part of your culture.”
“It’s one of the easiest things to do from a movement standpoint, but it’s getting people to listen that’s the hardest,” he added.
Communication between security leaders, boards
At the same time, security leaders must educate leadership on the playbooks and the steps needed to make change happen, including deciding whether you’re going to pay a ransom. Groome stressed that if these decisions are made after the fact, it will cause “critical delay in getting the systems back up,” and that’s an impact on patient safety and care morbidity.
“The bigger challenge is morbidity,” said Groome. “When you have disruption of operations, the care given is delayed, or it’s less efficient and outcomes are affected. It’s affecting thousands of people on breach, ransomware, and third-party risk events. But it’s not quantified.”
There are sentinel events out there that security leaders can already point to during these conversations, when working to secure investments for security, he explained.
Previous discussions and research have allowed for some objectivity about the morbidity risks brought on by cyberattacks, which has allowed security leaders and the industry as a whole to say “this is a real risk to patient safety,” he added. It’s about understanding the organization’s appetite, budget, tolerance, and “where they want to be in terms of reducing risk.”
Patient safety conversations include risks to the balance sheet, other financial risks, front- and back-end risk management, compliance, and validation, while bringing those elements together to prepare “for a bad day,” Groome continued. Examining free resources like the 405d from the Department of Health and Human Services can jumpstart those decisions.
Some recommendations include two-factor or multi-factor authentication where possible and strengthened endpoint and email protections, chosen through a lens of what’s most important and “what’s going to create the biggest reduction in risk for preventing that bad day, while simultaneously preparing for that bad day,” Groome explained.