6 Security Measurement Best Practices Every Healthcare Organization Should Know

Authors Thomas Bunger, Information Security Consultant and Fronz Batot, Information Security Consultant

In today’s digital healthcare landscape, the industry’s complex technology infrastructure and reliance on connected devices constantly risk sensitive patient information, critical medical systems, and patient care delivery. The consequences of a single successful cyberattack can be devastating—everything from disruption of essential services to patient harm, including potential loss of life.

Given the high stakes, healthcare security leaders and CISOs need a clear understanding of their organization’s cybersecurity posture, which is nearly impossible without establishing and tracking key cybersecurity measurements that identify security weaknesses and help manage risk.

Without these quantifiable insights, security teams operate in the dark and cannot effectively prioritize risks or demonstrate the effectiveness of their security and compliance programs. This puts healthcare organizations at risk of costly data breaches, operational disruptions, non-compliance penalties and fines, patient harm, and irreparable reputational damage.

To effectively manage these risks, healthcare organizations should proactively monitor key security indicators to improve overall security posture and better protect patients and their sensitive health data.

What are Cybersecurity Measurements in Healthcare, and Why Are They Important?

Cybersecurity measurements, or security metrics, are quantifiable indicators to evaluate your organization’s security posture against cyber threats. These essential tools enable your security teams to identify vulnerabilities, monitor security maturity progress, and make informed resource allocation and compliance decisions.

By analyzing metrics such as the number of security incidents within a specific period or the time it takes to identify and resolve them, your teams can identify weaknesses in your infrastructure, systems, and processes to prioritize and remediate risks before malicious actors exploit them.

Cybersecurity metrics also help ensure regulatory compliance, such as with HIPAA. Tracking and improving metrics related to employee training and education, data security and privacy controls, or incident response demonstrate adherence to regulations and prevent potential penalties for non-compliance.

These metrics also provide valuable data that informs strategic decision-making. By understanding the effectiveness of existing security controls and comparing performance against industry benchmarks, your teams can make data-driven decisions and identify areas for further investment or focus.

Examples of Cybersecurity Measurements in Healthcare

• Mean time to detection (MTD): MTD measures the average time it takes for your teams to identify a security incident. It’s an important metric because it highlights response efficiency and helps prioritize detection capability improvements.
  • How to do it: Define what constitutes a security incident (for example, unauthorized access attempts and/or a full-blown data breach). Next, implement a security information and event management (SIEM) system or other tools to centralize logging and provide real-time security monitoring. Use intrusion detection systems (IDS) to alert security teams of potential anomalies and ticketing systems to track incident detection time, actions, and recovery time.
• Mean time to recover (MTTR): Track the average time to contain and resolve a security incident. A lower MTTR signifies faster recovery and reduces potential damage.
  • How to do it: Delineate incident resolution stages (e.g., containment, investigation, remediation). Complete and maintain detailed documentation within your incident response plan about the steps taken to resolve an incident. Use a ticketing system to track the start and end times of each stage.
• Number of critical and high vulnerabilities: Track the number of unpatched vulnerabilities and other security weaknesses (for example, misconfigurations) in critical systems to identify and prioritize areas for immediate remediation to prevent potential exploitation.
  • How to do it: Categorize vulnerabilities by severity (critical, high, medium, low) based on industry standards like CVSS or risk analysis. Use continuous vulnerability scanning tools to identify security issues regularly. Prioritize patching and vulnerability remediation based on your organization’s actual risk. Use automation tools to identify and track all assets, vulnerabilities, and remediation status.
• Number of Risks above Threshold per information system or application: Track the number of risks above the organization’s threshold relative to the number of systems, applications, or associated components in scope.
  • How to do it: Assess risk at the system, application, or associated component level. Categorize risks based on likelihood and impact. Prioritize treating risks that pose the most impact on the organization and the number of risks per system and application.  

Other practices to consider:

• Create regular reports with data visualization tools to illustrate metric trends that speak to stakeholders in a language they understand and correlate those reports with business goals.
• Compare your metrics to industry standards or competitors to gauge performance.
• Use metrics to identify areas for improvement and adjust cybersecurity and compliance strategies and processes accordingly.

The Role of Cybersecurity Metrics in Response and Recovery

In August 2023, attackers hit Community Health Systems (CHS), one of the largest publicly traded U.S. hospital systems, with a ransomware attack that exposed more than 1 million patient healthcare records. The attackers breached the system through a managed file transfer platform (FTP) called GoAnywhere. They exploited CVE-2023-0669, a vulnerability that allowed them to execute remote code on unpatched GoAnywhere MFT instances where the CHS administrative console was open to the internet. Normally, the console is only accessible from within private networks, assigned IPs, or virtual private networks (VPNs). The ransomware group responsible for the attack, Clop, claimed they stole CHS data over 10 days while moving laterally through the organization’s networks.

This incident underscores the importance of MTD in mitigating the impact of a cyberattack. By implementing strong detection controls and aiming for a low MTD, healthcare organizations can identify and respond to threats more effectively, potentially limiting damage and hastening recovery efforts. This reduces disruptions to patient care and can also lower the overall cost and impact of an attack.

A lower MTD could have:

• Potentially limited attack scope and minimized the number of affected records.
• Allowed CHS to isolate compromised systems faster.
• Enabled CHS to activate an incident response plan sooner, facilitating a faster recovery and minimizing disruptions.

6 Security Measurements Best Practices Every Healthcare Organization Should Know
The CHS attack is an example of what many healthcare organizations of all sizes experience daily. That’s why, if you haven’t already, now is the time to set and implement critical cybersecurity measurements to decrease cyber risk and mature your healthcare security and privacy programs. While a variety of factors unique to your organization will direct which measurements you should track, here are five best practices every health organization should consider:

1. Know what you want. Start by clarifying your organization’s security goals. Make sure your goals follow the S.M.A.R.T methodology. Your goals should be:

• Specific
• Measurable
• Achievable
• Relevant
• Time-bound

Goals like “We want to improve our security operations center’s (SOC) performance” are too general to provide clear direction. Instead, narrow and clarify the goal, for example, “Improve our SOC’s incident recovery time by 10%.”

• Don’t reinvent the wheel. There are plenty of resources available with useful security measurements. Utilize documents from trusted sources such as the National Institute of Standards and Technology (NIST) and the Center for Information Security (CIS):

• Special Publication 800-55 Vol. 1 – Measurement Guide for Information Security: Identifying and Selecting Measures
• Special Publication 800-55 Vol. 2 – Developing an Information Security Measurement Program
• CIS-Controls-Measures-and-Metrics-V7 (contains more than 170 examples of measurements for security controls.)

• Draw a line in the sand and make that your starting line. This will help you better understand whether your security efforts produce desired results. Create a baseline starting point to measure and gauge your performance and improvement efforts. For example, today, what is your MTTR?

• Improve the process. Fix the problems. Don’t just focus on performance. You can work your SOC team harder, but is that effort sustainable? Instead, use your measurements to uncover problems or opportunities for improvement. Consider looking at your entire security program from beginning to end and then analyze each component. Consider these measurements when analyzing your overall process:

• Implementation
  • What number or percentage of our systems does the SOC monitor?
  • Are all critical systems adequately monitored?
• Effectiveness
  • What is the level of customer satisfaction with the SOC team?
  • Is the team adequately trained to triage events and incidents?
• Efficiency
  • How long does it take the SOC team to respond to an incident?
  • Are they meeting expectations and stated service level agreements (SLAs)?
  • Is the team adequately staffed to contain incidents and events?
• Impact
  • Is the SOC providing higher service levels at a lower cost than an outsourcing partner?

• Don’t be afraid to start over. If your measurements are not useful, don’t be afraid to change them or throw them out and start over. Your measurements should serve your business. Measurements and metrics are tools to evaluate your success and make more informed decisions. If your measurements do not provide value, implement different ones to meet your business needs.
  
• Always ask: Are these measurements meaningful? Are they useful? Your measurements don’t have to be perfect as long as they move you toward your goals.