How to get the cybersecurity funds needed to protect a hospital or health system

A security expert offers sage advice for CISOs, CIOs and other security leaders to secure the resources they need to ward off attackers and protect health data.
By Bill Siwicki
12:18 PM

Andrew Howard, CEO, Kudelski Security


Health systems, like all enterprises these days, are not immune from cyberattack. In fact, they are at a higher risk because of a combination of the sensitivity of the systems and data they possess, the diversity of different systems deployed within the four walls of a hospital, and the fairly open access people have to physically interact with systems and access points.

Compounding the problem: Most hospitals and health systems face both budgetary and staffing shortages that limit their ability to defend against financially motivated threat actors. This makes for a complicated environment to secure.

Getting the funds to best secure a hospital or health system is not necessarily an easy task – just ask healthcare chief information security officers (CISOs) and chief information officers (CIOs). 

Yes, the horrible headlines of healthcare security breaches help security and IT leaders make their points to the C-suite and the board, but truly effective cybersecurity requires some serious cash, and that's not always easy to come by in today's healthcare environment.

To help IT and security leaders with this vexing challenge, Healthcare IT News sat down with Andrew Howard, CEO of Kudelski Security, to obtain advice on talking with the C-suite and the board about cybersecurity investments, dealing with security and IT staffs that are stretched thin, and more.

Q. Hospitals and health systems often are cautious in their approach to new technologies and trends. How do CIOs and CISOs get through to the C-suite and board to convince them to invest in new cybersecurity technologies and monitor new security trends?

A. Protecting an enterprise from cybersecurity threats is not easy and it takes resources – lots of them. Historically, CIOs and CISOs have been forced to use scare tactics around the security threats to get the resources they need. I have been a part of many presentations with clients trying to convince the boards of directors that the sky is really falling.

In today's landscape, boards tend to already understand the threat and the risks associated with inaction. All they have to do is turn on the news to understand the macro environments. They are also seeing peer hospitals and health systems come under attack virtually every day.

While the pitch to the board has morphed as boards have matured, security leaders still must have a convincing plan backed with data analysis. Security leaders are likely to be asked questions by the board, such as:

  • How secure are we?
  • How do we know we haven't already been breached?
  • How does our security program compare to those of our peers?
  • Are we investing enough?
  • Are our investments paying off?

Well-thought-out answers to these questions will help drive the right level of investment from the board. Far too often, we see security leaders focusing on metrics and details that may initially appear interesting to the board but do not help tell the right story to justify investment.

If a security leader can show a standards-based approach, with defined and measurable outcomes that are aligned to the healthcare objectives, the right investment will likely follow. Simply asking for funds for technology is not the right approach.

Q. Healthcare provider organizations do not have a lot of money to spend on non-reimbursable operational expenditures, so the money associated with new cybersecurity investments is hard to come by. What steps and strategies can health IT and security leaders take to get the money they need?

A. Recent high-profile ransomware attacks on hospitals now make it much easier to link a lack of cybersecurity investment with tangible negative financial and patient services outcomes. Security leaders can reference many real-world examples where a ransomware-induced IT outage caused millions of dollars of revenue loss and, in at least a couple of cases, potential civil liability for a patient's death. Determining the likelihood and impact of these events is no longer a hypothetical exercise or one that can be dismissed as fear, uncertainty and doubt.

Furthermore, boards cannot rely on insuring against this risk, as many cyber insurance policies exclude ransomware payments. Furthermore, recent guidance from the U.S. Treasury Department highlights potential sanctions on companies and institutions for facilitating ransomware payments, even unknowingly, to terrorist organizations or U.S.-sanctioned countries.

Linking security spending to compliance outcomes is a typical step security leaders can and do take. Often, the compliance is currently addressed through human-powered, manual processes.

The challenge then is convincing boards to invest in technology to accomplish the same tasks, but perhaps with greater precision or efficiency. This requires security leaders to explain risks created in the current process (precision) or illustrate how the freed-up resources can be reassigned to other, more critical security tasks (efficiency).

Where possible, I recommend justifying new security tooling by linking it to other non-security business outcomes. Asset management and tracking is a great example of this.

From a security perspective, if a healthcare organization doesn't have a solution that discovers and tracks what assets are in its environment, it can't know holistically what to monitor, protect or patch. It can never truly be sure of the real security posture or attack surface. Similarly, this same lack of asset visibility has ramifications for accounting and operations.

Consider expensive network-connected medical devices. Is this device listed in a fixed asset schedule? Does the organization know its physical location for purposes of an annual audit or routine maintenance? Is the device being so underutilized that it should be liquidated? In this example, the same technology solution can enable both security and business teams to accomplish their objectives.

Q. Healthcare security and IT staff often are small and stretched thin. Getting more money, as we already have discussed, is one solution. What else can leaders do to help with this problem?

A. Without question, money is needed to drive a successful security program and mitigate the impact of inevitable breaches. The cost of the necessary security people, processes and technology is also increasing.

Organizations today are spending upwards of 15% of their IT budget on information security. However, while an organization cannot build a world-class security program without significant financial resources, it can build a good enough security program with the right focus and limited investment.

Security leaders should focus on cybersecurity hygiene before and above all other tasks. Building mature and repeatable processes around identity management, patch management and threat detection will go a long way to deter threats.

I see many clients over-investing in technology and under-investing in the basics. I have visited many data centers with racks and racks of security appliances turned off because the organization could not figure out how to operationalize the technology. While technologies like endpoint detection and response are typically worth the investment regardless of the security program's maturity, most other technologies will fall flat without the right processes around them.

In my role, I regularly ask our incident responders what advice they would give a new security leader to best defend their network. While the advice has changed alongside the threat landscape, the fundamental advice has not.

Healthcare organizations should buy and ubiquitously deploy a strong identity-management solution that supports multi-factor authentication, segment their network to mitigate expansion opportunities post-breach (ideally with a zero-trust approach) and stay on top of patching key systems. One piece of specific advice that has not changed in years: If nothing else, disable macros in all Microsoft Office productivity applications. Most ransomware attacks we see today start with a macro.
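The closing advice, disabling Office macros, maps to two Office policy registry values. The script below is an added example, not part of the interview or of Kudelski Security's tooling: it audits those values for Word, Excel and PowerPoint on a Windows host and, only when asked, sets them. It assumes Office 2016 or later (registry version key 16.0) and a user context that can write its own HKCU policy keys; in a hospital fleet the same values would normally be pushed by Group Policy or Intune rather than per-machine.

```powershell
# Added example (not from the interview). Audit, and optionally enforce, the
# per-user Office policy values that implement "disable macros".
# VBAWarnings: 1 = enable all, 2 = disable with notification,
#              3 = disable except digitally signed, 4 = disable all, no notification
# blockcontentexecutionfrominternet: 1 = block macros in files marked as from the Internet
$Apps    = @('Word', 'Excel', 'PowerPoint')
$Desired = @{ VBAWarnings = 4; blockcontentexecutionfrominternet = 1 }

function Get-OfficeMacroPosture {
    # Returns one row per application/setting with the desired and actual values.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        foreach ($name in $Desired.Keys) {
            $actual = $null
            if (Test-Path $key) {
                $actual = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
            }
            [pscustomobject]@{
                Application = $app
                Setting     = $name
                Desired     = $Desired[$name]
                Actual      = $actual          # $null means the policy is not set
                Compliant   = ($actual -eq $Desired[$name])
            }
        }
    }
}

function Set-OfficeMacroPolicy {
    # Writes the desired values, creating the policy key when it is absent.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\16.0\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        foreach ($name in $Desired.Keys) {
            New-ItemProperty -Path $key -Name $name -Value $Desired[$name] `
                -PropertyType DWord -Force | Out-Null
        }
    }
}

# Report first; change settings only when the script is run with -Enforce.
Get-OfficeMacroPosture | Format-Table -AutoSize
if ($args -contains '-Enforce') {
    Set-OfficeMacroPolicy
    # Anything still non-compliant after enforcement is worth a second look.
    Get-OfficeMacroPosture | Where-Object { -not $_.Compliant } | Format-Table -AutoSize
}
```

Run it as `.\Audit-OfficeMacros.ps1` for a report only, or `.\Audit-OfficeMacros.ps1 -Enforce` to apply the values; rows whose Actual column is blank show where no policy is set at all, which in practice is the common finding.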

Twitter: @SiwickiHealthIT
Email the writer: bsiwicki@himss.org
Healthcare IT News is a HIMSS Media publication.
