Three Components to Build a Strong Cybersecurity Strategy for Rural Hospitals
While the immediate focus for rural hospitals is getting in front of this pandemic, there’s another unseen beast in the form of cyber criminals that are likely making plans to execute cyberattacks on hospitals. Learn three ways rural hospitals can prepare for the long-term to fight these cybercriminals.
As the country is moving to take more precautions around the pandemic, our deepest thanks go out to all hospitals and their dedicated staff. Thank you for all that you are doing to help save lives. While your immediate focus is getting in front of this pandemic, there’s another unseen beast that is lurking in the background. That beast is in the form of cyber criminals that are right now making plans to execute another cyberattack on hospitals (of any size).
I understand that you need to address what’s right in front of you right now, but don’t forget to put plans in place to address what might be right in front of you very soon. I understand that resources are tight, that budgets for cybersecurity are small, and even finding cybersecurity talent can be an issue, especially for rural hospitals.
I am going to break down three areas of focus to establish a long-term cybersecurity plan: establishing an ROI to justify the right cybersecurity investments, creating a 3-year cybersecurity roadmap, and using metrics to measure success.
Establishing ROI to Justify the Right Cybersecurity Investments:
I am going to focus these areas on rural hospitals, but these strategies can really apply to a hospital of any size. I’ve found that hospitals have lots of questions when it comes to justifying spending money on cybersecurity, and that often leads to indecision.
Some examples of questions that I see rural hospitals struggle with are:
· How do I know for sure what security technology is going to protect us the best?
· How much cybersecurity is “enough”?
· Is more actually better when it comes to the number of cybersecurity solutions?
Other struggles rural hospitals face can be internal, like:
· Are all your organization’s decision makers on the same page regarding what cybersecurity to invest in?
· Technical understanding of cybersecurity issues can differ between departments
· Cybersecurity priorities may vary depending on roles
Typically, I find that most current cybersecurity priorities and investments are largely based on achieving a capability, such as the implementation of tools, to avoid an outcome, like security incidents.
Moving forward, I suggest to our clients that their cybersecurity priorities and investment need to be based on achieving a set of outcomes that are consistent, adequate, reasonable, and effective (CARE).
Here is the CARE model as defined by Gartner with questions that you can ask yourself in each of the CARE areas.
With those standards in mind, there are two questions that you can ask to determine your investment strategy:
1. What is the specific outcome we are trying to achieve?
2. Will this help me create a defensible capability?
Our experience shows that if you subscribe to these standards, you can begin to move your cybersecurity strategy to achieving a set of outcomes instead of achieving a capability.
Creating a 3-Year Cybersecurity Roadmap:
Our hospital clients often tell us that their cybersecurity strategies start with meeting regulations (HIPAA and NIST 800-53). I agree that you need to make sure that you're meeting these guidelines/regulations, but to truly thwart a cyberattack, you need to dig a little deeper.
The key is understanding your top areas of vulnerability and mapping out what it will take to close those gaps. You can then set priority levels and a plan over 3 years to get where you ultimately want to be.
We use a Cybersecurity Capability Maturity Model to map out areas of focus for our clients so they can quickly see their problem areas. I will be doing a deeper dive into these topics for rural hospitals in an upcoming NRHA webinar on August 25th that will show you how we recommend mapping out a 3-year roadmap.
Develop Metrics to Track Success:
The last area of focus that I want to share is developing cybersecurity metrics. Once you’ve gone through understanding your gaps and setting your priorities, you are ready to track progress towards the achievements that you’ve set out in your roadmap.
Here are 4 key steps to developing the basics of measuring your success.
Step I – Determine Your Audience
• Are the metrics for technical or non-technical people?
• What is the purpose of the metrics?
Step II – Determine Success
• What is the story you are trying to tell?
• What is the baseline or victory?
Step III – Determine Measurements
• What do you need to actually track?
• Start with less; you can always add more later
Step IV – Determine the Sources
• What data will you need?
• If you don’t have it, is that a weakness or gap?