How Healthcare CISOs Can Triage IT Risk

Determining Cyber Risk: A New Frontier for Healthcare Information and Security Officers
09:31 AM
Businessman looking at analytics dashboard.

For years, IT decision making in healthcare has typically revolved around the question: “What is the benefit to end-users?

Whether it’s patients, physicians, nurses, or support staff – technology decisions and the accompanying ‘risk’ were based upon the impact on the user and how that translates to the patient.

In the face of onerous regulations mandating how data and information is handled, the user impact criteria is no longer enough to understand the true risk that technology adoption can introduce into the healthcare setting.

Healthcare CISOs need to understand how every employee, application and IT technology impacts their risk profile, especially as they invest in digital transformation strategies. This will require a redefinition of the way they asses risk and require new skillsets and tools to help make the right decisions.

The Changing Role of Today’s Healthcare CISOs

In healthcare, a tremendous burden is put on CISOs and CSOs to quantify cybersecurity risk in dollars and cents. Some CISOs are embracing quantified risk assessment, while others are just dipping their toes into the unfamiliar waters of risk mitigation that takes into account budgetary concerns. Still, many CISOs deem applying business savvy to security complex and push back against using a quantified approach.

Why Quantify Security Risk?

The healthcare industry has steadily embraced digital transformation through a preponderance of smart devices, IoT, telemedicine, and ePHI. In addition, threats or the unwelcome outcomes of threats — ransomware, insider threats, and third-party breaches — are getting more sophisticated and more difficult to prevent.

Healthcare CISOs must mitigate the dangers of daily threats and, at the same time, assess how to limit risk while increasing ROI through cyber investments.

The goal of most CISOs — in healthcare and beyond — is to lead digital transitions without exposing the organization to unacceptable risk. Until recently, CISOs have relied solely on control frameworks that use ordinal scoring (assigning values like 1-5 or red/yellow/green) to evaluate risk based on vulnerabilities, threats or gaps in compliance.

While these methods are valuable, they also inadvertently create a climate in which the business side of operations and cybersecurity groups end up speaking different risk evaluation languages.

The business articulates opportunity and other forms of risk in monetary terms; security articulates risk as high, medium or low. What results is a post-Tower of Babel scenario where two sides of the business fundamentally cannot explain how high, medium, and low risk translates into dollars and cents.

When cybersecurity can operate with input from a risk evaluation processes — for example, a framework such as factor analysis of information risk (FAIR) — organizations can compare potential loss due to a cybersecurity incident to potential opportunities, agree on an acceptable level of risk and then align security investments and resources accordingly.

In the past, risks related to digital transformation of the healthcare industry were often unknown and inherited, CISOs can adapt technologies in a safer, faster manner, and they can more confidently explain the ROI of the approaches they are taking. Leveraging an evaluation framework such as FAIR creates a universal language of risk assessment and mitigation.

Reframing Healthcare Security Risks Has Its Challenges

CISOs in all industries sometimes get caught in the trap of using jargon-centric evaluation systems when explaining which technology investments will mitigate today’s threats and their undesirable outcomes.

Vulnerabilities, endpoints, hackers and even the term “risk” itself are often applied in this manner. The problem is that hospitals and health organizations evaluate operations in financial terms and think of security risk in terms of the likelihood a cyber attack could impact them.

For example, while ransomware and third party breaches garner many of the healthcare-related attack headlines, these represent symptoms of the broader problem: cyberattacks make it into a network and exploit privileged credentials.

Regardless of the payload delivered or where the attacks stems from, attacks with privileged escalation are a greater risk. Once an attacker gains this level of inside access, they can completely own the IT infrastructure – accessing sensitive data, shutting down critical systems and causing mass disruption.

Physicians’ priority is patient care and saving lives, not IT security. This is why many healthcare providers have been slow to adopt multi-factor authentication – because doctors will find workarounds to make access to their resources easier and faster. Attackers know this and are increasingly taking advantage of  limited multi-factor deployments to steal credentials and launch their attacks.

Understanding this context and the associated risk with these types of attacks enables healthcare CISOs to target security spending in a way that increases their security posture without impacting workflow, physicians and the quality of care.

Few healthcare organizations have the tools to deliberate what the “acceptable” levels of risks they are willing to handle in both financial and data security terms. Not all risk can be mitigated, but knowing the threats and outcomes that could have the greatest impact on both the bottom line and day-to-day care of patients can help identify potential threats and where the greatest impact is to the organization.

Resource Download: The Risk Initiative: Building a Business Case with Mitigation ROI

About the Author: Bryan Murphy, Director, Consulting Services - Americas at CyberArk.

More regional news

CMS Administrator Seema Verma and National Coordinator for Health IT Dr. Donald Rucker

Is synthetic data the key to healthcare clinical and business intelligence?

The open source synthetic data source, Synthea. (Diagram courtesy of The MITRE Corporation.)