This past year saw a continuation of established trends in cybersecurity. Breaches continue to rise, attackers are getting more sophisticated, and the market continues to be flooded with silver bullets that promise to solve all enterprise security problems in one fell swoop. Online works with hundreds of organizations, many in healthcare, and we have learned a few things along the way. Here are five things we learned in 2018 that you and your organization should consider moving forward:
1. You will be breached. Accept it. Plan for it.
According to Verizon's 2018 Data Breach Investigations Report, 58 percent of data breach victims are small businesses and healthcare organizations account for nearly one in four data breaches. Attackers do not differentiate based on size and may actually prefer smaller entities due to their lack of sophisticated security controls. Healthcare continues to be a target due to the value of medical records and the lack of spending on information security.
What does this mean for organizations? They cannot simply implement preventative controls and assume they are safe. Organizations must dedicate additional resources to detection and response in order to mitigate the damage and cost of data breaches.
The good news is that a breach does not have to be accompanied by fines and corrective action plans (CAPs). Online has worked with one organization that was investigated by HHS/OCR for past breaches and, by providing evidence of its annual Security Risk Assessments, policies and procedures, and proactive corrective action, was able to avoid any fines or CAPs.
2. You will never have enough budget for everything you need to do.
There is a constant battle going on in the executive offices of healthcare providers. The conversation goes something like this:
CFO: What are your budgetary needs for this year?
COO: I need money for a new medical widge-a-ma-doodle that will save hundreds of lives
CISO: I need money for a Managed Security Service that will detect security incidents and allow us to respond more effectively
COO: So, are we going to save lives or detect security incidents?
All in unison: Save lives!
CISOs are continually fighting for dollars in this manner. There will never be enough money to do everything you need to do. Therefore it is critical to maintain strong communications in the boardroom and to take a risk-based approach to security. Security spending should be approached using an Enterprise Risk Management method the same way all business risk is treated. If the organization is willing to accept risk, that is a business decision to be made and not a “security decision”. The role of the CISO is to ensure the business understands the risk and the consequences of accepting risk so that the business can make well-informed decisions.
3. Your data isn't under your control anymore.
As systems mature and data becomes more mobile, organizations have more and more vendors and Business Associates that maintain and access sensitive information such as Protected Health Information (PHI). HIPAA doesn't necessarily require you to audit all of your vendors since they have their own requirements to comply with HIPAA, but consider this from a risk management perspective: if your vendor breaches your data or causes a breach to your data, what is the impact to your organization? Your name is still associated with the breach.
2018 saw a rise in vendor management solutions that are helping organizations address this problem. You can't audit all of your vendors, nor should you. However, if you rate your vendors by risk level, you may decide you want additional comfort from those high-risk vendors that they are taking appropriate steps to protect your information.
4. IoT and Medical Devices require an Intensive Care Unit.
Another trend that continued in 2018 was the explosion of IoT and Internet-connected medical devices. While there have been gains in standards and technologies to protect these systems, they still require special attention. Patching, monitoring, and administering these systems require a set of processes fully separate from those used for traditional computing systems. Online recommends isolating these devices on a dedicated network with restricted access to the rest of the network and the Internet. Determine what these devices need to communicate with and use deny-by-default rules to allow only that traffic. Where possible, integrate devices into the organization's Identity and Access Management (IAM) systems.
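One way to check a deny-by-default policy before enforcing it is to replay observed flows from the device segment against the proposed allowlist. The sketch below is an added example, not Online's tooling; the subnet, addresses, destinations, and flow records are all constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    src: str     # device segment (CIDR)
    dst: str     # permitted destination (CIDR)
    proto: str
    port: int
    reason: str  # why the device needs this traffic

# Constructed allowlist for a hypothetical medical-device VLAN, 10.50.0.0/24.
ALLOW = [
    Rule("10.50.0.0/24", "10.10.5.20/32", "tcp", 2575, "HL7 to interface engine"),
    Rule("10.50.0.0/24", "10.10.5.30/32", "tcp", 104, "DICOM to PACS"),
    Rule("10.50.0.0/24", "10.10.1.10/32", "udp", 123, "NTP"),
]

def decide(src, dst, proto, port, rules=ALLOW):
    """Return ('allow', reason) for the first matching rule, else ('deny', 'default')."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in ipaddress.ip_network(r.src) and d in ipaddress.ip_network(r.dst)
                and proto == r.proto and port == r.port):
            return ("allow", r.reason)
    return ("deny", "default")

# Constructed flow records: (src, dst, proto, dst_port).
FLOWS = [
    ("10.50.0.11", "10.10.5.20", "tcp", 2575),
    ("10.50.0.12", "10.10.5.30", "tcp", 104),
    ("10.50.0.12", "203.0.113.9", "udp", 53),   # DNS straight to the Internet
    ("10.50.0.13", "10.10.7.44", "tcp", 445),   # SMB to an internal workstation
    ("10.50.0.11", "10.10.1.10", "udp", 123),
]

def audit(flows, rules=ALLOW):
    """Split flows into those the policy permits and those default-deny would drop."""
    allowed, denied = [], []
    for f in flows:
        verdict, _ = decide(*f, rules=rules)
        (allowed if verdict == "allow" else denied).append(f)
    return allowed, denied

if __name__ == "__main__":
    _, dropped = audit(FLOWS)
    for f in dropped:
        print("would be dropped:", f)
```

Each dropped flow is either a missing rule for a legitimate device function or traffic the device should not be generating, and both are worth knowing before the rules go live.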
5. Your board and C-Suite will start asking harder questions.
As breaches continue to rise and the cost of breaches is felt by organizations, boards of directors and C-Suites are starting to pay attention. They are asking harder questions of their security teams and requiring more information on what is being done to prevent and mitigate attacks.
This is good news!
What this means is that security teams have an opportunity to have meaningful discussions at higher levels in the organization and get top-level support for implementing security controls throughout the organization. This may mean stronger enforcement of policies and procedures, increased budgets for advanced security solutions, and the ability to work with operations teams to design appropriate security solutions that align with the goals of the organization.
What this means for 2019…
Considering what we've learned in 2018, organizations should consider carefully how to prioritize their limited resources for 2019. There are some common themes we can draw from our Top 5 list. Organizations should be taking an Enterprise Security Risk Management approach to their security programs that has buy-in from the top of the organization. CISOs should be developing their reporting and dashboards in a manner that effectively communicates the state of the organization's security posture and where the security risks lie.
This way the decision-makers in the organization have the information they need in order to determine what resources should be dedicated to addressing these risks in a manner that aligns with the organization's goals.