“Your first report is going to be bad-and that’s ok,” says Chuck Podesta, CIO of Renown Health.
Podesta is referring to a risk analysis report, which Renown Health does annually to ensure they understand where their greatest risks lie, how they’ve changed over time, and ensure they have controls to address them. In a recent conversation with Clearwater VP of Consulting Services Dave Bailey, the two discussed the importance of having good baseline data-even if that data is scary.
Podesta says the baseline report of your risk analysis is key to building a great remediation plan and ultimately creating something that can be built upon year after year. “Every year, new things come up; five or six years ago, we didn’t even think about ransomware, and now it’s one of the most dangerous things out there,” explains Podesta.
Bailey stresses that having a plan and working that plan is critical to building organizational resilience. If cyber resilience is the ability to operate in chaos effectively, knowing what to do in a crisis, having practiced it prior, and anticipating that chaos will occur can be the difference between shutting down an attack before it impacts patient care and having a full-blown crisis on your hands.
The implications to patient safety are enormous and somewhat new regarding ransomware and other cyberattacks. “One of the things we’ve always known is that cyberattacks cause a financial burden,” explains Bailey. “But what’s really alarming is that 22% of healthcare organizations reported an increase in mortality rates associated with cyberattacks.”
The good news is that leveraging cybersecurity best practices-and being able to demonstrate that those practices are in place before an incident-is not only favorable in the event of an audit or investigation but creates the kind of security posture that makes an organization less vulnerable to an attack and better able to respond and mitigate the impact should an attack occur.
While the following five best practices aren’t the only ones you should have embedded in your cybersecurity strategies, they top the list and offer organizations a good way to begin forming and maturing their plans.
Five Best Practices for Building Cyber Resiliency
Ensure You’re Insured
Cyber insurance is an important tool in your toolkit; it’s there to help protect and aid your organization in the event of a breach. However, claims are also increasing as cyber incidents increase. In response, insurers are adding requirements for clients to reduce the likelihood of being asked to pay on a policy. Alongside added policy requirements, cyber insurance premiums are rising-so much so that some healthcare organizations are considering a self-insured approach.
Among the added requirements insurers are looking for, these four have become critical:
- Continuous Security Monitoring: without the ability to continuously monitor your environment, you are defenseless in detecting a cyberattack.
- Endpoint & Network Detection & Response: The endpoint is still an extremely critical part of the attack surface. If you don’t have good endpoint protection, it’s very difficult to thwart disruptive attacks.
- Multi-Factor Authentication: You should be using multi-factor authentication everywhere that you’re protecting sensitive and privileged information. Every person in your organization is part of your attack surface and threat actors are looking to access identities and credentials. Multi-factor authentication is a great way to limit a bad actor’s ability to gain access to this information.
- Privileged Access Management: Do you have the ability to manage the folks that need elevated privileges inside an environment?
Know Your Supply Chain Risk
Healthcare delivery is more dependent on technology and third-party partners than ever before. Digital health innovations have helped healthcare meet the demands of healthcare consumerism, sped up diagnosis and care delivery, connected the continuum of care, and extended the reach of physicians and care teams to underserved, rural, and hard-to-reach locations and populations. Our dependency on connected technology has also made us vulnerable. The current threat landscape mandates that healthcare organizations no longer trust vendors without validating that vendors can demonstrate that they have the right level of security in place.
Bailey and Podesta say it’s imperative that organizations understand who has their data and who is regularly processing, storing, moving, and interacting with that data. Business impact analysis (BIA) is a key component of this strategy as it helps organizations assess and understand the function of each technology component they’re leveraging and how detrimental it would be to the business and patient care if that piece of technology were no longer available.
Podesta also encourages healthcare leaders to go beyond simply getting a signed business associate agreement and get a line of sight into a vendor’s security program and risk assessments. It’s not uncommon for a threat actor to breach a vendor and then use their network to launch phishing campaigns across all the people the organization serves.
Continually Assess Risk
You can’t protect what you don’t know, so it’s important that organizations assess risk across all assets. Further, Bailey says it’s time for organizations to move away from the paradigm of one-time risk analysis or wait for long periods between repeat risk analyses. There’s simply too much change to an organization’s threat landscape to forgo continuous risk analysis. Two major contributors to an organization’s risk landscape include the rate at which they adopt new technologies and the rate at which bad actors find new ways to target organizations.
Part of a rigorous risk analysis is determining an organization’s risk threshold and evaluating all its identified risks against it. This is how organizations can consistently determine which risks can be tolerated and which risks must be mitigated.
Bailey says no plan is perfect, but organizations will be much better protected if they develop a plan and work it accordingly.
Podesta says a continuous cycle of risk analysis is key to Renown Health’s improvement plans and something they take more seriously today than ever before. He also explains that assessing risk for compliance and assessing risk for cybersecurity are different. While checking a compliance box may not be sufficient to protect information assets, a true asset-based risk analysis can accomplish both. Podesta says, “we’re in the patient care business-this is our duty. If you don’t have a program like this in place, it’s a detriment to your organization.”
Eliminate Legacy & Unsupported Systems
Nearly every-if not every-healthcare organization today has to run or operate some kind of legacy or unsupported environment. It’s a big problem in healthcare as maintaining legacy systems safely requires a high level of rigor. Organizations must evaluate how many versions of software they’re willing to accept past the latest level of support, their total cost of ownership, and try to minimize the exposure to the organization. Strategies like segmentation can help protect the rest of an organization’s network from the vulnerabilities of legacy systems but security challenges will remain.
Bailey explains, “these systems still have to talk and communicate with other systems in the environment, which doesn’t minimize their exposure to the overall attack surface, so it’s really important to have a plan for this technology in place.”
Podesta recommends a strategy that Renown Health uses called “application rationalization,” a process by which technology is inventoried and evaluated for its use and benefit to the organization. If the technology isn’t being used, isn’t efficient, or is redundant, it’s removed from the network.
This is particularly helpful in large organizations where technology gets purchased because it’s new and exciting but doesn’t always deliver on its promises. When this happens, it’s not uncommon for it to be forgotten while staying connected to the network. Organizations will continue to pay for software maintenance even though no one is actively using the technology, contributing not only to higher software expenses but also to unnecessary risk.
Validate, Practice, and Rehearse
If you’re going to say that you can operate under duress and minimize the impacts of a cyberattack, you cannot validate, practice, and rehearse enough. Those behaviors and processes should be embedded in your teams. If you invest millions of dollars in safeguarding and protecting your data, people, processes, and business, you must validate that those investments are doing what you expect them to do.
In other words, can they really stop an attack?
It’s critical that organizations operate with a “when, not if” mentality when it comes to cybersecurity, and with that posture, a plan for responding to the chaos of a cyberattack simply isn’t enough. It’s important that every person with a role in the plan practices making decisions under duress and without much information because that is the only way to get good at executing the plan.
Consider how your teams will respond to the stress and anxiety of getting hundreds or thousands of phone calls from colleagues who cannot access the system because there’s a ransomware message on their screens threatening to go public. Without having been exposed to that level of chaos, they are unlikely to be equipped to execute disaster recovery or business continuity plans.
Implement best practices now-reap the benefits later.
It’s hard to be resilient without a well-rehearsed strategy, so building these practices into your organization’s normal behavior is important.
Organizations often struggle to be vigilant about threats that feel far away, but the reality is that cyber threats are ever present and much closer than you might realize. As phishing attempts become more convincing and ransomware more dangerous and brazen, no organizational size or structure is immune. When it comes to patient safety and organizational resilience, your thorough, rigorous, and methodical planning will be why your organization comes through a cyberattack without crippling care delivery, finances, and your organization’s reputation.
Getting started can feel daunting. The results from a risk analysis or BIA might raise your blood pressure but cyber resiliency requires that you learn to look for the gaps, bad news, or unfavorable results so you can make informed decisions and respond appropriately.
Don’t go it alone. The Clearwater team is ready to help you tackle your known and unknown vulnerabilities with a deep bench of cybersecurity experts who live and breathe healthcare. Whether you need a BIA, your first true risk analysis, or someone to help you manage your entire program, we can help. Let’s get started.