Six cybersecurity points Healthcare CIOs should explain to their boards

The confidence your board and other stakeholders have in your organization’s cybersecurity strategy can influence decisions about prioritization of budget, resources, and reputation for your team.

Given the ever-changing threat landscape and concerning news in healthcare recently, we can see it’s difficult to get cybersecurity strategy right. What we need to make our best attempt at defending our organizations isn’t easy to determine amongst experts, and it’s even more difficult to explain and agree on with non-experts.

So, where should you begin? What follows are points that offer insight into your strategy’s rationale and comprehensiveness to develop stakeholder confidence in the plans you and your team design and support. Start by ensuring your board and other stakeholders understand these points.

1.  Your cybersecurity strategy focuses on continuity of service for many threats to system availability including cyberattack.

Much of your cybersecurity agenda will include a strategy to defend your organization from a cyberattack. Of equal importance, is focus on continuity of service and recovery procedures should the dreaded ransomware attack scenario happen to your organization. Ensure the board’s confidence in your continuity strategy by explaining:

• Critical systems protecting continuity of patient safety, revenue cycle, and other key business processes are covered by thorough business continuity and contingency of operations plans that consider impact and criticality for resuming services.
• Employee training on backup procedures is documented, thorough and current in the event your organization must resort to them until services are restored due to cyberattack or other availability disruption.
  
  

2. Your cybersecurity strategy is designed and maintained based on your organization’s threat landscape.

It’s important to include your board in the ongoing development of your cybersecurity strategy. They should understand how it was specifically designed and witness how it is continually revised to align with a risk profile informed by your organization’s threat landscape, service mix, geography, financial position, business standing, reputation, etc. Ensure the board’s confidence in your strategy by explaining:

• What’s new and next for your cybersecurity strategy. Provide quarterly updates and biannual reviews on progress and tell them why you take actions you do — because a new threat or threat actor has been identified, because of lessons learned by another organization, or because your organization’s risk profile has changed (new services offered, acquisition, or modernization, etc.). Include details about active threats from specific threat assessments and what could result if the vulnerability isn’t addressed.
• How your strategy is assessed and challenged using tactics and rationale of malicious actors. Explain how threat assessment information is directly synchronized to network security configuration practices, updated authentication mechanisms and employee training that informs users of specific tactics being leveraged by healthcare ransomware hackers to subvert your organization’s defenses.
• Recent ransomware successes, highlighting the threat actor's ability to defeat legacy or outdated technology, processes and procedures and how the cybersecurity strategy evolves the defense posture reducing attack surface and creating a higher work factor for ransomware attacks.
  
  

3. The cybersecurity basics for our organization’s patients, providers, and employees are covered.

The basics are fundamental – not easy – but they are the cornerstone of a successful cybersecurity strategy. Ensure the board’s confidence in the basics by explaining:

• How your strategic plan is revisited, challenged, and updated regularly.
• The scope of the plan including:
  • How it addresses all varieties of known threats including general and specific cyber threats to your organization.
  • How transitions such as moving infrastructure to off premises are governed.
  • How regulatory and internal compliance are ensured.
• Circumstances that instigate changes to your plan and roadmap such as newly identified and advanced threats directly targeting the organization or operational requirement changes, etc.
• The measurable successes, known areas of improvement, and the progress you have made on them.
• Organizational processes that support or are informed by your cybersecurity strategic plan such as disaster recovery, lifecycle management, technology project implementation, training, etc.
• Governance practices, how effectiveness is measured, and how new or revised practices are developed.
  
  

4. Specific threat intelligence informs approaches for safeguarding the organization.

You understand healthcare and how your organization’s successes create increased cyber risk because:

• Reported or anticipated revenue makes organizations a lucrative hacking and ransomware target.
• A positive reputation in the community increases the negative impact intended by a breach and follow on ransomware attack.
• Innovation and modernization through adoption of new technologies increases the organization’s attack surface by opening up a new range of vulnerabilities.
• The information you protect is the most valuable information of all.

Ensure the board’s confidence in your level of threat intelligence by explaining:

• Your awareness of existing threats, the extent to which your organization could be targeted, and how you stay vigilant.
• The aggressive posture of your cybersecurity strategy and its ability to counter the sophisticated capabilities of malicious cyber actors.
• Your organization’s adaptive and active defenses for responding to current and emerging threats.
  
  

5. As our organization modernizes technology, we can rely on our established risk and vulnerability management capabilities.

You are aware of key points in a modernization effort that increases your cyber risk by way of involving new vendors, incorporating new devices, extending your existing infrastructure, and more. Ensure the board’s confidence in your vulnerability management strategy by explaining:

• Your internal processes reliably assess risk and identify gaps for your modernization and migration projects including artificial intelligence capabilities, third parties, regulatory requirements, and cloud environments.
• Your deployment efforts are coordinated with specific transition criteria and align with risk management framework that manages risk profile change for technology and its users.
• Your risk management framework evaluates best practices that increase both security and compliance for the modernization efforts at your organization.
  
  

6. Our organization has a solid approach to identifying and addressing evolving vulnerabilities.

Malicious actors will use the element of surprise to their advantage. If your organization is on constant watch for risky behaviors and removing the attacker's reconnaissance edge (ex: publicly accessible contact information for staff at your facility), you reduce the attack surface and risk of leaking credentials or making it easier to assume a legitimate person’s identity for malice at your organization. Addressing vulnerabilities can range from behavior training to programmatic preventions, and the threat landscape of today demands them all. Ensure the board’s confidence in your evolving threat and vulnerability identification methods by explaining:

• Your training program focuses on safe information security behaviors and knowledge testing practices occur regularly with follow up training and/or rewards depending on the user’s response to phishing tests, etc.
• Your IT team relies on trusted resources and regular training offered by a certified source to stay at heightened awareness of current and emerging threats.
• Your IT team has experience, access, and resources for challenging your current approach and modifying as vulnerabilities are identified.
• Your network monitoring tools are as sophisticated as the malicious actors and the tactics they use.
• Your organization does an annual specified threat assessment to identify the organization’s cybersecurity blind spots only seen by assessing external network boundary elements. Without this point of view, cyber defenders and decision makers are only seeing half of the defense picture.

The cybersecurity space is as complicated and dark as it is described. The malicious actors of today are determined and sophisticated. Staying a step ahead takes technical savvy and awareness of your organization’s specific risk factors. Malicious actors in healthcare have one goal in mind – to host a ransomware attack on an organization like yours. You need stakeholder confidence to ensure you have the resources required to sustain the cybersecurity approach that is best for your organization. The right insight, talking points, and awareness can help garner the support you need.

About CereCore

CereCore® provides IT services that make it easier for hospitals and healthcare systems to focus on supporting hospital operations and transforming healthcare through technology. We partner with clients to extend their team through comprehensive IT staffing and application support, technical professional and managed services, IT advisory services, and EHR consulting, because we know firsthand the power that integrated technology has on patient care and communities.