The rash of high-profile ransomware attacks in 2016 has moved cybersecurity up the list of top risk considerations for healthcare organizations. However, two areas often present stumbling blocks: lack of budget and the fact that an organization’s weakest IT security link is often its people.
As Will Durkee of Secure Halo discussed at the Maryland HIMSS Spring Educational Event: “Rapid Evolution of Cybersecurity in Health Care,” cybersecurity should be approached as an enterprise-wide issue. While it can’t be solved overnight, there are a couple of ways to begin to climb over the stumbling blocks.
Communicate that Cyber Risk is an Enterprise Risk: It cannot be reiterated enough – cybersecurity is not just an IT problem – and that’s why budget needs to be allocated not only for traditional tools and sensors, but for an enterprise-wide approach to security. The bottom line is that more than ever, organizations are connected digitally to their customers, suppliers, vendors and the public. That puts intellectual property, sensitive business information, operational dependencies, company reputation, and in the case of healthcare, customer/patient information at risk. Why? Because all of that data has a value to enterprising cyber criminals. The Ponemon Institute’s 2015 Cost of Data Breach study revealed that the healthcare industry has the highest cost per stolen record – at $363 – more than double that of other industry averages.
Such high stakes and determined adversaries demand an integrated approach involving business leaders from multiple departments. Yet in many organizations, corporate silos still exist. An IBM C-Suite survey reported that 60% of Chief Financial Officers (CFOs) and Chief Human Resources Officers (CHROs) “feel the least engaged in cybersecurity threat management activities, yet are the stewards of data most coveted by cybercriminals.”
When Secure Halo teams assess the cyber posture of companies, they look for evidence of cross-departmental collaboration. Ask these questions to gauge whether your organization considers cybersecurity an enterprise risk, and therefore is allocating appropriate budget to security:
- Is there a security governance program involving representatives from multiple departments?
- Have policies and processes been developed, enacted, communicated and measured – not just for the IT department, but for the whole organization’s approach to securing data?
- Does the organization have an incident response and crisis management plan to enact in the event of a breach? Are these plans periodically tested and reviewed?
Foster a Security Culture to Combat the “People Problem”: The evidence shows that people continue to be a weak link in protecting the security of information. Adversaries use increasingly sophisticated methods to trick employees into clicking on malware-infested emails or into fulfilling fraudulent requests to transfer funds; and disgruntled or malicious insiders may knowingly steal or sabotage assets or systems.
Secure Halo believes that the best defense is a proactive and holistic approach to cybersecurity that includes technology, processes, and people. While it’s impossible for every individual to stay on top of every threat, making cybersecurity awareness part of organizational culture can help reduce susceptibility to breaches. Here are three ways to get started immediately:
- Communicate the importance of cybersecurity from the top down. From the board of directors to the C-suite, to every level of the organization, each employee has a front-line responsibility. Their diligence protects the organization, its mission, and ultimately the livelihood of each individual on the team.
- Conduct effective cybersecurity training, either through interactive computer-based delivery or in a classroom setting. Consider spreading the training out through the year to reinforce security culture and stay on top of evolving threats. Test employee knowledge to identify gaps.
- Empower the HR department to implement programs that mitigate employee dissatisfaction. This lowers the risk of malicious insider threat.
There is a multitude of security basics, such as technical controls, data segmentation, strong passwords, and multi-factor authentication, that help keep organizations secure. The additional points described above can help start a conversation today about how to deepen cyber maturity and be more resilient tomorrow.