Three Components to Build a Strong Cybersecurity Strategy for Rural Hospitals
While the immediate focus for rural hospitals is getting in front of this pandemic, there’s another unseen beast in the form of cyber criminals that are likely making plans to execute cyberattacks on hospitals. Learn three areas that can prepare rural hospitals for the long-term to fight these cybercriminals and protect their networks and patients.
As the country is moving to take more precautions around the pandemic, our deepest thanks go out to all hospitals and their dedicated staff. Thank you for all that you are doing to help save lives. While your immediate focus is getting in front of this pandemic, there’s another unseen beast that is lurking in the background. That beast is in the form of cyber criminals that are right now making plans to execute another cyber attack on hospitals (of any size).
I understand that you need to address what’s right in front of you right now, but don’t forget to put plans in place to address what might be right in front of you very soon. I understand that resources are tight, that budgets for cybersecurity are small, and even finding cybersecurity talent can be an issue, especially for rural hospitals.
I am going to break down three areas of focus for establishing a long-term cybersecurity plan: establishing an ROI to justify the right cybersecurity investments, creating a 3-year cybersecurity roadmap, and using metrics to measure success.
Establishing ROI to Justify the Right Cybersecurity Investments:
I am going to focus these areas on rural hospitals, but these strategies can really apply to a hospital of any size. I’ve found that hospitals have lots of questions when it comes to justifying spending money on cybersecurity, and that often leads to indecision.
Some examples of questions that I see rural hospitals struggle with are:
• How do I know for sure what security technology is going to protect us the best?
• How much cybersecurity is “enough”?
• Is more actually better when it comes to the number of cybersecurity solutions?
Other struggles rural hospitals face can be internal, like:
• Are all your organization's decision makers on the same page regarding what cybersecurity to invest in?
• Technical understanding of cybersecurity issues can differ between departments
• Cybersecurity priorities may vary depending on roles
Typically, I find that most current cybersecurity priorities and investments are largely based on achieving a capability, such as the implementation of tools, in order to avoid an outcome, like security incidents.
Moving forward, I suggest to our clients that their cybersecurity priorities and investments be based on achieving a set of outcomes that are consistent, adequate, reasonable, and effective (CARE).
Here is the CARE model as defined by Gartner with questions that you can ask yourself in each of the CARE areas.
With those standards in mind, there are two questions that you can ask to determine your investment strategy:
1. What is the specific outcome we are trying to achieve?
2. Will this help me create a defensible capability?
Our experience shows that if you subscribe to these standards, you can begin to move your cybersecurity strategy to achieving a set of outcomes instead of achieving a capability.
Creating a 3-Year Cybersecurity Roadmap:
Our hospital clients often tell us that their cybersecurity strategies start with meeting regulations (HIPAA and NIST 800-53). I agree that you need to make sure that you're meeting these guidelines/regulations, but to truly thwart a cyberattack, you need to dig a little deeper.
The key is understanding your top areas of vulnerability and mapping out what it will take to close those gaps. You can then set priority levels and a plan over three years to get where you ultimately want to be.
We use a Cybersecurity Capability Maturity Model to map out areas of focus for our clients so they can quickly see their problem areas. I will be doing a deeper dive into these topics for rural hospitals in an upcoming NRHA webinar on August 25th that will show you how we recommend mapping out a 3-year roadmap.
Develop Metrics to Track Success
The last area of focus that I want to share is developing cybersecurity metrics. Once you've worked through understanding your gaps and setting your priorities, you are ready to track progress toward the goals you set out in your roadmap.
Here are 4 key steps to developing the basics of measuring your success.
Step I – Determine Your Audience
• Are the metrics for technical or non-technical people?
• What is the purpose of the metrics?
Step II – Determine Success
• What is the story you are trying to tell?
• What is the baseline or victory?
Step III – Determine Measurements
• What do you need to actually track?
• Start with less; you can always add more later
Step IV – Determine the Sources
• What data will you need?
• If you don’t have it, is that a weakness or gap?
Most organizations incorporate a layered cybersecurity defense. Unfortunately, the one question that defenders never ask themselves is "What is my last line of defense?" or, more frankly, "What if everything fails?"
Cyber criminals are getting more savvy at finding new ways to target healthcare. Healthcare needs to respond and innovate to get ahead of the cyber criminals. One way is to level up your typical Security Operations Center.