Successful Information Security is About More Than Just Technology
Impact Advisors' own Marc Johnson was a CISO panelist at a recent FutureCon event in Kansas City. The three key themes that emerged from the discussion mirror the information security challenges virtually every health delivery organization is facing right now:
1. The importance of effectively responding to and recovering from a breach.
The reality is that every health delivery organization will be breached at some point. It will not always be the work of a malicious external actor (as is the case with ransomware attacks); sometimes the breach may just be the result of an uninformed employee who does not realize their actions put the organization at risk. Regardless of the cause of the breach, hospitals and health systems need to have an organized and well-defined strategy to not only detect when information is inappropriately accessed, but also to properly respond and then effectively recover from the incident.
Success hinges on thoughtful and deliberate attention to three closely linked concepts: 1) incident response, 2) business continuity, and 3) disaster recovery.
Incident Response – the art of responding to an incident (security, resiliency, etc.) which may result in an outage.
Business Continuity – the art of recovering business function during an outage (power, natural disaster, etc.) without technology.
Disaster Recovery – the art of recovering technology from an outage.
Although many health delivery organizations today have a good handle on either disaster recovery, incident response, or business continuity individually, few are proficient at all three – and integration is rare. Business continuity planning in particular remains a critical area for improvement. Part of the challenge is being able to sufficiently engage business owners, department heads, and clinicians so they understand their role in the business continuity plan and the steps they need to follow in the event of a cyberattack or breach. This may include manual steps to isolate the bad actor or malicious code, such as disconnecting an infected medical device or turning off an infected mobile device.
The reality is effective business continuity planning goes far beyond just technology – and it needs to be closely linked to disaster recovery and incident response. For example, the business continuity plan informs disaster recovery about specific departments to prioritize – and it also informs incident response as to which departments need to be protected differently (and how). Without a robust business continuity plan – and stakeholders across the enterprise who are fully engaged in that plan – it will be virtually impossible for a hospital or health system to effectively respond and recover when the inevitable breach or cyberattack occurs.
2. The impact of artificial intelligence (AI) on the day-to-day responsibilities of information security professionals.
The potential impact of AI is top of mind for leaders in virtually every industry right now – and health delivery is no exception. Given AI's ability to dramatically increase automation, coupled with the rapid evolution and proliferation of AI products, information security professionals in healthcare – just like back-office staff, clinicians, and others – are understandably concerned about how the technology will impact their jobs and day-to-day responsibilities. It is important to remember that automation is not the same as autonomy. Even as AI continues to evolve, human intermediaries still need to be heavily involved in the information security cycle of protecting, identifying, detecting, responding, and recovering. People still must inform and monitor the technology for automation to be successful.
Most of the hype right now is centered around generative AI, but that ultimately represents only one type of artificial intelligence – and generative AI products (and the health delivery use cases for those products) are still very much in their infancy. Although hospital and health system CISOs need to carefully monitor the rapid evolution of generative AI solutions (and the information security risks that stem from them, such as the potential for more convincing phishing attacks), it is also important not to lose sight of what is required to successfully enable automation from the more mature – and proven – AI products on the market. For example, over the last few years, machine learning (which is a more mature application of AI) has become a mainstay in the health delivery industry for endpoint protection, automatically detecting – and then quarantining – any files deemed to be “malicious.” However, machine learning technology still must be trained in a manner that accounts for the unique way the organization conducts business, and implemented with the right systems and controls in place to ensure it is operating safely. Without a robust program (e.g., policies, procedures, plans, playbooks / runbooks, etc.) to inform the endpoint protection technology, it is possible that common everyday elements will be incorrectly quarantined – or conversely, that threat vectors of specific concern to the organization will be left open.
3. More effective communication from the CISO.
There is a significant opportunity in many health delivery organizations for the CISO to more effectively communicate with various types of internal stakeholders. Although cybersecurity risks are higher than ever in the current environment, many board members, business owners, and clinicians still incorrectly perceive information security to be solely a technology issue and not an operational issue.
CISOs should help board members, business owners, and clinicians understand – in straightforward terms – what is at stake for them. It isn't enough to cite already well-known statistics about the increasingly sophisticated cyberattacks the industry is facing or to describe what technology will be put in place. Instead, CISOs should be specific, focusing on the tangible impact for each individual stakeholder they are communicating with and helping that person understand the business implications for them; the "why" from their perspective. For example, rather than telling a department head the specifics of the technology work that needs to be done to the oncology system, the CISO might explain: "we need to do this proactive work now because if we don't, the oncology system could be offline for 12-18 hours if we have to respond to – and recover from – a ransomware attack."
The Bottom Line
In the current environment, experiencing a breach or falling victim to a cyberattack is inevitable. Internal hospital and health system stakeholders outside of IT need to understand that information security is not just a technology issue. Health delivery organizations not only need to proactively take protective measures and be able to detect when a breach occurs, they also need to have the right plans, policies, and procedures in place – and the right level of stakeholder engagement in those plans, policies, and procedures – to effectively respond and then recover.
As a Best in KLAS® winner for Security & Privacy Consulting Services for the past three years, Impact Advisors can help your organization identify risks, develop remediation plans, benchmark security posture, and track maturity improvement.