Strategies for Strengthening Cybersecurity Programs

Maturing cybersecurity programs leverage a range of best practices. We take a closer look at these in the new Fortified webinar and panel discussion “Cyber Risk, Budgets, and Patient Safety” hosted by Senior vCISO Tamra Durfee.

Joining Tamra on the panel discussion are Ann Wright, director of IT and informatics at Ortho Nebraska, and Erin Osbourn, CIO at ENT & Allergy Associates, which operates 70 clinics in the Northeast.

The panelists agreed that maturing cybersecurity programs excel at engagement with senior leadership. C-suite leaders often have “cybersecurity amnesia” – forgetting how devastating a single security incident can be. These leaders need frequent reminders that bad actors are getting craftier every day. Building a cybersecurity “house” is not enough; it has to be maintained long-term.

Patient care suffers immediately if an EHR goes down. The most successful cybersecurity programs are those that view system security as a patient-safety issue.

How Allies Can Strengthen Your Cybersecurity Program

Another mark of a maturing program is the ability to integrate key findings from strategic partners. A trusted MSSP can provide ongoing recommendations for ways to strengthen a program. And your cyber insurance provider can furnish risk projection models that put budgeting in perspective. For example, a model might reveal that your organization has a 4% chance that a security incident will exceed current coverage. By implementing certain policies and procedures, that risk could drop to 1%.

A risk projection model makes it easier for hospital leaders to weigh spending choices. Eliminating 24-hour SOC monitoring may seem like a tempting financial option, but it might increase the risk of exceeding your cyber-insurance coverage maximum. Hospital executives need to know that the $50K they think they’re saving today might actually cost the organization far more over time.

Smart Ways to Stretch Your Budget

Maturing cybersecurity programs share another characteristic: the ability to make wise staffing decisions. Creating a Statement of Work (SOW) agreement with a partner can sometimes eliminate the need to add a full-time employee. For example, an MSSP or consultant can develop Bring-Your-Own-Device (BYOD) policies and procedures, so you don’t need to add a staff member for that purpose.

It’s not unusual for highly trained cybersecurity professionals to “jump ship” to other organizations for higher pay. By relying on business partners, it’s less likely that you’ll get into a bidding war to maintain program excellence.

Proven business partners can also help your organization delay purchasing big-ticket items while keeping the cybersecurity program strong. For instance, adding more telemetry data in the SOC can eliminate the need to implement expensive identity/access management solutions.

Managing Third-Party Risk: An Organizational Responsibility

Some healthcare organizations make the mistake of relying on a single department, like procurement or IT security, to handle the daunting task of managing third-party risk. But maturing cybersecurity programs recognize that TPRM is a responsibility that spans every department in the organization, including senior management.

If a hospital CEO asks the question, “Who owns TPRM in our business?”, the answer should be “all of us.” Healthcare organizations shouldn’t add vendors simply because “they’re easy to work with.” The inherent risks must be carefully analyzed.

Here are two examples:

  • Every medical device has identified risks, but there’s also a risk if you choose not to replace a 15-year-old MRI machine.
  • Many software vendors now have AI embedded in their products. What are the risks to your organization? If a vendor contractually agrees to remediate specific things, what department oversees follow-up?

Cybersecurity programs that continue to mature and improve are the ones that clearly understand that information security is a team sport, not the sole domain of IT.

Watch this informative webinar today to learn more about how your cybersecurity program can stay on the winning path.
