As the country moves to take more precautions around the pandemic, our deepest thanks go out to all hospitals and their dedicated staff. Thank you for all that you are doing to help save lives. While your immediate focus is getting in front of this pandemic, there is another unseen threat lurking in the background: cyber criminals who are right now planning their next attack on hospitals of any size.
I understand that you need to address what is right in front of you right now, but don't forget to put plans in place for what may be right in front of you very soon. I also understand that resources are tight, that cybersecurity budgets are small, and that even finding cybersecurity talent can be a challenge, especially for rural hospitals.
I am going to break down three areas of focus for establishing a long-term cybersecurity plan: establishing an ROI to justify the right cybersecurity investments, creating a 3-year cybersecurity roadmap, and using metrics to measure success.
I am going to focus on rural hospitals, but these strategies apply to a hospital of any size. I've found that hospitals have lots of questions when it comes to justifying spending on cybersecurity, and that uncertainty often leads to indecision:
· How do I know for sure what security technology is going to protect us the best?
· How much cybersecurity is “enough”?
· Is more actually better when it comes to the number of cybersecurity solutions?
· Are all of your organization's decision makers on the same page about which cybersecurity investments to make?
· Technical understanding of cybersecurity issues can differ between departments
· Cybersecurity priorities may vary depending on roles
Typically, I find that most current cybersecurity priorities and investments are based on achieving a capability, such as implementing a tool, in order to avoid an outcome, such as a security incident.
Moving forward, I suggest to our clients that their cybersecurity priorities and investments should instead be based on achieving a set of outcomes that are consistent, adequate, reasonable, and effective (CARE).
Here is the CARE model as defined by Gartner with questions that you can ask yourself in each of the CARE areas.
With those standards in mind, there are two questions you can ask about any proposed investment to determine your strategy:
1. What is the specific outcome we are trying to achieve?
2. Will this help me create a defensible capability?
Our experience shows that if you hold every investment to these standards, you can begin to move your cybersecurity strategy toward achieving a set of outcomes rather than simply acquiring capabilities.
Our hospital clients often tell us that their cybersecurity strategies start with meeting regulations and frameworks (HIPAA and NIST SP 800-53). I agree that you need to make sure you are meeting these requirements, but to truly thwart a cyberattack, you need to dig a little deeper. Compliance establishes a baseline; it does not tell you where your specific weaknesses are.
The key is understanding your top areas of vulnerability and mapping out what it will take to close those gaps. You can then set priority levels and a 3-year plan to get where you ultimately want to be.
We use a Cybersecurity Capability Maturity Model to map out areas of focus so our clients can quickly see their problem areas. I will be doing a deeper dive into these topics for rural hospitals in an upcoming NRHA webinar on August 25 that will show how we recommend mapping out a 3-year roadmap.
The last area of focus I want to share is developing cybersecurity metrics. Once you understand your gaps and have set your priorities, you are ready to track progress toward the achievements you have set out in your roadmap.
Here are four key steps to developing the basics of measuring your success.
Step I – Determine Your Audience
• Are the metrics for technical or non-technical people?
• What is the purpose of the metrics?
Step II – Determine Success
• What is the story you are trying to tell?
• What is the baseline or victory?
Step III – Determine Measurements
• What do you need to actually track?
• Start with fewer measurements; you can always add more later
Step IV – Determine the Sources
• What data will you need?
• If you don’t have it, is that a weakness or gap?
There are a lot more details in each of these three areas that I will be diving into in the upcoming NRHA webinar on August 25 at 3:00 p.m. ET, “Cybersecurity Strategy & Planning for Rural Hospital Senior Leaders”. Register to learn how to determine ROI for your cybersecurity program, set your 3-year cybersecurity roadmap, and put metrics in place to track success.