Six Cybersecurity Points Healthcare CIOs Should Explain to Their Boards


By Darcy Corcoran, MBA, CISSP | Mar 29, 2024

6 minute read Blog| IT Advisory| IT Strategy

The confidence your board and other stakeholders have in your organization’s cybersecurity strategy can influence decisions about prioritization of budget, resources, and reputation for your team. Given the ever-changing threat landscape and concerning news in healthcare recently, we can see it’s difficult to get cybersecurity strategy right. What we need to make our best attempt at defending our organizations isn’t easy to determine amongst experts, and it’s even more difficult to explain and agree on with non-experts.

So, where should you begin? What follows are points that offer insight into your strategy’s rationale and comprehensiveness to develop stakeholder confidence in the plans you and your team design and support. Start by ensuring your board and other stakeholders understand these points.

  1. Your cybersecurity strategy focuses on continuity of service for many threats to system availability, including cyberattack.

Much of your cybersecurity agenda will include a strategy to defend your organization from a cyberattack. Of equal importance is a focus on continuity of service and recovery procedures should the dreaded ransomware scenario happen to your organization. Ensure the board’s confidence in your continuity strategy by explaining:

  • Critical systems protecting continuity of patient safety, revenue cycle, and other key business processes are covered by thorough business continuity and contingency of operations plans that consider impact and criticality for resuming services.
  • Employee training on backup procedures is documented, thorough, and current, in the event your organization must resort to them until services are restored after a cyberattack or other availability disruption.
  2. Your cybersecurity strategy is designed and maintained based on your organization’s threat landscape.

It’s important to include your board in the ongoing development of your cybersecurity strategy. They should understand how it was specifically designed and witness how it is continually revised to align with a risk profile informed by your organization’s threat landscape, service mix, geography, financial position, business standing, reputation, etc. Ensure the board’s confidence in your strategy by explaining:

  • What’s new and next for your cybersecurity strategy. Provide quarterly updates and biannual reviews on progress and tell them why you take the actions you do: because a new threat or threat actor has been identified, because of lessons learned by another organization, or because your organization’s risk profile has changed (new services offered, an acquisition, modernization, etc.). Include details about active threats from specific threat assessments and what could result if the vulnerability isn’t addressed.
  • How your strategy is assessed and challenged using the tactics and rationale of malicious actors. Explain how threat assessment information feeds directly into network security configuration practices, updated authentication mechanisms, and employee training that informs users of the specific tactics healthcare ransomware hackers are using to subvert your organization’s defenses.
  • Recent ransomware successes, highlighting the threat actors' ability to defeat legacy or outdated technology, processes, and procedures, and how your cybersecurity strategy evolves the defense posture, reducing attack surface and raising the work factor for ransomware attacks.
  3. The cybersecurity basics for our organization’s patients, providers, and employees are covered.

The basics are fundamental – not easy – but they are the cornerstone of a successful cybersecurity strategy. Ensure the board’s confidence in the basics by explaining:

  • How your strategic plan is revisited, challenged, and updated regularly.
  • The scope of the plan, including:
    • How it addresses all varieties of known threats, including general and specific cyber threats to your organization.
    • How transitions such as moving infrastructure off premises are governed.
    • How regulatory and internal compliance are ensured.
  • Circumstances that instigate changes to your plan and roadmap, such as newly identified and advanced threats directly targeting the organization, operational requirement changes, etc.
  • The measurable successes, known areas of improvement, and the progress you have made on them.
  • Organizational processes that support or are informed by your cybersecurity strategic plan, such as disaster recovery, lifecycle management, technology project implementation, training, etc.
  • Governance practices, how effectiveness is measured, and how new or revised practices are developed.
  4. Specific threat intelligence informs approaches for safeguarding the organization.

You understand healthcare and how your organization’s successes create increased cyber risk because:

  • Reported or anticipated revenue makes organizations a lucrative hacking and ransomware target.
  • A positive reputation in the community increases the negative impact intended by a breach and follow-on ransomware attack.
  • Innovation and modernization through adoption of new technologies increase the organization’s attack surface by opening up a new range of vulnerabilities.
  • The information you protect is the most valuable information of all.

Ensure the board’s confidence in your level of threat intelligence by explaining:

  • Your awareness of existing threats, the extent to which your organization could be targeted, and how you stay vigilant.
  • The aggressive posture of your cybersecurity strategy and its ability to counter the sophisticated capabilities of malicious cyber actors.
  • Your organization’s adaptive and active defenses for responding to current and emerging threats.
  5. As our organization modernizes technology, we can rely on our established risk and vulnerability management capabilities.

You are aware of the key points in a modernization effort that increase your cyber risk: involving new vendors, incorporating new devices, extending your existing infrastructure, and more. Ensure the board’s confidence in your vulnerability management strategy by explaining:

  • Your internal processes reliably assess risk and identify gaps for your modernization and migration projects, including artificial intelligence capabilities, third parties, regulatory requirements, and cloud environments.
  • Your deployment efforts are coordinated with specific transition criteria and align with a risk management framework that manages risk profile change for technology and its users.
  • Your risk management framework evaluates best practices that increase both security and compliance for the modernization efforts at your organization.
  6. Our organization has a solid approach to identifying and addressing evolving vulnerabilities.

Malicious actors will use the element of surprise to their advantage. If your organization is on constant watch for risky behaviors and removes the attacker's reconnaissance edge (for example, publicly accessible contact information for staff at your facility), you reduce the attack surface and the risk of leaked credentials or of someone assuming a legitimate person’s identity to do harm at your organization. Addressing vulnerabilities can range from behavior training to programmatic preventions, and the threat landscape of today demands them all. Ensure the board’s confidence in your evolving threat and vulnerability identification methods by explaining:

  • Your training program focuses on safe information security behaviors, and knowledge testing (phishing tests, etc.) occurs regularly, with follow-up training and/or rewards depending on the user’s response.
  • Your IT team relies on trusted resources and regular training offered by a certified source to stay at heightened awareness of current and emerging threats.
  • Your IT team has the experience, access, and resources to challenge your current approach and modify it as vulnerabilities are identified.
  • Your network monitoring tools are as sophisticated as the malicious actors and the tactics they use.
  • Your organization does an annual, specified threat assessment to identify the cybersecurity blind spots that can only be seen by assessing external network boundary elements. Without this point of view, cyber defenders and decision makers see only half of the defense picture.

The cybersecurity space is as complicated and dark as it is described. The malicious actors of today are determined and sophisticated. Staying a step ahead takes technical savvy and awareness of your organization’s specific risk factors. Malicious actors in healthcare have one goal in mind – to launch a ransomware attack on an organization like yours. Securing the resources required to sustain the cybersecurity approach you have determined is best for your organization depends in part on stakeholder confidence. The right insight, talking points, and awareness can help garner the support you need.

A Cybersecurity Vulnerability Story

This healthcare IT security organization takes its job seriously. It secures its perimeter, blocks untrusted IP addresses from its network (even those that falsify their country of origin), requires multifactor authentication for access, and protects administrative login credentials. Its access controls are mature and have proven reliable. They’ve thought of everything, right?

Then why were hired hackers able to find their way onto this organization’s network in less than four hours? It started with something so simple, so seemingly innocuous – and so convenient for so many – that no one even questioned it until the day they learned why they should.

Olivia, a patient advocate, wants the best for patients and diligently works to do her part to create great patient experiences. That’s why, when she realized patients needed to contact several different departments in the hospital to schedule appointments, ask billing questions, or find out where to park for an imaging appointment, she asked to have a link to the employee directory added to the website. Liam, the website manager, added the link right away because he, too, is devoted to patients and wants to make their journey easier. Days later, he was pleased to see that site analytics showed a few uses of the link. An easy mission accomplished.

Soon after, Mary, the IT Director, received the findings of her team’s latest external cybersecurity threat assessment, which alerted her to a publicly available website resource showing first names, last names, departments, and phone numbers for key employees of the hospital – the employee directory. She acted quickly to have the directory removed from the website, and network monitoring tools confirmed there was no related suspicious activity to investigate.

Why did Mary take such swift action? The information in an employee directory, while convenient for some use cases, contains all a malicious actor needs to begin a small- to large-scale attack by doing any of the following:

  • Contact the IT helpdesk to reset a user password or redirect the multifactor authentication to the hacker's phone number, enabling them to reset the account password manually and gain access to the network.
  • Contact the IT helpdesk impersonating a provider to social engineer information, with the aim of figuring out the helpdesk's authentication techniques and procedures to better defeat them in the future.
  • Gather employee lists and emails that allow the hacker to continue to harvest credentials and engage in password spraying and brute force attacks that would assist in gaining access to a user-level or privileged account.
  • Contact a patient as though they are a facility employee in need of personal health information for an upcoming appointment.
  • Contact a patient as though they are a member of your facility’s billing department in need of credit card or other information to process a payment.
  • Contact your employees in hopes they will divulge additional seemingly innocuous information that is powerful in the wrong hands (for example, email addresses, which reveal the format of all employee addresses, or locations, which give a better understanding of your organization’s footprint).
  • Gain physical access to your facility.
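The password-spraying use of a leaked directory is one of the few items above that a network monitoring team can check for directly in authentication logs. The script below is an added example, not code from the original post or its author: it flags a source that fails against many distinct usernames in a short window (the spray signature, as opposed to many failures against one user) and notes any later success from the same source. The log format and every sample line are constructed for the example; real sign-in logs will need their own parser.

```python
"""Password-spray detection over constructed sign-in log lines.

Added example, not part of the original post. The log format is an
assumption: one event per line, "timestamp user=... src=... result=...".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data). Source 203.0.113.7 tries many
# directory-derived usernames and finally succeeds; 198.51.100.20 shows a
# normal pattern: one user, two mistyped passwords, then success.
SAMPLE_LOG = """\
2024-03-29T08:00:01 user=olivia.ng src=203.0.113.7 result=FAIL
2024-03-29T08:00:03 user=liam.park src=203.0.113.7 result=FAIL
2024-03-29T08:00:05 user=mary.holt src=203.0.113.7 result=FAIL
2024-03-29T08:00:07 user=a.rivera src=203.0.113.7 result=FAIL
2024-03-29T08:00:09 user=b.chen src=203.0.113.7 result=FAIL
2024-03-29T08:00:11 user=c.dubois src=203.0.113.7 result=FAIL
2024-03-29T08:00:13 user=d.okafor src=203.0.113.7 result=SUCCESS
2024-03-29T08:01:00 user=liam.park src=198.51.100.20 result=FAIL
2024-03-29T08:01:04 user=liam.park src=198.51.100.20 result=FAIL
2024-03-29T08:01:09 user=liam.park src=198.51.100.20 result=SUCCESS
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None if malformed."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        ts = datetime.fromisoformat(parts[0])
        fields = dict(p.split("=", 1) for p in parts[1:])
        return {"ts": ts, "user": fields["user"],
                "src": fields["src"], "result": fields["result"]}
    except (ValueError, KeyError):
        return None


def detect_password_spray(log_text, window=timedelta(minutes=10),
                          min_distinct_users=5):
    """Return {src: summary} for sources failing against many distinct users.

    A spray is few attempts per user but many users per source, so the
    metric is the largest number of distinct failed usernames any single
    source accumulates inside a sliding time window.
    """
    events_by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            events_by_src[ev["src"]].append(ev)

    findings = {}
    for src, events in events_by_src.items():
        events.sort(key=lambda e: e["ts"])
        fails = [e for e in events if e["result"] == "FAIL"]
        best_users, best_start = set(), None
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the window fits.
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            users = {e["user"] for e in fails[start:end + 1]}
            if len(users) > len(best_users):
                best_users, best_start = users, fails[start]["ts"]
        if len(best_users) >= min_distinct_users:
            # A success from the same source after the spray began is the
            # signal that turns a detection into an incident.
            successes = [e["user"] for e in events
                         if e["result"] == "SUCCESS" and e["ts"] >= best_start]
            findings[src] = {
                "distinct_users_failed": len(best_users),
                "window_start": best_start.isoformat(),
                "subsequent_success_for": successes,
            }
    return findings


if __name__ == "__main__":
    for src, summary in detect_password_spray(SAMPLE_LOG).items():
        print(src, summary)
```

The threshold and window are deliberately parameters: a hospital with a large shared-workstation population will need a higher user count or shorter window than a small clinic before the alert is useful, and the "subsequent_success_for" field is what should drive a forced password reset and MFA review for the listed account.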

The people and organization in this story are fictitious, but the vulnerability depicted is a common one. Stories like these help us appreciate how cunning malicious actors can be and how little they need to know to learn more and wreak havoc. They also demonstrate how protecting your organization is difficult and getting harder, given all of the potential vulnerabilities and the numerous gaps to address. Organizations where boards and stakeholders understand, support, fund, and do their part to defend have the best chance in an environment where hackers are looking for their next opportunity.

See also...this article as published by Becker's Health IT and HISTalk.

About the Author:
Darcy Corcoran, MBA, CISSP

Darcy Corcoran is a Principal Consultant for Cybersecurity
