Events of the past few years have magnified the interest, attention, and funding that provider organizations must dedicate to cybersecurity resiliency. Most non-IT executive leaders now grasp the full weight and risk of unpreparedness.
Despite its importance, cybersecurity is a consistent and challenging internal conversation for IT and security leaders. And as we enter a new era of IT-enabled and IT-driven business and clinical strategies, the trends of innovation, disruption, and digital transformation will further complicate the already complex cybersecurity landscape.
To simplify this complex environment, the Health Care IT Advisor research team developed the following simple Cybersecurity Ecosystem Model to highlight critical areas for discussion and action. Note that these areas extend well beyond technical capabilities.
Cybersecurity Ecosystem Model
To get started, use this resource page to guide you through the following five steps for becoming a cyber-resilient organization:
1. Understand the full cybersecurity ecosystem to build cyber resilience through layers
Traditionally, many health care organizations have approached cybersecurity as a technology issue. While various security technologies can improve an organization’s risk posture, technical tools are not enough. Cyber resilience requires efforts in three crucial areas: governance and policy, process and education, and technology and services.
2. Engage senior leaders in security efforts to advance the organization’s security maturity
The prevalence of disruptive cyberattacks and large breaches has moved cybersecurity squarely into the C-suite and boardroom. As executive leader interest in cybersecurity grows, IT leaders must help non-IT leaders better understand their role in mitigating cyber risk for the organization. The resources outlined below articulate key messages for IT leaders to discuss with CXO executives.
At-a-glance framework for a successful discussion
3. Optimize the effectiveness of your Chief Information Security Officer (CISO)
The fast-changing nature of the cyber landscape demands that health care organizations reexamine the role of the CISO to effectively protect their enterprise. No longer a purely technical role, the CISO must now be a strong, risk-focused business leader who can shepherd the organization toward an advanced and adaptive security posture.
Critical considerations for the position include top attributes to look for in potential candidates, organizational model and reporting structure, the level of responsibilities outside of security, and how to cultivate a supportive and empowering environment for the CISO.
4. Prepare in advance
Your organization will experience a breach at some point—it is just a matter of when. Now, more than ever, you need to ensure your organization has a proper response plan in place for cybersecurity incidents to limit potential damage.
5. Manage and learn from incidents that do happen
Methodical and well-tested incident response plans are critical for health care organizations to successfully and rapidly react when a cyber-crisis hits. The SANS Institute’s PICERL incident response methodology is widely regarded as a go-to response approach because of its applicability and versatility across industries, organization size, and type of security incident.
The resources below broadly define the six phases of PICERL and illustrate how the steps involved in responding to a clinical crisis—well known to non-IT health care leaders, clinicians, and staff—mirror the elements of the PICERL security incident response approach.