2017 is here, and, like any new year, promises both opportunities and challenges. The question is, what will we do with it? Will it be a year of great progress, one of marking time, or worse yet one of falling further behind? Meeting the cybersecurity challenges of the future is a job for leaders. There should be no doubt that healthcare institutions are under attack on a regular basis now from external threats, while continuing to face the insidious abuse of insiders. As the old saying goes, “they have it coming and going.” Yet many patient care organizations still do not have a well-defined cybersecurity strategy, dedicated resources, advanced technologies required to fight the threat, or budget adequately for security protections. Strategy, resources, budget are all the responsibility of leadership.
Just something as straightforward as conducting risk assessments demonstrates the lack of priority and responsibility that some institutions place on cybersecurity. They expect third parties that host their data or systems to have minimally a SOC-2 performed—an independent third-party assessment. They wouldn’t think of acquiring another entity without an independent audit performed by a credible certified third party. But many will question the value of a third-party security assessment even when they do not have the resources or expertise in-house to perform an assessment to save dollars. CISOs often report that they hear from their leadership the question, “Why do we need to do this when nothing has happened?”, which is ironic because we are in an industry that values health check-ups and insurance to hopefully avoid and manage the things that CAN happen, to include the higher cost of healthcare from not doing the right things. They also value seeing the right medical professional to diagnose the condition, as opposed to self-diagnosis. Leadership in healthcare needs to wake up - cyber events CAN and DO happen and the money spent in prevention (such as credible third-party assessments) CAN and DOES help avoid incidents and mitigate the impacts when and if they occur. What is interesting is that other sectors, with far more sophisticated security organizations and much further along in the cyber maturity, such as government, banking, energy, etc. are required to seek independent assessments because they value that objective third-party review.
If 2016 was any indication of what to expect, and many think it is only the precursor to more, then we can absolutely count on cyber incidents happening in our industry. Which means they are something that leadership needs to take seriously, plan for, and ensure their organization is ready to tackle. It’s the definition of what the legal field calls reasonable security. You know there is a credible threat, you know the impacts can be costly to the business, you therefore take responsible action to address. That manifests itself in four primary areas; strategy, resources, budget and governance. Like any other area of the business leadership must first assess the maturity and adequacy of its cybersecurity readiness and independent third-party assessment is an invaluable tool to assist them in doing that. That assessment needs to be performed against the right yardstick to ensure its value, and that yardstick today is not the HIPAA security rule. The HIPAA security rule does not represent a credible security standard or a reasonable approach to defining or building a comprehensive cybersecurity program. Developed in the late 1990s, it has failed to keep up with the changes in the environment, technology, threat or even current security protocols. Enlightened leadership recognizes that they need to assess their organization’s readiness using more comprehensive and up-to-date requirements. A growing majority of entities in healthcare use the NIST Cybersecurity Framework (CSF) for healthcare. The NIST CSF covers 98 subcategories of controls that should be evaluated to assess the overall readiness of the cybersecurity program appropriately. The HIPAA Security Rule by comparison only addresses 19 of those subcategories. The NIST CSF provides the thorough review that contemporary organizations need to understand how resilient their enterprises are to cyber incidents while addressing compliance mandates as well.
2017 also ushers in new leadership at the government level, and it will be interesting to see how they view cybersecurity readiness as a priority. Presidential Policy Directive (PPD) 21 re-identified 16 sectors as part of our national critical infrastructure. I say re-identified, because we, as a nation, have always had as a priority the protection of those critical areas necessary to maintaining our country and caring for our citizens. Healthcare has always been one of those critical infrastructures. Last year Executive Order – Promoting Private Sector Cybersecurity Information Sharing was issued to promote the sharing of cybersecurity threat information between public and private sector groups to increase awareness and enhance readiness. However, 12 months later we still do not have a comprehensive solution for collecting, analyzing and disseminating cyber threat information to healthcare entities. How will General Mike Flynn, newly appointed National Security Advisor; General John Kelly, newly appointed Homeland Security; and Congressman Tom Price, newly appointed Health & Human Services, view protecting the healthcare sector and patient information?
One thing seems certain, according to just about every security expert interviewed and those companies publishing research studies that next year is going to see more cyber events. And there is a growing concern that institutions have just as much to worry about with indirect attacks as they do deliberate attacks. The Dyn DDOS event was a great demonstration of this point. Many healthcare organizations lost access to their hosted EHR, their web presence and other web based applications even though they were not the intended target. The threat is real and continues to expand to all things connected. In order for healthcare organizations to be ready leadership needs to ask five questions:
1. Do we have a comprehensive cybersecurity strategy based on an adequate security framework?
2. Do we have enough and the right resources, internal and/or external, to adequately address cybersecurity?
3. Are we spending enough to create the proper balance between security and operations?
4. Are we assessing our program thoroughly, appropriately and objectively?
5. Does our security readiness meet the litmus test for reasonableness?
Determining the answers to those questions, and addressing the issues they bring up, will be tremendously important, as the threats to patient care organizations inevitably continue to accelerate this year.
Mac McMillan is founder and CEO of the Austin, Tex.-based CynergisTek consulting firm.