Leadership, culture key to surviving a cybersecurity crisis
For a healthcare organization, a security incident that disrupts routine services is on par with a natural disaster. To mitigate this, most organizations put into place response plans to ensure patient care goes on uninterrupted in the event of a crisis.
But one of the most crucial elements to making it through a security event is having both the leadership and culture in place to keep the organization afloat. To retired Navy Commander Kirk Lippold, leadership, centered around integrity, needs to invest in staff so those qualities become second nature.
Part of that training includes having a vision; making sure staff understand the concept of personal accountability and responsibility; trusting and investing in your people; and professional confidence, he explained. And once staff understands these goals, they can take ownership of their choices.
“These are things that are going to make us better as an organization,” said Lippold. “A lot of times people will say they’re empowering someone…but when you trust and invest in your people, you’re creating a culture of integrity.”
“It’s you as a leader telling them what the job is, and the standard that you want to do that job,” he continued. “Giving them the tools, training and time to do that job right.”
For the healthcare sector, dominated by insider threats, that level of responsibility is crucial to protecting against security threats. Lippold explained that it’s an organization’s leadership that should set the standard for what’s expected of staff and immerse them in a culture of integrity.
Leadership should outline expectations and hold staff accountable. Lippold explained that this includes instilling in staff the mission that they’re responsible for the decisions they make.
“If you create that culture of integrity, and if you see people not following policies or procedures, or detect a vulnerability, they should have the confidence to tell you,” Lippold said. “Give them the opportunity to take initiative and innovate -- they’re going to do the right thing.”
Lippold added that this will include an open-door policy where staff can report activities within the organization that concern them. But the focus shouldn’t be on punishment, unless there’s malicious activity. Security leaders need to provide verbal counsel and try to better understand the reason behind the behavior in question.
And in a crisis, those same rules apply: “When it comes to cyber, everyone is a security manager,” said Lippold. Everyone needs to be on the lookout to make sure there’s no one taking shortcuts or bending the rules.
Healthcare Security Forum
The forum in San Francisco to focus on business-critical information healthcare security pros need June 11-12.