Healthcare Cybersecurity Priorities in 2020

1.20.20 | Featured, Industry Best Practices

By Drex DeFord, LCHIME, FCHIME, CHCIO
Executive Healthcare Strategist

The Ghost of Cybersecurity Future

What to do? The time has come for a strategic transition in our approach to cybersecurity. Sure, the fortress approach to security with associated protective controls is table stakes. But it’s time to shift our thinking from keeping bad actors out to finding them quickly if they get inside the network. You want to quickly end their visit, and thoroughly remediate any damage done.

As my colleague Mike Simon likes to say, “You have to see the criminal to catch the criminal.” We absolutely have a path to a better 2020. Here are seven practical ideas about where to focus, and how to improve:

  1. Third-Party Partners: Everyone will sign a BAA (even if they don’t really understand what it means) just to get your business. So, ask questions. Ask to see any cyber-certifications they might have; demand their latest audits and remediation plans; ask about how their third parties will access their system and your data. If they don’t want to answer, take that as a sign. And because there are so many of these partners, consider outside help with this process. It’s tough to stay on top of this work, and while it’s critical, it can distract you from daily security business.
  2. Two-Factor Identification: It’s one of the simplest things you can do, and there are some great tools out there. Politically, I know it can be difficult, but start somewhere, even if it’s just a few applications or an external access requirement. When done well, it’s like punching ransomware in the mouth.
  3. Personal stuff on personal devices: Again, politically challenging to do this, but staff can sometimes have sloppy personal-security habits. It’s a question of risk. Don’t make their problem your problem.
  4. Leverage Supply-Chain: Lots of examples here, from non-IT departments buying software/hardware/cloud services, to acquisition of Internet-of-Things (IoT) equipment. Don’t let existing problems get worse. For example, you’re likely already applying compensating controls for IoT that can’t be patched, so don’t keep adding problematic gear to the inventory. Raise the alarm, build new policy, and have a game plan in hand.
  5. IoT: Speaking of IoT, know what’s on your network; patch everything you can; segment and monitor all of it. There are some great tools (as associated service) for asset discovery and management available today, so put this project on your list.
  6. Speak in business and clinical terms, not IT and security terms. Non-IT people, especially those with responsibility for approving cyber-projects, are also the most likely to “glaze over” when we start tech-talking. Figure out what “channel” they’re on. Meet them where they are when it comes to technical discussions. Work on your story – build business plans – don’t wing it!
  7. Finally, most important – You will be breached – FAST detection/removal is critical: Consider managed services as an extension to your current team to mitigate the impact of these foreseeable events as a risk reduction method. Building an in-house Security Operations Center is an expensive proposition, and 24/7 coverage is mostly unrealistic for most healthcare organizations. Get help! Managed Detection and Response (MDR) is usually about the cost of a single security FTE, and can provide a fully functional, 24/7 SOC with US-based qualified analysts and threat-hunters.

 

This is an excerpt of an article that originally appeared at CI Security. 

Drex DeFord, LCHIME, FCHIME, CHCIO

Executive Healthcare Strategist
Drexio, LLC & 3xDrex.com

Drex is an Independent Consultant and Freelance CIO. A senior healthcare executive, business/clinical strategist, start-up CEO, and CIO; Board Director, & Digital Health Leader.


