Challenges with human capital and leveraging technology

When Ann Wright, Director of IT and Informatics at OrthoNebraska Hospital, assumed oversight of the clinical and technology teams a few years ago, it gave her a holistic view of the organization’s network, systems, and information security.

Despite recent improvements, Ann and her team discovered significant gaps in incident response and security operations, including Managed Detection and Response (MDR), and security information and event management (SIEM).

Cybersecurity expertise and staffing were also a challenge.

“We needed dedicated roles for an Information Security Officer, SOC and SIEM management, medical device monitoring, and vendor risk assessments, etc.,” explains Wright. “The internal lift was far too big for one person to handle. And even if we found a unicorn that could handle it all, it would be cost prohibitive to hire them. Additionally, we desired a resource who would be able to scale with our growing organization. We knew our best path forward was to partner with a managed security services provider (MSSP).”

Streamlining security solutions with a new partner

OrthoNebraska received a recommendation from a trusted health IT supplier to consider Fortified Health Security. And as it turned out, Fortified offered a Virtual Information Security Program that could provide OrthoNebraska access to an experienced security and compliance leader (vCISO/VISO), along with a skilled team of cybersecurity professionals that could support their technology and human capital investments.

Fortified’s Threat Management and SOC services, including SIEM, threat assessments, incident response services, as well as the technology and systems they use to gather meaningful and actionable data, would also make it possible for OrthoNebraska to address their information security gaps while streamlining vendor services.

“Managing vendor partnerships can be a job in itself. Having a single point of contact in our vCISO, who could provide guidance while also overseeing our SOC and SIEM was incredibly appealing. It would enable our team to concentrate on other priorities and operate more efficiently,” says Wright.

Securing the house

After careful evaluation of three other MSSPs, Wright and her team concluded that Fortified was the optimal solution to meet OrthoNebraska’s immediate and future needs. However, gaining support from senior leadership was also essential for progressing with the decision.

Rather than emphasizing the technical aspects of Fortified’s solutions, Wright shared her recommendation by drawing an analogy between the organization and a house.

“When considering how people typically protect their homes and the valuables within, they install sturdy locks on doors and windows.  However, as we discovered from a ransomware attack in 2016, breaking a window or picking a lock is not difficult,” shares Wright. “Even after reinforcing our windows, upgrading door locks, installing a home security system, and acquiring guard dogs for the front yard, these measures could still be breached. To continue with this analogy, I emphasized that to adequately protect our ‘house,’ we needed guard dogs both inside and outside, round-the-clock surveillance with cameras and human monitoring, stronger doors, keyed locks, and even potential window bars. Fortified Health Security’s offerings would make this comprehensive protection possible.”

Wright’s analogy not only clarified OrthoNebraska’s needs and justified her recommendation of Fortified to the senior leadership team, it also illuminated what was needed in order to effectively safeguard the organization.

Mindful implementation – a collaborative approach

Having obtained support from OrthoNebraska’s senior leadership, Wright coordinated with the Fortified team to implement the cybersecurity services in ways that wouldn’t overwhelm her own team.

Fortified took charge of the intricate tasks involved in setting up the necessary people, processes, and technology, allowing Wright’s internal team to remain available on an as-needed basis.

“The Fortified team was very mindful and respectful of our time,” says Wright. “Everyone we worked with during the implementation process was cognizant about our resource allocation and careful to not cause undue disruption or turmoil.”

Successful results and a positive partnership

A year and a half into the partnership, Wright and her security team have been able to focus on managing their network and system more efficiently. They’ve also had no incidents to report.

“The fact that I’ve been able to just update the senior leadership team without having to ask anything of them has been really satisfying,” said Wright. “In the realm of cybersecurity, no news is good news. It’s great to have a partnership where we can focus on our day-to-day work and keep things running smoothly.”

Another positive outcome was the impact on OrthoNebraka’s cybersecurity insurance.

In recent years, obtaining industry-wide cyber insurance for hospitals has become increasingly challenging, with complex underwriting processes and continuously rising premiums. Due to the partnership with Fortified, Wright had complete confidence in their security measures when filling out the insurance renewal questionnaire. Her responses also boosted the actuarial confidence of the insurance companies.

Not only did their provider reduce their premiums by 23%, but several other companies were competing for their business as well.

“The time and cost savings, improved efficiencies, and the confidence gained from better protecting our ‘house’ have delivered the return on investment we’d hoped for. However, what sets Fortified apart is how they conduct their business,” says Wright. “We’ve dealt with vendors who disappear after implementing their service or solution, but that’s not the case with Fortified. We have ongoing communication with multiple team members who genuinely care about helping us safeguard our organization, patients, and community. It’s a true partnership.”