How the Best CISOs Drive Operational Resilience
The last three years have been fueled by turbulent change, especially in how organizations structure their technology. The unanticipated global pandemic drastically accelerated digital transformation (DX) and a borderless workforce, forcing businesses to fast-track projects they had previously scheduled to take years. Those years-long projects were completed in a matter of months, or even weeks. That pace propelled the industry forward, but it also showed that cybersecurity must be woven into the fabric of those transformations if the result is to be operational resilience.
During this time, cybersecurity became a competitive advantage for organizations rather than just a cost center, leading many boards of directors to pay closer attention to security investments and metrics, and to prioritize results. The unforeseen circumstances of the pandemic, accelerated DX, and flexible work, coupled with the geopolitical conflict in Ukraine, show that CISOs must not only protect against the increasingly sophisticated attacks of cyber-criminals, but also match the speed of innovation with the right security measures. During this transformational period, I have observed that the most agile companies keep cyber resilience top of mind, and that the best CISOs in our industry also act as Chief Resilience Officers, putting cyber investments and protections to work to defend their business operations.
Recent events have made cyberspace increasingly hostile, and perhaps no industry has been hit harder than healthcare. For healthcare delivery organizations (HDOs), there are no higher stakes than delivering patient care safely and securely. Ransomware attacks on hospitals are not merely white-collar crimes with economic effects; they are better understood as threat-to-life crimes, because they can hinder an HDO's ability to provide patient care and can even result in the loss of human life.
According to a recent study by Cynerio (PDF), 56% of hospital security leaders say their organization experienced one or more cyberattacks in the past 24 months involving Internet of Medical Things (IoMT) devices. Forty-five percent report adverse impacts on patient care from these attacks, and 53% of those (24% of all respondents) report adverse impacts that included increased mortality rates. As we now know, cybersecurity in healthcare is patient safety, and the consequences go well beyond data breaches.
Now, how do the best CISOs drive operational resilience in healthcare delivery organizations?
- Identify and Apply: Apply more stringent security controls to medical devices and to the components needed to operate them. The reality is that in many healthcare settings, IT, IoT and IoMT devices share a single network with no controls that distinguish one class from another, so a compromised workstation or camera has the same reach as a clinician. By identifying every asset in the healthcare environment and classifying it by function and clinical criticality, and then applying virtual segmentation and other security controls based on that classification, CISOs can build resilience into their most critical operations.
- Prioritize and Address Gaps: Systematically prioritizing and addressing gaps is key to good governance and effective risk mitigation. The best CISOs establish a "single source of truth" for their environment to bridge operational disconnects and divides. This single system of record provides visibility into clinical networks and lets stakeholders make effective decisions that improve their organization's operations and care.
- Eliminate Silos: Organizational silos cause individual teams to lose sight of common goals, which leads to inefficiency and risk. In an HDO, these silos can affect the safety of operations and care. For example, if there are blind spots in an organization's cyber-defense strategy, an IT team may unknowingly block communications to a critical medical device, or take the device down to apply patches while it is in clinical use, with dire consequences. To counter this, CISOs should implement a "protect to enable" strategy that fuses IT/security, BioMed, and business outcomes.
- Adopt a Holistic Approach: It is important for CISOs to think of hospital operations holistically, and to understand that although medical devices are critical, so are the other building management systems (BMS) in the environment. From security cameras and physical access controls to HVAC systems, lighting, elevators, and fire alarm systems, BMS are critical cyber-physical systems that are trusted by millions daily to keep hospitals running. When these systems fail, delivering care becomes more difficult, and patient outcomes can suffer. By taking a holistic approach, HDOs can enhance visibility across their ecosystem and ensure more effective and efficient vulnerability management.
Alongside the strategies above, policy is also shaping how organizations approach security for their medical devices. A prime example is the Protecting and Transforming Cyber Health Care (PATCH) Act, whose provisions were included in the FY23 appropriations bill and establish baseline cybersecurity requirements for device manufacturers submitting new devices to the FDA. Manufacturers must provide plans to monitor, identify, and address post-market vulnerabilities, and must supply a software bill of materials (SBOM) for each device, all of which helps ensure that HDOs' infrastructure remains safe and secure.
In recent years, cyberattacks have exposed myriad vulnerabilities in our healthcare infrastructure, and they will continue to do so as new medical technologies are developed. By implementing the strategies above, and with the support of bipartisan legislation like the PATCH Act, CISOs will be better equipped to drive operational resilience and keep patients safe.