How to Strengthen Your Security Program
Published On February 19, 2021
Blog Post by Kaleb Harris, Research Director - HIT Implementation & Cybersecurity at KLAS
Health systems are experiencing a barrage of cybersecurity attacks. Establishing a strong security program is paramount to thwart bad actors’ plans of gaining access to critical data and systems.
The majority of health systems have a security program in place, but programs will continually need to be strengthened and refined. What can health systems proactively do to continually enhance their security programs? KLAS reached out to five healthcare-focused cybersecurity firms and asked the following question:
“What can health systems do today to avoid pitfalls and gaps in their security programs?”
To optimally manage cyber risk, health systems need to understand their IT systems' scope, the reasonably anticipated threats to those systems, the vulnerabilities within them, and the safeguards in place to protect them. Next, they need to understand the likelihood of those threats exploiting a vulnerability or breaching a system as well as the business impact to their organization if that were to occur. With this information, security leaders can inform their executive team on the existing risk, the investment needed to mitigate that risk, and where to most effectively apply that investment to reduce their risk.
Healthcare security programs are often underfunded, inadequately resourced, and frequently less mature when compared to other industries. Closing this gap must be a priority. While risk assessments are necessary for attestation, they are rarely relatable to the business of healthcare. To be effective, security risks must make sense to top executives and board members and provide clear visibility of potential operational impact. Organizations should move from “qualitative only” risk (high-medium-low) and incorporate more quantifiable and actionable language. This approach will increase executive engagement, foster support, and ultimately drive higher value from security programs as they support the business of healthcare.
Health systems should make it an imperative to holistically address risks and threats through the adoption of a risk management framework (RMF). The federal government has created incentives through a recent HIPAA Safe Harbor ruling for health systems that can demonstrate the implementation of “security best practices,” which many experts interpret as the adoption of an RMF such as NIST or HITRUST.
RMF adoption can benefit all organizations by bringing together security, privacy, compliance, and supply chain risks within a unified program. The most effective RMF programs are not one-time events but rather an ongoing process geared toward maturing the cyber resilience of the organization.
As cybercriminals continue targeting the healthcare sector, it is absolutely essential for organizations to execute security fundamentals, namely, education, patching, identity and asset management, and monitoring systems. Significant strides in an organization’s security posture can be made by implementing a consistent patch management strategy, inclusive of third-party patching, along with reviewing users and their access privileges. Having full visibility into network activity is key, as is enabling authorized access controls, such as multifactor authentication. Lastly, education through a comprehensive security awareness program focused on phishing risks strengthens an organization’s overall security posture and reduces its attack surface.
Assess - perform annual enterprise-wide security risk assessments. Use frameworks like NIST and HITRUST. Perform routine penetration tests to find the security gaps before the hackers do.
Maintain Compliance - document your risk analysis and implementation controls aligned with HIPAA and maintain a risk register. Pay attention to major regulatory shifts underway for HIPAA, HITECH, CMS, OCR, and state regulations.
Manage Third-Party Risk - mature and automate your vendor risk management program to combat supply chain risks.
Prepare - update incident response plans and test them often. Focus on ransomware simulations, phishing, and cloud hacking attacks. Expect and prepare for class action lawsuits.
Cybersecurity is a continuous journey and not a destination. Health systems and cybersecurity firms must continually work together to combat the evolving attacks from bad actors. Steady education and concerted efforts to strengthen security programs and tools are essential to start stemming the tide in cybersecurity.