Cyber Risk Management: The Ultimate Endurance Sport
Published On October 10, 2022
What does it mean to win at cyber risk management?
Succeeding in cybersecurity and risk management is not about stopping a single attack or checking a box for compliance or security control implementation accomplishments. It is not about climbing a mountain, planting a flag, and declaring victory. Instead, cyber risk management is a dynamic game where the rules, adversaries, and tactics are constantly changing and evolving.
Cyber risk management has become the ultimate endurance sport that requires relentless conditioning, practice, teamwork, and assembling the right equipment, leaders, and gameplan to prevail day in and day out.
This blog post provides a playbook for assembling elite healthcare cybersecurity and risk management programs that are built to endure and dominate the game we have all suited up to play.
Assemble a High-Performing Team: Get Good Coaches and Players
Great teams are inevitably a product of assembling great coaching and players that excel at their designated positions. The following areas are essential to building a cybersecurity team that knows how to win.
- Leadership – Healthcare cybersecurity and risk programs need a strong leader to succeed. Having a dedicated CISO who understands the industry and has the requisite experience to teach and guide the team is essential for a high-performing program. This can be a full-time CISO or a part-time Virtual CISO (vCISO), depending on the organization’s size and needs. However, leadership responsibility does not rest solely with the CISO; every team member must be willing to step up and lead the organization using their own specific skill sets and capabilities.
- Recruiting, Hiring, and Retention – Great team members and skilled players aren’t always available when we need them the most. Cybersecurity teams must be proactive in hiring, training, and recruiting top talent at all times. Like many major sports, we have salary caps and budgetary limitations and a finite set of top players in the industry that can join our team. Check out Meditology’s Cybersecurity Talent Supply & Demand: Healthcare Hiring Guide for recommendations for building an elite cybersecurity team.
- External Partners – Sometimes you need to bring in some substitutes to provide fresh legs, energy, and ideas to jump-start or boost a team’s results. Cybersecurity programs have increasingly come to rely on skilled and specialized third-party cyber solutions providers to bring in the expertise or manpower to move projects across the goal line. Meditology Services and CORL Technologies offer a range of services to support your program including staff augmentation, third-party vendor risk management, HIPAA compliance, HITRUST & SOC 2 certification support, and much more.
- Engage the Fan Base (i.e. Engage the Business) – Business leaders outside of IT, cybersecurity, and compliance can often be the greatest supporters and influencers for change in the organization. Similarly, every member of the workforce has a role to play in securing a win and defending the organization against cyber-attacks. It is essential to engage the fan base and educate and arm them with the cyber intel needed to defeat adversaries on all fronts.
Have the Right Equipment
Even the best players can be hampered or fail in their objectives if they don’t have the right equipment and tools to do their job effectively. Cybersecurity and cyber risk management can no longer be managed by spreadsheets, emails, and manual processes alone.
- Security Tools & Automation – The cybersecurity solutions and tools space has exploded in recent years, to the point where identifying the best equipment for your team can be a daunting challenge. Automation is required to scale our cybersecurity programs and improve the quality of our performance. Healthcare organizations must invest in tools and automation capabilities but must also ensure that those tools have the proper strategic planning and manpower in place to make them effective.
Training and Conditioning: Get in Good Cyber Shape
- Master the Fundamentals – Michael Jordan is famously one of the most talented athletes of modern times, but it is often overlooked how obsessed he was with mastering the fundamentals of his sport. Cybersecurity leaders and teams can, at times, be tempted to rush into investments in the latest technology solutions or buzzwords of the day. However, the fundamentals of strategic planning, aligning with security control frameworks, and maintaining proper “cyber hygiene” remain the most effective ways to build and sustain a winning cyber franchise. Each control domain requires attention and a dedication to continual improvement, in areas including but not limited to access controls, audit logging and monitoring, vulnerability and patch management, and third-party vendor risk management.
- Practice – There is no athlete in the world that can excel in their sport without practice and preparation. Practice creates the muscle memory required to deliver peak performance at the times that matter the most in the game. Cybersecurity programs and healthcare organizations must be continually practicing and simulating attacks and response activities to build the proper muscle memory to defeat cyber adversaries. This includes but is not limited to conducting routine penetration testing exercises, security risk assessments, and tabletop incident response simulations.
Call the Right Plays
Cybersecurity, like many team sports, requires a skillful coordination of players and skill sets that can work together to execute the right play for the right moment. There are times when underperforming cybersecurity teams can resemble kindergarten soccer teams, where all the players wildly chase the ball in a frenetic herd formation.
A high-performing cyber risk management team needs planned activities and playbooks that are tailored to the moment. For example, an effective ransomware attack response may look very different from an effective response to a lost or stolen laptop. The following areas should be considered for developing the proper playbooks for cyber risk teams.
- Strategic Planning – Cybersecurity programs must develop a cohesive strategic plan to operate at a high level. This includes multi-year strategic planning, informed by risk assessment data and external threat intelligence, that establishes a prioritized roadmap for the continued maturity and operational effectiveness of the team. Strategic plans should be aligned with industry frameworks such as the NIST Cybersecurity Framework and the HITRUST CSF so that the major control areas and considerations are incorporated.
- Adapt to Gametime Conditions – It has been said that no plan survives contact with the enemy. A good strategic plan must be flexible and adaptable to situations on the field. Emerging risks like cloud security and medical device security require winning teams to adjust their planned strategies to keep pace with new and evolving cyber risks.
- Playbooks – Incident response approaches can vary greatly depending on the type of incident and severity of the situation. Healthcare cybersecurity programs must develop a set of playbooks designed for the most common and anticipated threats. Common examples of playbooks include malware response, ransomware response, insider threat response, compliance and audit investigation management, and more.
Know Your Competition
Cybersecurity and risk management is not a game played alone, within the comfortable and predictable confines of our own organizations. There are innumerable competitors and threat actors vying to gain access to healthcare organizations and networks for financial gain.
A high-performing cybersecurity program must have a high degree of awareness of the competition. This includes being able to answer the following key questions:
- Who are our adversaries?
- What are their objectives?
- What are their capabilities?
- What are their tactics?
- Where do we match up well and not so well?
Avoid Costly Penalties
Have you ever watched a football game where the team keeps moving in the wrong direction due to unforced penalties and rules violations? Cybersecurity programs are often guilty of similar infractions that move the program in the wrong direction altogether.
Here are some of the most common self-inflicted penalties to avoid in our field:
- Office for Civil Rights (OCR) & HIPAA Compliance – The HIPAA Security Rule has been enforceable since its 2005 compliance deadline, well over 15 years ago. OCR, the referee of healthcare cybersecurity, has been enforcing the rules and issuing penalties for noncompliance for years. High-performing organizations must become intimately aware of HIPAA rules and regulations and have programs designed to avoid self-inflicted penalties, which can run into the millions of dollars.
- Class Action Lawsuits – OCR is no longer the only referee on the field. Class action lawsuits have exploded onto the scene in the last few years as patients have become fed up with bearing the burden of cyber breaches with little to no recourse for compelling healthcare entities to better protect their information.
- PCI Fines – Credit card data and payment systems remain high-profile targets for cyber adversaries. Healthcare organizations must invest in PCI DSS compliance programs and initiatives to avoid costly penalties, which are assessed by the card brands through acquiring banks.
Measure Progress & Improve
High-performing athletes and teams are increasingly using data analytics and modeling to help take their game to new heights. Cybersecurity and risk management teams must also embrace the age of big data and analytics to inform and mature their programs.
Here are some of the most effective ways to measure and manage the effectiveness of your program to create an environment for continual improvement.
- Security Risk Assessments – Security risk assessments have become one of the most foundational and effective ways to measure the maturity of your program. A comprehensive security risk assessment should align with industry-standard frameworks, incorporate ‘trust but verify’ principles (validating controls through evidence rather than interviews alone), and be conducted on a routine basis so that the progress of remediation can be measured over time. Learn more in Meditology’s related blog post: Healthcare Security Risk Assessment & HIPAA Security Risk Analysis FAQs.
- Penetration Tests – Penetration testing is one of the most effective ways to test your program against real-world, gametime conditions without having to face an actual malicious adversary. Learn more in our related blog post: Take a Pen Test Pill: Inoculation for Ransomware.
- Security Certifications – Third-party validations of your cybersecurity program against rigorous standards are a powerful means of measuring and proving the effectiveness of your program and team. Security certifications like HITRUST and SOC 2 Type II are the most commonly deployed assurance mechanisms in healthcare. Learn more in Meditology’s podcast episode: Certification Symposium: HITRUST & SOC 2 Leading Practices.
- Enterprise Risk Reporting – Effective measurement and management of cybersecurity teams and programs must include correlation of risk reporting data across a wide variety of sources. This includes developing Key Risk Indicators (KRIs), Key Performance Indicators (KPIs), and other measurements. Meditology has developed a state-of-the-art technology and enterprise cyber risk management reporting solution designed for healthcare. Learn more about our capabilities in our Enterprise Risk Reporting service center.
Taking Your Cyber Game to the Next Level
Every high-performing athlete and team needs top-notch coaching and an attitude of continual improvement. This is where Meditology comes in. Meditology is the Hank Haney to Tiger Woods, we are the Vince Lombardi to the 1967 Green Bay Packers, we are the Mickey Goldmill to Rocky Balboa…well, the last one is fictional, but you get the idea.
Meditology works tirelessly behind the scenes to develop and maintain the most prestigious and accomplished cybersecurity teams in healthcare. We provide the experience, the knowhow, the tools, and the methodologies that consistently deliver healthcare cyber risk champions.
Contact us to learn more about our services that can help you take your game to the next level and begin to build your cybersecurity and risk management dynasty.