Redefining Cyber Risk Management
“We knew there were better strategies than rushing through a risk assessment at the end of every year to check a compliance box,” says Jackie Mattingly, CISO at Owensboro Health.
Mattingly explained that using an isolated approach to cyber risk management meant most of their efforts were focused around their EHR, leaving multiple other risks across the organization unidentified and therefore, unremedied.
“Most of these major EHR systems have a pretty good grip on security for their systems. We use Epic and they have things pretty well buckled up,” Mattingly said. “They’ll actually notify us if they detect an incident but it’s the many other ancillary systems we use that pose a greater threat. You really have to assess risk across the enterprise.”
It can be challenging to get everyone on board with an enterprise cyber risk management program. Mattingly explained that it’s easy for a hospital or health system to find themselves siloed in their approach to security because vendors sell apps, devices, and software to different decision makers across the organization. It would be easy for someone in a clinical specialty to make a purchasing decision for technology that can improve diagnostics and patient outcomes without realizing that the technology violates certain aspects of the organization’s security policies.
Mattingly says this doesn’t mean a purchase gets shuts down, but rather that their Cyber Security Committee reviews and documents all the risks and finds other ways to isolate and remedy the risks posed by the vendor’s software.
“We’re all in this for patients,” Mattingly said, “so if it’s the best thing for the patient we will take a look at how we can use the technology safely within the organization while still protecting our systems, assets, and most importantly, patient data.”
Confidence in the Face of an OCR Investigation
Owensboro Health has been working with Clearwater since 2016, utilizing the IRM|Pro® software to assess, document, and remedy threats and vulnerabilities. Clearwater’s consulting team has helped Owensboro conduct risk analysis, workforce training, mock OCR audits, and more. Mattingly says the partnership was key when they found themselves face to face with an OCR investigation a few years ago.
“The team involved in the OCR investigation got on the phone and when we told the OCR that we were working with Clearwater they were satisfied. They said, ‘you’re good.’ It could have gone on longer and had a different outcome but working with Clearwater gave us and the OCR a different level of confidence that we were covering our bases.” Mattingly said.
Early in 2021, Owensboro Health decided to expand their cyber risk management strategy and initiate a continuous, comprehensive enterprise cyber risk management program through Clearwater’s managed services program, ClearConfidence™.
Mattingly says she meets weekly with the Clearwater team to assess systems and risk across the organization. Gone is the panic at the end of the year or the surprise when it comes time to conduct interviews. She says the organization is more familiar with the questions they ask, and the process for managing cyber risk and protecting patient data is now widely accepted and appreciated. As an executive leader, Mattingly says that having Clearwater’s team of industry experts to bounce ideas off or help tackle complex risks is key to ensuring the organization is secure against the ever-changing threat landscape in healthcare.
“We’re all in this together, and it takes a village to combat what we’re dealing with today in the current cybersecurity environment,” says Mattingly. “We’re all fighting the same fight to protect our data and take care of our patients; I think this partnership will continue to grow.”
Deliverables:
- Create a comprehensive cyber risk management program to reduce inefficiencies and create organizational buy-in to critical cybersecurity standards and policies
- Deliver ongoing risk assessment on new and existing information assets
- Partner in ongoing strategies to enable the organization to leverage innovative technology while protecting patient data
Outcomes:
- Clearwater’s ClearConfidence™ managed services program equips Owensboro Health with access to industry experts to help troubleshoot and remedy organizational threats and vulnerabilities continuously
- Weekly meetings between Owensboro Health’s team and Clearwater ensure risk is assessed on an ongoing basis and risks analysis is continually updated
- Owensboro Health employees understand, prepare, and participate in ongoing cyber risk management initiatives with better familiarity and a shared understanding of the value and importance of the program