Cyberattacks are on the rise. Several prominent data breaches and ransomware attacks have healthcare cybersecurity leaders and boards hypervigilant about the risk of sensitive data falling into the wrong hands.
During a webinar held in January that was hosted by Becker's Hospital Review and sponsored by Telos, four chief information security officers (CISOs) discussed the current cyberthreat environment and how they keep peers and board members informed about risks and solutions.
Panelists were:
- Nathan Lesser, CISO for Children's National (Washington, D.C.)
- Patrick Angel, interim CISO at Cleveland Clinic Foundation
- Rick Tracy, chief security officer for Telos
- Steven Ramirez, CISO for UofL Health (Louisville, Ky.)
Five key learnings were:
- Healthcare leaders are on high alert about heightened risk of cyberattacks. High-profile attacks over the last few years have led healthcare executives to pay close attention to cyberrisks. It's not just the financial costs of an attack that are getting the attention of executives and board members; it's the regulatory climate where there is talk about going after officers at organizations that are attacked. "Not only are they [directors and executives] scared; they're asking what can we do to better protect ourselves, our organization and our brand," Mr. Ramirez said.
- Be transparent with the board. Cybersecurity is expensive, which makes it important to educate the board on how and why money is being spent as it is. While board members may have different levels of desire for deep technical and cybersecurity information, "don't try and dumb it down," Mr. Lesser said. "Try to provide as much information in clear and concise ways as possible."
- New technology has introduced additional risks. Cloud infrastructure has become ubiquitous in many industries because it's extremely cost-effective, though the cloud comes with risks because it allows massive amounts of data to live in someone else's environment. Healthcare organizations that use the cloud are exposed to these risks, but healthcare is particularly vulnerable for additional reasons including massive amounts of data, multiple vendors, medical devices and use of the Internet of Things (IoT). Improving security, Mr. Lesser said, means making sure the tool set used in an organization is as small as possible.
- Basic data hygiene is a must. Remember the Equifax data breach? Their stored data wasn't encrypted. That simple step may have prevented the attack from becoming such a mess that affected millions of Americans, with significant costs to the company and its brand. "If they had done that one thing, they could have prevented massive trauma to the organization," Mr. Angel said. Other key attributes of good data hygiene are ongoing penetration testing, organizational security awareness training and system inventory, Mr. Angel said.
- Healthcare-specific security solutions can help mitigate risk. Telos, for example, has deep experience with multiple major cloud providers. "It's really hard as organizations move their businesses to the cloud to keep track of where things are, how they're configured, how they're vulnerable," Mr. Tracy said. Solutions like Telos' Xacta offer cyberrisk management to help reduce risk and meet complex compliance requirements.
Xacta by Telos – A Cybersecurity Management Platform for Hospitals
Hospital CISOs want to use the cybersecurity frameworks from NIST (National Institute of Standards and Technology) as the foundation of their cybersecurity strategy. But there are over 1000 NIST controls and the process can take months or even years to implement.
The Xacta software platform by Telos provides a proven and tested out of the box cybersecurity strategy that can be implemented in weeks. Plus, you can use Xacta to monitor your IT systems relative to the cybersecurity controls you are complying with and produce management reports and metrics. It’s automated, continuous, and real-time.
According to Rick Tracy, co-inventor of Xacta and the Chief Security Officer of Telos, “Xacta created a new category in cybersecurity when it was launched in 2000 and it continues to lead the industry.”
Telos has since enhanced Xacta to support in-house, cloud based, and hybrid systems. For example, you can utilize Xacta’s continuous controls inheritance feature so that your cloud workloads can inherit the regulatory status from the cloud environment they’re hosted on. You can also integrate multiple cybersecurity frameworks into a common system and cut down the validation efforts in doing so through Xacta’s Predictive Mapping technology. These features and the multitude of other automation capabilities in Xacta collapse the level of effort involved in executing, gathering and reporting on compliance by up to 90 percent.
Rick Tracy added, “Xacta combines the best cybersecurity frameworks in the industry with automation, monitoring, and visualization tools to take your cybersecurity operations to the next level and dramatically improve your cyber hygiene.”
Cybersecurity will continue to be a top priority among healthcare leaders and in board rooms. That's because healthcare is at increased risk for cyberattack since healthcare data is so valuable to hackers. Organizations will need to follow best practices, invest in security solutions and keep senior executives and board members informed about resource planning, budgeting, solutions, compliance and risk mitigation.
To register for upcoming webinars, click here.
