3 Key Initiatives for Understanding and Communicating Risk to Your Stakeholders Effectively
The modern healthcare landscape is rapidly changing due largely to healthcare organizations investing in and adopting new technologies and digital services.
Across the industry, organizations are deploying new applications to drive disease prevention and better manage chronic health conditions. New technologies also facilitate better patient engagement and compliance with care at home and improve the overall patient experience.
There’s also increased use of telehealth and remote patient monitoring services, which effectively reduces patient/provider time in an office setting. This helps to reduce costs, provide more consistent communication, and accelerate patient treatment while enabling clinical intervention and support.
In addition to these advancements, healthcare organizations are deploying new and more effective patient care delivery models at scale while investment firms consolidate providers into larger physician practice management organizations. As organizations expand, many are leveraging new technologies as a key part of their business strategy.
While this rapid technology adoption may lead to better and more efficient healthcare, it also introduces new risks to patients and their sensitive data. In addition to this increased risk are also more regulatory and compliance mandates. Many organizations struggle to develop effective, ongoing risk analysis and management practices, especially as enterprises expand and change.
The Symbiosis Between Cyber and Business Risk
Today’s healthcare landscape includes an ever-growing attack surface – more data, applications, and endpoints.
Healthcare providers are more dependent on technologies to deliver experiences patients want and expect, and as a result, the amount of data shared has increased. In many cases, the systems that create and transmit this data are critical to care delivery.
Covered entities face risk management challenges as their business associate network grows, especially as they share electronic patient health information (ePHI) with more third and fourth parties.
Cybercriminals are taking advantage of this. They target healthcare, knowing that patient data is valuable, and in many cases, healthcare cyber defenses are immature. Healthcare falls victim to more ransomware attacks than any other industry. And a recent report found that some 25% of healthcare organizations that experienced a ransomware attack were forced to halt operations completely. Another 24% of provider organizations who experienced a ransomware attack reported an increase in mortality rate following the attack.
Cyber risk is an often-overlooked-yet highly impactful-business risk. Surprisingly, many healthcare organizations only conduct annual high-level control assessments and don’t spend the time to assess risks at the information system level. As a result, they don’t truly know where gaps exist and leave potentially high risks unmanaged.
Healthcare organizations must evolve their security and compliance programs beyond completing high-level control assessments and conduct comprehensive risk analysis of all ePHI systems.
Knowing your risks, keeping systems up and running, and protecting ePHI are essential, not just in terms of operational resilience but also in meeting HIPAA compliance and achieving business goals.
And effective risk response and management for cyber resilience isn’t a one-and-done process. Responding to and managing risk should happen on an ongoing basis. That includes all systems with ePHI and those critical to operations.
So, what does this mean for your healthcare organization? In many cases, improvements will be needed to achieve cyber resilience.
Understanding Business Risk
Ultimately, cybersecurity is a business risk. The business decisions that boards and executives make are typically supported with data and analysis, but there has long been a disconnect between IT, security, and compliance teams and their stakeholders.
Why? Because far too often, these teams present technical information stakeholders don’t understand instead of connecting security and compliance directly to business objectives.
Here’s a good example: have you ever requested critical and much-needed investments into your programs only to have them denied for cost savings? This often happens because security and compliance teams don’t give executives enough data to back up those requests. And, even when they do, that information frequently lacks quality and isn’t based on specific scenarios the organization faces. There’s rarely alignment with business goals and program objectives.
However, you can get executive buy-in and support by connecting business risk and cyber risk for them. The following three initiatives should be part of your cybersecurity strategy as they are critical to helping you understand and mitigate cyber risk more effectively and will help you communicate your cyber and business risk more effectively.
- Conduct an enterprise-wide risk analysis of all your ePHI information systems at the information system level.
Enterprise-wide risk analysis at the information system (or application level) may seem daunting, but automating and streamlining these processes makes for more efficient analysis and more complete outcomes. Clearwater does this through its IRM|AnalysisÒ software. Using the software, our deep bench of cybersecurity and compliance experts (or the provider’s internal risk analysts) inventory all an organization’s applications (and their components) that handle ePHI, identify vulnerability and threat scenarios, evaluate controls, and determine the likelihood and impact of risk to the organization.
This rigorous and comprehensive process is made easier with technology that can fill many healthcare organizations’ gaps due to a lack of skilled professionals and limited resources and budgets. Additionally, now the organization has this information in a platform they can use to conduct ongoing risk analysis as changes to their environment occur.
You can use the built-in analytical tools and identify common control deficiencies contributing to the greatest risks in your organization. Reporting tools help you communicate risks-and the most optimal risk mitigation actions-directly to your C-suite and board in terms they understand.
With this approach, you can provide more tangible, specific, and actionable remediation plans to your key stakeholders to optimize security investments that result in the greatest risk reduction for dollars spent-and your teams will be better poised to get the financial and other types of support needed to meet your security and compliance objectives.
- Complete a Business Impact Analysis (BIA)
Breaking down traditional silos between IT, security, and compliance with your executives is a balancing act. It’s important to illustrate effectively (often in dollars and cents) the reality of the impact of ransomware or breach of ePHI.
Conducting a BIA is one way to solidify the relationship with your stakeholders and demonstrate the value of risk reduction.
A BIA should include direct engagement with business and clinical leaders-not just IT or security-to map out business and clinical processes for all departments across the organization.
Begin with business processes and then expand into a closer look at specific information systems, people, and infrastructure supporting those processes.
It’s important to consider what could happen if a certain system went down, the impact on patient care delivery and safety, and the business. This helps identify costs and can be used to determine recovery time objectives (RTOs) and recovery point objectives (RPOs).
By conducting a BIA, your organization can reap the benefits of what happens when business leaders better understand how important technologies are for operations and that reducing risk to those systems is paramount.
- Leverage Threat Detection and Response
Threat detection and response is another area where healthcare organizations often invest too little; however, it’s critical for cyber resilience.
We’ve seen healthcare organizations laser-focused on the newest technologies, tools, and features throughout the years without getting actual value from those tools because they don’t have the resources or expertise to properly configure them or use them as intended to deliver optimal results.
Ask, “Does this tool do what it’s supposed to do in our specific environment?”
Security, IT, and compliance resources are also scarce for most healthcare organizations. It is difficult to realize the full benefits of these tools when one does not have the people to use them -but even so, threat detection and response cannot be overlooked.
A better approach for many organizations may be to outsource their threat monitoring, detection, and response to a managed security services provider with a dedicated 24x7x365 Security Operations Center.
Healthcare organizations are learning the hard way (i.e., increased breaches and record exposures) that cybersecurity is increasingly complex. As a result, they need more support from partners specializing in risk management, security, and compliance to augment internal resources as an extension of existing teams.
Managing Spend
Because of resource constraints and financial challenges, healthcare has long underinvested in cyber resilience. A common question is, “How much will this cost?”
The reality is that it’s difficult to put a number on how much an organization should spend on cybersecurity as a percentage of an IT budget. Why? Because so many areas are important.
How much an organization invests in each area of its cybersecurity program should be based on risk tolerance and resources.
Too often, however, healthcare organizations don’t focus enough time and energy on risk analysis and risk management. And, while there may be a tendency to buy the latest and greatest tools and technologies-there’s often a void in determining if it will drive down the greatest amount of risk.
Healthcare organizations should use risk analysis to identify risks above their risk threshold. If a risk is above that threshold, determine if your organization will accept, transfer, avoid, or mitigate that risk. Risk mitigation may require additional investments to bring that risk to an acceptable level.
The takeaway: if your organization is evaluating an IT investment, be sure to budget to assess risks and factor risk into your investment. Conduct a business impact analysis, and evaluate alternatives that are more practice to monitor for and respond to threats.