How hospitals can shore up cybersecurity on a 'skinny' budget
Hospital infosec pros are battling a rise in increasingly sophisticated cyberattacks while simultaneously struggling amid a security staffing crisis. And if that scenario weren’t hard enough, many are also operating on a shoestring budget.
But there are some creative approaches to meeting security needs without the luxury of a bigger budget.
At a bare minimum, every hospital needs someone who can manage vendors and help select providers, and who can then oversee that relationship on an ongoing basis, explained Kris Lovejoy, CEO of security firm BluVector.
“The reality is that if you need someone, the best way to do that is to get a vendor who is able to recommend the needed technology and other security needs,” said Lovejoy. Providers should look toward vendors with a healthcare focus that are able to provide the necessary security evaluations.
According to Diana Kelley, global executive security advisor for IBM Security, such a vendor has a strategy, and its job is to figure out what the hospital needs in a way that saves both time and effort.
The vendor will look for the crown jewels within the organization: the network, the EHR and the like. Kelley said they’ll determine where that data lives, how systems are connected and protected, and the compliance and security issues that follow from that.
The next step, said Kelley, is to determine how best to protect that data and what the organization can do to increase security, such as access control settings, administrative requirements and backups.
They’ll also determine resources and how the organization will work through those needs, whether through a virtual CISO, a part-time security employee or a local outsourcing firm that comes in once a week or once a month. Kelley explained those needs are determined by the size of the organization.
“They may need to hire a full time vendor. But they also need to have a partner on site,” said Kelley. “An outsourced vendor can take a lot off the plate in a big organization, more completely than collaborating with part time staff. But you still need someone in your company who can talk to them.”
“At the end of the day, IT can run as a vendor-management function,” said Lovejoy. “But you need someone on site to manage outcomes and policies.”
When hiring for the position, the hospital should evaluate its current technology and the role it needs to fill.
“What makes a good IT security specialist? A passion to learn and a desire to guard that data,” Kelley said. “In healthcare specifically, there are certain things the systems need to be able to run properly: the EHR needs certain things to run and medical devices need to be certified, among others. Healthcare needs a security person who understands these unique needs.”
Using these recommendations, a hospital can craft policies and training that help its staff understand the right way to do things and limit risk, explained Lovejoy.
All hospitals need to assign a group of people on site who are the security glue that holds the organization together. Lovejoy said these employees, although not necessarily dedicated security staff, can manage and implement security needs while measuring outcomes.
Such employees can determine, for example, how long it takes to find a threat and shut it down. Lovejoy explained that if a hospital is going to staff its own security from within, there needs to be a blend:
“You want to find a security director or manager that understands that process, and very quickly hire the people to execute these processes,” she said. “Or the organization needs to hire vendors to execute these plans. The most effective person can put it all together.”
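The outcome Lovejoy points to, how long it takes to find a threat and shut it down, is something a small on-site team can track without any dedicated tooling. The script below is an added example, not code from the article or from either firm quoted in it; the incident records in it are constructed, and the field names are assumptions. It computes mean and median time-to-detect (from when activity started, as established by later forensics, to when it was detected) and time-to-contain (from detection to containment), and it keeps incidents that are still open out of the containment figures rather than silently skewing them.

```python
from datetime import datetime
from statistics import mean, median

# Constructed sample incident records (not real hospital data). Timestamps are
# ISO 8601; contained_at is None for an incident that is still open. The field
# names are assumptions for this example.
INCIDENTS = [
    {"id": "INC-1", "started_at": "2023-03-01T02:10:00",
     "detected_at": "2023-03-01T09:40:00", "contained_at": "2023-03-01T11:10:00"},
    {"id": "INC-2", "started_at": "2023-03-04T22:00:00",
     "detected_at": "2023-03-06T08:30:00", "contained_at": "2023-03-06T14:00:00"},
    {"id": "INC-3", "started_at": "2023-03-10T13:00:00",
     "detected_at": "2023-03-10T13:45:00", "contained_at": None},
]


def _parse(ts):
    """Parse an ISO 8601 timestamp, passing None through for open incidents."""
    return datetime.fromisoformat(ts) if ts else None


def _hours(later, earlier):
    return (later - earlier).total_seconds() / 3600


def response_metrics(incidents):
    """Return detection/containment metrics in hours for a list of incidents.

    Time-to-detect uses every incident; time-to-contain uses only closed ones,
    and the ids of open incidents are reported separately so the reader can
    see what the containment numbers leave out.
    """
    ttd, ttc, open_ids = [], [], []
    for inc in incidents:
        started = _parse(inc["started_at"])
        detected = _parse(inc["detected_at"])
        contained = _parse(inc["contained_at"])
        if detected < started:
            # Bad data would otherwise produce a negative, flattering figure.
            raise ValueError(f"{inc['id']}: detected before it started")
        ttd.append(_hours(detected, started))
        if contained is None:
            open_ids.append(inc["id"])
            continue
        if contained < detected:
            raise ValueError(f"{inc['id']}: contained before it was detected")
        ttc.append(_hours(contained, detected))
    return {
        "incidents": len(incidents),
        "open": open_ids,
        "mean_ttd_hours": round(mean(ttd), 2) if ttd else None,
        "median_ttd_hours": round(median(ttd), 2) if ttd else None,
        "mean_ttc_hours": round(mean(ttc), 2) if ttc else None,
        "median_ttc_hours": round(median(ttc), 2) if ttc else None,
    }


if __name__ == "__main__":
    for key, value in response_metrics(INCIDENTS).items():
        print(f"{key}: {value}")
```

Reporting the median alongside the mean matters with a handful of incidents: one slow detection (INC-2 here, found a day and a half after it began) pulls the mean to 14.25 hours while the median stays at 7.5, and a manager reading only one of the two would draw the wrong conclusion about how the team is doing.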
To Kelley, it’s all part of the ‘new collar’ positions coming into healthcare: employees within the organization who are tasked with security but come from strong healthcare backgrounds.
“It’s looking at security needs with a different approach,” Kelley said. “It’s about getting creative.”