By Darcy Corcoran, MBA, CISSP | Mar 29, 2024
The confidence your board and other stakeholders have in your organization’s cybersecurity strategy can influence decisions about prioritization of budget, resources, and reputation for your team. Given the ever-changing threat landscape and concerning news in healthcare recently, we can see it’s difficult to get cybersecurity strategy right. What we need to make our best attempt at defending our organizations isn’t easy to determine amongst experts, and it’s even more difficult to explain and agree on with non-experts.
So, where should you begin? What follows are points that offer insight into your strategy’s rationale and comprehensiveness to develop stakeholder confidence in the plans you and your team design and support. Start by ensuring your board and other stakeholders understand these points.
Much of your cybersecurity agenda will include a strategy to defend your organization from a cyberattack. Of equal importance is a focus on continuity of service and recovery procedures should the dreaded ransomware scenario happen to your organization. Ensure the board’s confidence in your continuity strategy by explaining:
It’s important to include your board in the ongoing development of your cybersecurity strategy. They should understand how it was specifically designed and witness how it is continually revised to align with a risk profile informed by your organization’s threat landscape, service mix, geography, financial position, business standing, reputation, etc. Ensure the board’s confidence in your strategy by explaining:
The basics are fundamental – not easy – but they are the cornerstone of a successful cybersecurity strategy. Ensure the board’s confidence in the basics by explaining:
You understand healthcare and how your organization’s successes create increased cyber risk because:
Ensure the board’s confidence in your level of threat intelligence by explaining:
You are aware of key points in a modernization effort that increases your cyber risk by way of involving new vendors, incorporating new devices, extending your existing infrastructure, and more. Ensure the board’s confidence in your vulnerability management strategy by explaining:
Malicious actors will use the element of surprise to their advantage. If your organization is on constant watch for risky behaviors and removes the attacker’s reconnaissance edge (e.g., publicly accessible contact information for staff at your facility), you reduce the attack surface, the risk of leaked credentials, and the ease with which an attacker can assume a legitimate person’s identity for malicious ends at your organization. Addressing vulnerabilities can range from behavior training to programmatic preventions, and the threat landscape of today demands them all. Ensure the board’s confidence in your evolving threat and vulnerability identification methods by explaining:
The cybersecurity space is as complicated and dark as it is described. The malicious actors of today are determined and sophisticated. Staying a step ahead takes technical savvy and awareness of your organization’s specific risk factors. Malicious actors in healthcare have one goal in mind – to launch a ransomware attack on an organization like yours. Securing the resources required to sustain the cybersecurity approach you have determined is best for your organization depends in part on stakeholder confidence. The right insight, talking points, and awareness can help garner the support you need.
This healthcare IT security organization takes its job seriously. It secures perimeters, restricts IP addresses from its network (even IPs that falsify their country of origin), requires multifactor authentication for access, and protects administrative login credentials. Its access controls are mature and have proven reliable. They’ve thought of everything, right?
Then why were hired hackers able to find their way onto this organization’s network in less than four hours? It started with something so simple, so seemingly innocuous – and so convenient for so many – that no one even questioned it until the day they learned why they should.
Olivia, a patient advocate, wants the best for patients and diligently works to do her part to create great patient experiences. That’s why, when she realized patients needed to contact several different departments in the hospital to schedule appointments, ask billing questions, or find out where to park for an imaging appointment, she asked to have a link to the employee directory added to the website. Liam, the website manager, added the link right away because he, too, is devoted to patients and wants to make their journey easier. Days later, he was pleased to see that site analytics showed a few uses of the link. An easy mission accomplished.
Soon after, Mary, the IT Director, received the findings of her team’s latest external cybersecurity threat assessment, which alerted her to a publicly available website resource that showed first names, last names, departments, and phone numbers for key employees of the hospital – the employee directory. She acted quickly to have the directory restricted from the website, and network monitoring tools verified there was no related suspicious activity to investigate.
Why did Mary take such swift action? The information in an employee directory, while convenient for some use cases, contains all a malicious actor needs to begin a small to large scale attack by doing any of the following to:
The people and organization in this story are fictitious, but the vulnerability depicted is a common one. Stories like these help us appreciate how cunning malicious actors can be and how little they need to know to learn more and wreak havoc. It also demonstrates how protecting your organization is difficult and getting harder given all of the potential vulnerabilities and the numerous gaps to address. Organizations where boards and stakeholders understand, support, fund, and do their part to defend have the best chance in an environment where hackers are looking for their next opportunity.
See also...this article as published by Becker's Health IT and HISTalk.
Darcy Corcoran is a Principal Consultant for Cybersecurity