Developing a Focused Defense to Cybersecurity Threats in Healthcare


He who defends everything defends nothing. – Frederick the Great

Every organization faces the same challenge regarding cybersecurity: how to best use a limited pool of resources to defend against unlimited threats. Take your pick of potential foes, from professional criminals and hostile nations to disgruntled insiders. In healthcare, these threats go beyond the IT department and even the bottom line. They can have a direct impact on human lives.


Some organizations have defaulted to a reactive security strategy (aka whack-a-mole) that addresses individual threats once they materialize. Others have attempted a so-called aggressive strategy (aka shotgun approach) that seeks to defend against all possible threats all the time.

Unfortunately, neither approach concentrates time and resources on the most common and dangerous threats to cybersecurity in healthcare. As with any type of security, organizations should focus on the issues that are both likely to materialize and likely to have significant consequences if they do.

What, then, are the most important areas of cybersecurity in healthcare? As with any complex issue, the answer is: It depends. Rather than pursuing a prescribed set of solutions, we recommend adopting four core principles:

Focus on risk-based security: Move away from reactionary or compliance-driven decision-making. Instead, use risk analysis to prioritize and inform your decisions. Develop a formal program of controls based on the specific risks and challenges your organization faces. Keep in mind that this proactive approach is what most laws require anyway. HIPAA, for example, requires organizations to perform a risk assessment to determine which controls are reasonable and appropriate in their particular case. (See the HealthGuard Decision Risk Model at the end of this article.)

Lose the risk ratings and adopt a quantitative, multidimensional model of risk: We recommend expressing risk in terms of these four dimensions:

  • Technology: IT security process capabilities and resiliency of IT systems and networks
  • Privacy: Potential loss associated with PHI, PII, and PCI
  • Financial: Potential financial loss
  • Human: Impact on patient care and employee safety
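One way to make the four-dimensional model concrete is shown below. This is an added example, not code from the article or from HealthGuard; the likelihood figures, the unit chosen for each dimension and the sample scenarios are all assumptions constructed for illustration.

```python
from dataclasses import dataclass

# The four dimensions named in the article; each keeps its own unit so that
# a patient-safety impact is never silently converted into dollars.
DIMENSIONS = ("technology", "privacy", "financial", "human")

@dataclass(frozen=True)
class Scenario:
    name: str
    annual_likelihood: float       # assumed probability of occurring in a year
    impact: dict                   # loss per occurrence, one entry per dimension

def expected_loss(s: Scenario) -> dict:
    """Expected annual loss per dimension: likelihood x impact, units kept apart."""
    return {d: s.annual_likelihood * s.impact[d] for d in DIMENSIONS}

def rank_by_dimension(scenarios, dimension):
    """Scenarios ordered from largest to smallest expected loss in one dimension."""
    return sorted(scenarios, key=lambda s: expected_loss(s)[dimension], reverse=True)

def focus_set(scenarios, top_n=1):
    """Names of scenarios that lead any dimension; these get defensive effort first."""
    leaders = set()
    for d in DIMENSIONS:
        leaders.update(s.name for s in rank_by_dimension(scenarios, d)[:top_n])
    return leaders

# Constructed sample scenarios with assumed figures, chosen only to illustrate
# the method. Units: technology = hours of clinical-system downtime,
# privacy = records exposed, financial = dollars, human = patient-care hours lost.
SCENARIOS = [
    Scenario("ransomware on EHR", 0.3,
             {"technology": 72, "privacy": 50_000, "financial": 2_000_000, "human": 120}),
    Scenario("lost unencrypted laptop", 0.6,
             {"technology": 2, "privacy": 5_000, "financial": 150_000, "human": 0}),
    Scenario("insider record snooping", 0.8,
             {"technology": 0, "privacy": 40, "financial": 30_000, "human": 0}),
    Scenario("malware on bedside device", 0.1,
             {"technology": 8, "privacy": 0, "financial": 50_000, "human": 500}),
]

if __name__ == "__main__":
    for d in DIMENSIONS:
        top = rank_by_dimension(SCENARIOS, d)[0]
        print(f"{d:<10} led by {top.name} ({expected_loss(top)[d]:g})")
    print("focus on:", sorted(focus_set(SCENARIOS)))
```

With these figures the bedside-device scenario ranks near the bottom on financial loss alone but leads the human dimension, which is exactly the kind of priority a single risk rating hides.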

Adopt the NIST Cybersecurity Framework: The NIST Framework enables organizations to assess and communicate their security efforts using a common lexicon. Specifically, the Framework allows you to describe your current cybersecurity posture and your target state. You can then identify and prioritize opportunities for improvement and assess progress toward the target state. The Framework also provides for communicating security risks to non-IT stakeholders and governance bodies.

Balance your investment: Security programs usually focus on these sequential activities: identification, prevention, detection, response, and recovery. It is common (though not wise) for organizations to focus resources on one phase of action (usually prevention). We strongly recommend that organizations distribute resources equally across the phases.


