Not every healthcare organization has the budget for a dedicated information security official. Cybersecurity advisors offer new expertise, capacity, and a realistic path forward for organizations that once bolted cybersecurity onto an existing officer role.
One of our clients feared that their cybersecurity posture posed a serious risk to their growth agenda, revenue goals, and even their patient outcome standards. Their resources were always scarce, even for top priorities, so they engaged an information security official in a fractional capacity. Why? Because 1) their budget allowed it and 2) their cybersecurity risks demanded it.
The organization had established the following bodies to participate in cybersecurity: a Security Council, a Steering Team, and an IT Security Committee, and it had appointed a Security Officer. Each person held this role in addition to the responsibilities of another leadership role; none was solely focused on cybersecurity. The organization needed to extend the expertise of its leadership team without incurring the budget of an additional executive.
A cybersecurity advisor from CereCore fortified the organization’s cybersecurity program with expertise and a healthcare focus. The advisor also worked alongside the designated security official that the HIPAA Security Rule requires. The partner organization’s security officer owned and operated the security program, drawing on the advice and counsel of the CereCore cybersecurity advisor, who brought strategic direction, expertise, and capacity to improve the organization’s security program. In this example, the CereCore cybersecurity advisor assisted the organization in three areas:
A cybersecurity advisor starts with an assessment of your current security program, compares your current state with the priorities you have identified, and determines the strategic direction and plans needed to achieve those priorities. Cybersecurity advisors advise on security, resilience, and compliance strategy based on your organization’s:
Leadership teams work with a cybersecurity advisor to define the scope of the work and the anticipated time to accomplish the priorities. They consider the HIPAA Security Rule, the findings of a current-state assessment, and other requirements to develop an effective security program for their organization. The cybersecurity advisor then takes on responsibility for driving the security program, alongside the organization’s security officer, within the priorities, budget, staffing, and other resources determined in concert with the leadership team.
Evaluate the organization’s cybersecurity program. Following direction from the leadership team, a cybersecurity advisor helps define a cyber strategy with a plan of action to improve the security, resilience, and compliance of the organization’s security program based on:
Build on existing cyber resilience protocols and measures. Cyber resilience is an organization's ability to continue to deliver its services despite adverse cyber events. As part of the assessment of the current security program, a cybersecurity advisor evaluates cyber resilience and makes recommendations based on identified gaps and on industry guidance such as NIST SP 800-160, Vol. 2, Developing Cyber-Resilient Systems, together with the organization’s chosen frameworks, such as the NIST Cybersecurity Framework (CSF). Assessment findings are prioritized with input from leadership and incorporated into the cybersecurity program.
Current processes and workflows analyzed during assessment often include:
Improve current cybersecurity posture. Action plans and initiatives informed by a strategy roadmap are developed with the timeframes, sequencing, and resources needed to implement system and workflow changes and to fully operationalize them. Cybersecurity advisors work with the organization to ensure that security assessments are performed annually and to formulate detailed action plans that:
Operationalize and oversee cybersecurity awareness practices. Day to day, a cybersecurity advisor helps the organization maintain an understanding of threats to the healthcare sector, communicates that knowledge, and assists in developing plans to reduce the organization’s overall risk. The advisor monitors information on threats and risks in the healthcare sector via notices from InfraGard, the Cybersecurity and Infrastructure Security Agency (CISA), US-CERT, the US Department of Health and Human Services (HHS), and others, and provides updates to leadership on important changes in the threat environment.
Provide support in the event of a cybersecurity incident. If an organization experiences an incident, a cybersecurity advisor provides guidance on executing the incident response plan. No organization wants to need a cybersecurity advisor for this, but the additional capacity and expertise can be a valuable addition to any leadership team when it is needed.
Cybersecurity advisors are a viable option as organizations get creative with their budgets and resources. In an industry where a lack of capacity, expertise, and resources can have dire organizational consequences, an advisor brings confidence in the cybersecurity program.
Editor’s note: For their protection, CereCore does not reveal the identity of partners who work with us for cybersecurity advisory, medical device management, incident recovery, risk mitigation, or other cybersecurity services.
For more information, download the Cybersecurity Advisory Services overview.