Why healthcare organizations must go beyond standards compliance, to managing security risks

This alphabet soup isn’t good for a cold — in fact, it’s more likely to send you to bed with a headache. OCR, HIPAA, HITRUST, NIST, GDPR, DEA EPCS . . . and that’s just for starters.

The U.S. healthcare environment is a high-pressure, life-impacting industry made even more complicated by a head-spinning assortment of regulatory requirements. Many of the most challenging mandates are focused on securing critical data and systems throughout the care continuum against cyber threats associated with insufficient controls, employee risks, and negligence.

And yet, high-profile breaches have shown that simply meeting compliance requirements is not sufficient to safeguard a healthcare organization. Every organization in any industry faces significant risk to brand, financials and even viability from a major breach. Healthcare carries the additional threat of discontinuity of patient care, which can cost lives and has. For these reasons, it is essential to structure the cybersecurity program to proactively manage cybersecurity risk; by managing risk comprehensively, organizations meet compliance requirements and improve their overall security posture in parallel.

As it should be, healthcare organizations' number one priority is patient care. In the effort to continually reach higher levels of diagnostic accuracy, information sharing across practitioners and facilities, patient communication, and internal operational efficiency, technology has advanced dramatically, creating better outcomes for patients. It has also produced growing volumes of digital data, more connected clinical and medical devices, and greater IT complexity, expanding the attack surface. While these advances are very positive news for the quality of care, healthcare organizations often lack the internal cybersecurity talent to evolve their security programs in step with their technology.

To better manage cybersecurity risk, there are key questions we pose to healthcare organizations, or suggest they ask themselves, to help bring their programs to a higher maturity level and manage risk beyond compliance. These questions include:

• Do you know what information assets you have, where they’re located and the criticality of each? Are they protected according to your business objectives?
Effective information security is founded on a clear definition and understanding of the business value and sensitivity of an organization's information assets, where they are located, and the pathways over which they are transmitted and processed. With this mapped out, you can apply a level of protection that matches the needs of each asset rather than applying the same controls everywhere. In healthcare the inventory must include connected medical devices and the clinical systems that hold protected health information, which IT-centric asset tracking often misses. Asset inventory, valuation, and classification together form a key foundation of an effective security program, and they align with the major industry standards and frameworks (e.g., ISO/IEC 27001, HITRUST CSF, NIST Cybersecurity Framework).

• Are your business associates providing proof of compliance and security for protecting your critical information? How are you managing assessment and oversight of third-party vendors?
Proof of compliance is not proof of effective security. We have recently seen organizations that met their compliance obligations and still suffered security breaches. While regulatory compliance (e.g., HIPAA) and certifications such as HITRUST are very important, it is equally important to ask your business associates for proof of effective security. Both objectives are met through the combination of an annual compliance attestation from an independent third party and an effective third-party security risk assessment. When reviewing an attestation, confirm that its scope actually covers the systems, locations and subcontractors that handle your data, and read the noted exceptions; a clean report on an out-of-scope environment proves nothing about the protection of your information. We recommend obtaining tangible proof of these forms of security rigor.

• How confident are you that your organization can continue to operate while under cyber-attack? What is your disaster recovery plan? Do you test your incident response plan regularly?
Organizations often address incident response and disaster recovery in terms of specific events or scenarios and how they will respond to each, should it occur. The problem with this approach is that when an organization encounters an event that does not fit one of the pre-conceived scenarios, there is no plan, and a "best efforts" response with whatever happens to be available after the disruption becomes the only choice. A more effective approach is to address incident response and disaster recovery in terms of keeping available the people, business processes, technology assets, equipment, and third-party services that are essential for the organization to operate. Regardless of the event, these are the resources needed to continue business, so the organization can test its incident response and disaster recovery plans against as many scenarios as possible (e.g., cyber-attack, terrorism, third-party service failure, pandemic), expressing each scenario as the set of resources it takes away, and can close the gaps and weaknesses it detects over time. This sets a path toward business resilience.
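The resource-centric approach above can be made concrete as a small model: each process is mapped to the resources it depends on (with any fallbacks), each scenario is expressed only as the set of resources it removes, and the same check runs unchanged for every scenario. The following is an added illustration, not code from the article or from Coalfire; the process names, resources, fallbacks and scenarios are constructed sample data, and the `close_gap` step shows the "close detected gaps over time" loop by adding one fallback and re-running the analysis.

```python
"""Resource-centric resilience check: which business processes survive a given
disruption, and which resources are single points of failure.

Added illustration, not code from the article or from Coalfire. The process
names, resources, fallbacks and scenarios below are constructed sample data.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Dependency:
    """One resource a process needs, with optional fallbacks that can stand in for it."""
    resource: str
    fallbacks: tuple[str, ...] = ()

    def satisfied(self, unavailable: set[str]) -> bool:
        # The dependency holds if the primary resource or any fallback is still available.
        if self.resource not in unavailable:
            return True
        return any(f not in unavailable for f in self.fallbacks)


Processes = dict[str, tuple[Dependency, ...]]

# Constructed sample: what each process needs to run (people, technology, third parties).
PROCESSES: Processes = {
    "patient registration": (
        Dependency("EHR", ("downtime paper forms",)),
        Dependency("registration staff", ("float pool staff",)),
        Dependency("hospital network", ("downtime paper forms",)),
    ),
    "medication dispensing": (
        Dependency("pharmacy system", ("manual dispensing protocol",)),
        Dependency("pharmacists"),
        Dependency("hospital network", ("manual dispensing protocol",)),
    ),
    "lab results reporting": (
        Dependency("LIS"),
        Dependency("lab staff", ("float pool staff",)),
        Dependency("interface engine", ("phone call-back",)),
    ),
}

# Constructed scenarios, each expressed only as the set of resources it takes away.
SCENARIOS: dict[str, set[str]] = {
    "ransomware": {"EHR", "hospital network", "pharmacy system", "LIS", "interface engine"},
    "pandemic staffing shortage": {"registration staff", "float pool staff", "pharmacists", "lab staff"},
    "interface engine outage": {"interface engine"},
}


def impacted_processes(processes: Processes, unavailable: set[str]) -> set[str]:
    """Processes that cannot run because at least one dependency has no available resource."""
    return {
        name for name, deps in processes.items()
        if not all(d.satisfied(unavailable) for d in deps)
    }


def all_resources(processes: Processes) -> set[str]:
    return {r for deps in processes.values() for d in deps for r in (d.resource, *d.fallbacks)}


def single_points_of_failure(processes: Processes) -> set[str]:
    """Resources whose loss on its own stops at least one process."""
    return {r for r in all_resources(processes) if impacted_processes(processes, {r})}


def gap_report(processes: Processes, scenarios: dict[str, set[str]]) -> dict[str, set[str]]:
    """Impacted processes per scenario; an empty set means every process survives that event."""
    return {name: impacted_processes(processes, lost) for name, lost in scenarios.items()}


def close_gap(processes: Processes, resource: str, fallback: str) -> Processes:
    """Return a copy of the map in which every dependency on `resource` gains `fallback`."""
    return {
        name: tuple(
            replace(d, fallbacks=d.fallbacks + (fallback,)) if d.resource == resource else d
            for d in deps
        )
        for name, deps in processes.items()
    }


if __name__ == "__main__":
    for scenario, impacted in gap_report(PROCESSES, SCENARIOS).items():
        print(f"{scenario}: {sorted(impacted) or 'all processes continue'}")
    print("single points of failure:", sorted(single_points_of_failure(PROCESSES)))
    # Close one detected gap (a manual phone-out path for lab results) and re-run the check.
    hardened = close_gap(PROCESSES, "LIS", "manual result phone-out")
    print("ransomware after fix:", sorted(impacted_processes(hardened, SCENARIOS["ransomware"])))
```

The point of the structure is that adding a new scenario costs one line (the set of resources it removes) and reuses the existing dependency map, while `single_points_of_failure` surfaces gaps before any scenario is written for them. In a real program the dependency map would be populated from the asset inventory and business impact analysis rather than typed in by hand.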

• Is your organization participating in the data security, breach and threat intelligence information sharing programs offered by HITRUST and NH-ISAC (now H-ISAC)? Do you know how to apply that intelligence to your organization's risk mitigation efforts and security needs?
Knowledge is power, and the threat landscape changes continually with technological innovation and the consequent changes in organizational processes and human behavior. We therefore highly recommend that your organization participate in the information sharing programs offered by HITRUST and NH-ISAC. There is a lot to gain from shared intelligence, which helps advance your organization's security goals and objectives. If your security program is mature and well aligned with strategic business objectives, then learnings from these programs can be integrated into it directly. The primary objective of a security program is to protect information assets from unauthorized access, misuse or compromise, so applying shared intelligence should support, not hinder, that objective. If your security program is weak, however, it is strategically more important to mature its fundamental components first, and then apply learnings and enhancements incrementally, so that the primary objectives of the program are not compromised.

• Is your organization performing regular penetration testing, scanning, social engineering, enhanced monitoring and other best-practice testing activities that should be a part of a proactive cyber risk program?
Regular penetration testing, vulnerability scanning, social engineering exercises, enhanced monitoring and similar best-practice testing activities are important for your organization, not only for compliance purposes but for longer-term security resilience. Their value depends on what happens afterwards: findings should be tracked to remediation, retested, and fed back into the risk register rather than filed with the report. Technical testing alone is not sufficient for effective security in any organization, but it is an important part of a holistic approach to security management that incorporates the relevant people, process and technology components. These elements together, with embedded governance, should be the goal for every organization pursuing effective security management.

Clearly, there are countless critical details to assess, monitor, fix, and report. Addressing all of them properly requires significant investment in time, talent, and budget. Hospitals are already under pressure on all three fronts and cannot afford steep learning curves and inexpert processes. Getting outside help for specific projects such as PCI and GDPR compliance, workforce security training, medical device and IoT security, and incident response planning ensures that emerging threats and requirements are managed in accordance with the latest intelligence and best practices.

It is never a good idea to wait for an incident to happen. Data breaches, enforcement actions, and lawsuits waste resources, harm public trust, and tarnish reputations, in addition to risking discontinuity of care for patients. Healthcare organizations should review their security posture beyond compliance alone and, if needed, not hesitate to seek the expert skills they need to sustain operations, protect patient data, and get the most out of their investments.

By Michael Addo-Yobo, Managing Principal, Cyber Risk Advisory, Coalfire

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.
