Why hospitals must focus on risk assessments, breach response to strengthen cybersecurity

Julia Hesse gets real about the inevitability of a breach and some simple steps for organizations to better prepare.
By Jessica Davis
12:41 PM
Share
cybersecurity risk

The last few years have shown cybersecurity is a major issue within the healthcare sector, which has fueled a shift toward better awareness among healthcare organizations -- including buy-in at the executive level -- to increase security program funding and better educate staff.

To Julia Hesse, a partner at law firm Choate Hall and Stewart, within the last year the enterprise risk has become clear. Beforehand, compliance officers and security teams were routinely attempting to convince the board that cybersecurity needed to be a top priority.

“Continued pressure, attention and leadership at this level will fuel the shift into better hygiene,” Hesse said.

So when organizations begin to build a more realistic security program, its leaders should focus on three key areas: vendor risk, risk assessment and breach response, said Hesse.

One of the key risk areas Hesse sees from both the legal and pure security side is vendor risk -- highlighted recently by the third-party breaches caused by misconfigured cloud storage buckets.

To Hesse, one way to mitigate this issue is to require vendors self-certify to a third-party risk assessment standard. From a pure workload perspective, it’s more efficient than an organization’s team performing the assessment.

“From a legal perspective, when you require the vendor to self-certify, they can make contractual obligations to meet those standards,” said Hesse. “It provides concrete, substantial hooks to get the vendor to meet those standards.”

HITRUST is one of the standards that Hesse said is used more commonly as part of the self-certification process.

Risk assessment within an organization is also crucial to improving security posture, she said. It’s a historical fact that one of the biggest risks to healthcare organizations are Franken systems: devices, standalone systems, different hospital units and the like.

“Trying to coordinate all of that is incredibly difficult,” she said. “Inventorying that and making sure all of these disparate systems are patched appropriately and maintained are the biggest challenge.”

Security assessment should be annual and performed internally or by a third-party to stratify systems and vendors, as well as a further review of high-risk systems, said Hesse.

“The challenges of aggregating all systems operation is quite a challenge,” Hesse said. “The risk with each becomes so overwhelming. We’ve seen it a challenge to maintain.”

But through a “risk stratification system,” there’s a general principle that looks at the amount of data being run through a system, along with the sensitivity of that data, how frequently it’s used and whether it’s a mission-critical system. The system would then be scored on a grid.

“Each system would end up coming out with a number,” said Hesse. “Systems with a lot of mission-critical data would need a higher level of review -- as compared with those less frequently used.”

Organizations should try to avoid the number of disparate systems and phase out legacy systems if clinically possible, Hesse explained.

And a pressing item: “The cybersecurity interoperability of systems as part of the purchasing process. How do we maintain them? And avoid perpetuating the problem?”

Lastly, as Hesse said she feels there’s a chance everyone is going to be hacked at some point, organizations must test emergency procedures in detail. Security leaders should drill staff -- down to the level of the phone tree that establishes who to call when a breach is detected on the system.

“Time matters at the beginning of an incident and losing time because you didn’t identify those needed things -- insurance, all of those steps -- will be problematic,” said Hesse. After a breach, the security professional should only need to focus on the threat itself -- and not be bogged down with administrative issues.

Hesse and GuidePoint Security Managing Director Sonia Arista will discuss these ideas during the session “Let’s get real: Creating a practical data security program,” at HIMSS18 in Las Vegas 8:30 a.m. March 8 in Marcello 4401. 

HIMSS18 Preview

An inside look at the innovation, education, technology, networking and key events at the HIMSS18 global conference in Las Vegas.

Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com