What healthcare CSOs should learn from the Department of Defense

There are tremendous challenges in protecting our Healthcare networks while racing to rapidly innovate and digitize patient care.

This industry is an attractive and often easy target for malicious attackers: healthcare security teams are tasked with protecting sprawling (and often outdated) legacy systems, and Protected Health Information (PHI) is rich in data of great value.

It’s not as if the healthcare sector or regulating bodies are standing still against the threat. Healthcare, more so than any other industry, has undergone rapid advances in compliance and privacy requirements, ranging from HIPAA to a variety of state-level and interdepartmental initiatives. But at a technical level, few specific healthcare guidelines for training and readiness exist beyond compliance checklists.

In the same manner that the most advanced medical treatments require dedicated and thoroughly trained professionals to diagnose, implement and navigate care with human patients, so does cybersecurity. Industry analysts such as Gartner agree and advocate moving toward “people-centric security”. This approach lessens an organization’s reliance on a massive stack of tools and a compliance checkbox mentality in favor of a more powerful human element in fending off attacks and reducing security errors.

In my work with the Department of Defense and Military cyber defense teams, I’ve found this approach to be the most successful as well. Healthcare CISOs and CSOs can follow in the government’s footsteps by using these best practices:

Identify cyber relevant key terrain

To be successful in this minefield of vulnerabilities, healthcare executives need to make the key policy choices. It’s all about risk – identifying it, understanding it, and managing the cyber risk to each area of health operations (e.g., essential medicines, primary care delivery, health insurance), and then training the cyber defense team to mitigate risk for each. You can’t just turn the computers off and shut your door, nor can you defend everything in your enterprise in a uniform way. By knowing the cyber relevant key terrain, the CISO can balance the needs of the operations appropriately with the risk and reduce the attack area.

Train and operate as TEAMS

We can’t just have individuals, no matter how skilled they are, looking at data and responding to events successfully any more than we can put a group of individuals on a soccer field and tell them to “just win”. The team approach to cyber readiness requires definitive team roles, tactics, techniques, and procedures, as well as consistent training in order to execute. Traditional training methods are often static and focus on individual learning versus immersive, agile, team-based development, all factors that lead to higher retention and a better prepared workforce. Soccer teams train on the field, honing skills and executing strategy, and cyber teams should train the same way. Engaging in team-based “war gaming” in virtual environments that replicate the unique systems and complexities of an organization will enable them to better understand the adversary and risk in the context of their own businesses.

Practice in real-world scenarios

If there is anything the emerging cyber threats have taught us, it is that the traditional static, instructor-led training model can no longer keep pace. It is crucial for CSOs to take cybersecurity training out of the classroom and into an immersive, interactive real-world environment so that the security teams can see what the threat actor looks like and safely develop responses. This active-learning approach significantly improves knowledge retention. There are two groups of activities I found successful with the Department of Defense that healthcare companies should consider implementing: focused skills training and hands-on exercises with real-world threats. This approach reduces the shortage of skilled security staff and improves the agility of current staff in their job of countering threat actors.

Cybersecurity defense, like any other skill, requires repetitive practice. Conducting exercises on specific tactics on a frequent basis helps your cybersecurity staff remain proficient. Providing repeated examples on a realistic healthcare network demonstrating a threat gaining access, laterally moving, escalating privileges, exfiltrating data or beaconing out is an invaluable, applied method of training.

Conducting hands-on exercises that allow your cybersecurity team to practice defending networks using real-world tools and tactics is essential too. These activities provide organizations with a better understanding of how prepared their cyber pros are and help them identify skills gaps in any areas, allowing them to more effectively direct future training. For example, the team may be skilled at identifying a ransomware attack that wants to hold its systems hostage, but only have a general understanding of the incident response plan because it is not performed for this type of threat. Actively practicing against key threats ensures that your team is fully prepared and confident in responding to an incident.

The bottom line

My years in the trenches assessing and training cybersecurity professionals taught me to start with identifying key assets throughout the business, then define the needed skill sets and build a team of solid staff to ensure that no gaps exist. A gamified, virtualized world helps the cybersecurity pros stay ahead of emerging threats, while maintaining existing skills.

The healthcare industry remains a top – and rich – target for attackers with both financial and more malicious objectives. To avoid becoming the latest victim, CSOs need to shift the paradigm of cybersecurity training and amplify their human cybersecurity defenses through training with the same urgency they are deploying and integrating future technologies.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2018.