Healthcare Virtual CISO Success Factors
Published On October 11, 2021
Blog Post by Jonathan Elmer, ITRM Team Lead & CISO at Meditology Services
The talent shortage in cybersecurity has reached critical levels, and healthcare organizations are struggling to find and retain qualified personnel. Our team here at Meditology has seen a significant uptick in placing our virtual CISO (vCISO), CISO as a Service, and Staff Augmentation resources with clients who are struggling to find, place, and train cyber talent.
This talent shortage also comes at a time when organizations are seeing increased attention and budgets being funneled to healthcare cyber risk management functions based on the escalation of breaches and ransomware.
The explosion of the “virtual workforce” in the post-pandemic environment is also making it easier for organizations to hire cybersecurity leadership and staff that live outside their primary geographies.
Our team of experienced healthcare CISOs and Virtual CISOs has learned a great deal over the years about how to establish and maintain successful cybersecurity programs at healthcare organizations.
This blog post provides a collection of best practices for establishing a world-class cybersecurity program using virtual or traditional security staffing models.
Critical Success Factors for Healthcare vCISO Programs
There are multiple factors involved in executing a successful security program, ranging from deploying the latest security tools and tactics to implementing tried-and-true business capabilities like relationship building, communication, and governance models.
The following critical success factors have been identified as having the greatest impact on the efficiency and effectiveness of healthcare cybersecurity programs based on our experience working with high-performing healthcare entities.
Meditology has identified the following eight critical success factors for the Information Security Program, which are grouped into two categories: foundational and political.
Foundational Success Factors
1. Skilled Staff
2. Business and Environment Alignment
3. Structured Approach
4. Continuous Improvement Model
Political Success Factors
5. Board and Executive Level Support
6. Workforce Support
7. Community Support
8. Regulatory Alignment
Foundational Critical Success Factors
The first set of critical success factors relate to the development and operation of a core information security team function.
Skilled Staff
The successful execution of Information Security Programs is ultimately driven by the quality and capabilities of the team involved. Cybersecurity skills and healthcare experience are in high demand. Healthcare providers are challenged with acquiring and retaining the right mix of information security leadership and staff equipped with the necessary skills and capabilities to effectively manage risk for the organization.
The introduction of virtual security staff and the remote workforce creates an opportunity to widen the cyber talent pool. However, a hybrid of onsite team members and remote staff is recommended rather than a fully remote team.
Business / Environment Alignment
The information security program and team must maintain continual visibility into the overall organizational priorities and objectives in order to calibrate the program investments and capabilities accordingly. For example, if cost saving is a key business objective, then finding “good enough” options may be preferred rather than selecting “best of breed” solutions that may cost more but have features that are less valuable to the organization than other more critical priorities. If optimal performance is a key business objective, the reverse may be true.
An understanding of the business objectives also allows the security team to communicate in a language and context that can best enable enterprise risk decision making for executive leadership.
Structured Approach
A structured approach aligned with industry standard frameworks and models drives efficiencies and improves the effectiveness of security programs. Formal structures allow the organization to better align and evaluate the relationship between plans and outcomes. Industry-recognized standards like the HITRUST Common Security Framework (HITRUST CSF) and the NIST Cybersecurity Framework (NIST CSF) also help to ensure the comprehensiveness of the program and avoid missing critical controls or scope that could result in adverse impacts to the organization.
A structure aligned with standards also helps support engagement and communication with external parties and stakeholders across the continuum of care including third party business partners and regulators.
Continuous Improvement Model
A continuous improvement mindset and model is essential for ensuring that the organizational security program learns from the events that happen and from the successes and failures of each component and capability. Ongoing periodic assessments and checkpoints are required to validate that each component or task is operating effectively and that performance is improving or maturing with each cycle.
Political Critical Success Factors
No security program exists in a vacuum. The ultimate success criteria of an information security program depend upon the organization’s ability to engage and enable the business and the community in their shared objectives of delivering safe and effective care. In addition to the Foundational critical success factors for the security program, the following Political factors should also be incorporated into the program.
Executive and Board Level Support
Executives and business leaders in healthcare settings, including Board of Directors members, have become increasingly aware of and interested in cybersecurity matters in recent years. Engaging with executive leadership to address and advise on security program initiatives is essential both to managing and responding to cybersecurity incidents and to broader program decisions.
Investment in the security program and executive support are fundamental to driving and maintaining a culture of information security across the enterprise.
Workforce Support
Information security is everyone’s responsibility. An information security program is most effective when the workforce is well informed and equipped to protect the enterprise from an increasingly sophisticated threat landscape that often targets end users. Failure to engage the workforce – consisting of employees, contractors, consultants, volunteers, and any other team members – can result in security breaches and outages sourced from both intentional and unintentional violations of protocol.
Community Support
Failure to gain support from the wider community, due to either the actual or perceived failure of the security program, can result in additional regulatory and journalistic scrutiny as well as reputational damage that can impede the success of the overall organization. Successful Information Security programs must put patients and the community first in their decision making and in their investments in information security protections and response capabilities.
Regulatory Alignment
Adherence to state and federal regulations, including the HIPAA Security Rule, is a fundamental expectation and requirement for healthcare entities. Healthcare breaches and enforcement activities from the Office for Civil Rights (OCR) have been on the rise in recent years. Security breaches have resulted in sanctions ranging from civil monetary penalties (i.e. fines) to substantive costs related to ongoing government oversight and corrective actions.
Virtual CISO Leading Practices
A fractional CISO or virtual CISO has advantages in terms of budget and access to highly experienced cyber leaders. However, there are some risks and tradeoffs that need to be managed because of the remote nature of the role.
The development of formal strategic and operational plans is essential to keeping the team and program on track when the team is spread out across different geographies. Tactical plans should be developed that include Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs) to track progress of the program.
Routine checkpoints and a formal communication plan are also critical to keeping the business and cyber risk teams on the same page. This may include daily operational team calls, participation in standing IT and business meetings, monthly leadership briefings, and quarterly executive reports.
Depending on the organization’s size, security programs should also have a dedicated security team member at a manager or director level onsite to provide ‘boots on the ground’ support for the vCISO.
Contact our team here at Meditology to learn more about our healthcare virtual CISO & staff augmentation services and how we may be able to support your cyber risk program.
Our virtual and staff augmentation resources include, but are not limited to:
- Interim & Virtual Healthcare CISOs
- Cloud Security Specialists
- Security Engineers
- Auditors & Compliance Staff
- Vendor Security Risk Management Experts
- Security & Privacy Analysts & Managers
- Penetration Testers
- HIPAA Experts
- Medical Device Security Experts