Robert Napoli, CIO, Planned Parenthood of the Great Northwest and the Hawaiian Islands
The level of cybersecurity threats has increased significantly over the past decade, posing serious challenges to healthcare organizations. In response, organizations have invested both time and money building out their cybersecurity programs by deploying a variety of cybersecurity tools, hiring dedicated security personnel or partnering with a managed security service provider (MSSP). Just a few years ago, it was rare to find healthcare organizations with Chief Information Security Officers; now it is common and even customary in larger organizations. In this respect, healthcare IT leaders can thank the publicity given to the many high-profile breaches that are commonplace these days, as this has made it much easier to sell the need for cybersecurity investments to Boards and Executive Teams.
Despite these investments, protecting sensitive data and securing systems is increasingly difficult for many organizations. The healthcare technology environment is unique in its complexity. Many organizations have hundreds of applications and dozens of systems, all presenting potential threat vectors for breaches. Departments are often siloed, especially in larger organizations, and “shadow IT” is common. Biomed and IoT-enabled medical devices add further risk. Threats are both external and internal. The security landscape is constantly evolving, with increasing sophistication and complexity and with new threats and vulnerabilities appearing daily. When you consider that each employee, volunteer and vendor with access to systems is a potential risk, it is understandable how breaches occur even in organizations that spend a lot of money on their cybersecurity programs. The reality is that effective healthcare cybersecurity is extremely difficult.
Strategic Initiatives Taken to Counter Security Threats
It is widely accepted that the best cybersecurity program starts with an adequately trained staff. Internal users often are an organization’s greatest risk and I am a strong advocate of providing a robust security awareness training program.
However, I take the approach that I can’t trust that all of our users will use appropriate discretion all the time. So, while we assume the best intentions, we don’t leave things to chance. Our cybersecurity program is aggressively proactive and multilayered, utilizing controls at all identified vectors and advanced analytics as well as user education. We focus on stopping threats before they reach our end users by protecting the perimeter and limiting damage should these threats somehow get through. I am a huge advocate for Advanced Endpoint Protection, application whitelisting, Intrusion Detection Systems, sandboxing and other tools that lock down local access and limit user behavior while still giving users the permissions necessary to do their jobs. Our security management platform runs off an AI engine and offers complete visibility into all internal and external traffic, reporting abnormalities that we can proactively monitor and address.
Identifying the Right Solution Provider
The cybersecurity marketplace is expected to exceed $1 trillion over the next five years. Technology leaders have more options for products and services than at any point previously. In one respect, this is a great problem to have. However, sorting through the choices and trends is challenging and can be daunting for many organizations. I understand first-hand how difficult it can be to sort through a seemingly endless number of products and services to find the best solutions for our budget. After all, throwing money at your cybersecurity program is not a strategy, and a multi-layered approach doesn’t mean having duplicative solutions. We have successfully used advisory services to simplify the task of shortlisting products to pilot. Having a large network of peers and colleagues who can make recommendations has also been helpful in our selection process. Partnering with an experienced and capable MSSP is also an excellent way of aligning around a cybersecurity strategy that works and is cost-effective.
Evolution in Cybersecurity
I remember a time when cybersecurity was an afterthought in healthcare. Computing technology was less sophisticated than it is now (especially prior to the emergence of WiFi and the Cloud), and many cybersecurity strategies were limited to firewalls and anti-virus applications. Often, organizations took a “head in the sand” approach and were reluctant to invest in cybersecurity unless they experienced a breach. As mentioned earlier, that is no longer the case, and most organizations understand that threats are advanced, constantly evolving, sophisticated, and unfold over long periods of time from a myriad of threat vectors. Protecting sensitive data requires diligence, persistence and, yes, a budget.
Word of Advice for Fellow Executives
For those organizations not yet there, it is imperative that technology leaders make the case that an effective cybersecurity program is no longer just IT’s risk and responsibility. Technology executives should be prepared to communicate the scale of risks across the entire organization, taking steps to minimize those risks by mapping controls to key assets and developing contingency plans should a breach occur. Finally, it is essential that technology leaders accurately set expectations relative to their cybersecurity programs – that is, you can’t eliminate all risks with 100% certainty, regardless of your budget and current cybersecurity posture. My organization devotes significant resources to cybersecurity, and we have done an excellent job securing our patient data and protecting other systems. However, I am quick to remind my Board of Directors and Executive Team that, despite these efforts, I cannot guarantee that all risks have been mitigated or that we will never experience a breach or incident. This work is perpetual and requires ongoing commitment, diligence and organizational support.