Myth busted: Contract security companies are definitely worth the money
Your cybersecurity staff is certainly a major contributor to how safe your healthcare system is. But it isn’t the staff you have that’s causing issues, it’s the ones you haven’t hired yet.
In its May report, the U.S. Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force highlighted the issue: too many vacant security positions and not enough cybersecurity talent to fill the voids. In fact, three out of four healthcare organizations are operating without a security person.
There wasn’t a consensus on the right number of qualified security professionals necessary to ensure an organization is protected, according to Josh Corman, Atlantic Council Director of the Cyber Statecraft Initiative and HHS Cybersecurity Task Force member.
Healthcare organizations aren’t opting out of hiring security professionals because they don’t see the worth, said Corman. “It’s because it’s not affordable. Many providers are running at break even before any additional costs. It’s created healthcare deserts.”
Instead of filling those roles, some organizations choose to leave the positions vacant, “which was surprising because for HIPAA, you’re technically required to have a security officer,” said Corman. Other providers pool resources with neighboring organizations to share a CISO.
Others turn to security contractors, but with many providers also facing budgetary constraints, it’s not always feasible, said Corman. And many don’t find value in spending thousands of dollars on the service.
Making matters worse are vendors bombarding healthcare organizations with the “best services” guaranteed to bolster security. So much so that valuable and necessary vendors are often lumped together with those promoting a silver bullet.
But contract security companies are often unfairly lumped into that group, and as a result, most executives fail to see the value of the expense.
CEO and President of Identity Theft Resource Center Eva Velasquez said these companies provide a vital service that effectively runs in the background. From general IT and keeping a system secure and properly running, contract security can mitigate risk and help an organization protect its reputation and image.
“Good security carries an expense: An ounce of prevention is worth a pound of cure,” Velasquez said. “It certainly isn’t going to be less expensive with a large-scale breach -- especially the cost of your reputation, if your organization is breached.”
“There’s no panacea going to protect you all of the time, but if you have a data compromise and the right things in place, it can help maintain the reputational image,” said Velasquez. “You can let your patients and others know that you did your best, but were still attacked.”
For Mac McMillan, CEO of security contractor CynergisTek, the real value of a contract security company is the balance it provides between the function of the internal IT team and a custom defense built by the vendor.
While testing, risk analysis and monitoring should be done internally, McMillan said the issue is that no matter how good the IT team is, it is only as good as what it sees in its own hospital. A hospital’s security team can’t leverage an outside view of threats and is often limited in its experience and perspective.
That’s where the contract security person comes into play: These larger companies use custom algorithms to weed out the noise to see risks and what’s happening to thousands of other networks around the globe. McMillan explained that in monitoring incoming threats, they can warn organizations beforehand.
“It’s like security for your house. You may have cameras set up around the perimeter, but they’re not good until the bad guy is at your house,” said McMillan. “But if someone is monitoring the whole neighborhood, they can see all of the threats facing all of the houses in the neighborhood.”
“It’s the difference between monitoring the house and monitoring all of the threats,” he added.
There’s no added value in comparing data against a single organization, said McMillan. “If nothing else, the contractor provides a third-person view of what an organization is doing based on performance and other assessments.”
And for rural, small or nonprofit hospitals, ICIT Senior Fellow James Scott said these services can fill in security gaps. Even larger medical practices that lack the time or talent to focus on internal threat hunting can benefit from a full-service security contractor.