How to tailor cybersecurity discussions to align different stakeholders



Behind the complex environment of healthcare cybersecurity are numerous leaders and department administrators at service and payer organizations. And they have questions.

They need the information to execute – to provide IT, regulators, physicians and patients with the right requirements, procedures and assurances to protect patient safety, patient data, individuals and their organizations.

The rapidly evolving threat landscape is driving up operational costs, and with tight government oversight – as well as new data sharing requirements – IT departments are forced to improve their organization’s cybersecurity posture and stay compliant.

According to Steve Winterfeld, CISO consultant at Akamai, each healthcare stakeholder will have their own reasons to ask about the conditions, challenges, and solutions behind their organization’s cybersecurity state.

Winterfeld will join other cybersecurity leaders for the Security Strategy Stakeholder Alignment, a panel discussion at the HIMSS Healthcare Cybersecurity Forum, taking place on December 5 in Boston.

This session will cover how to engage leadership and stakeholders on security tactics that address broader business goals while balancing patient safety, accessibility and interoperability.

Remember the business context

Healthcare is unique in that so many of its employees have access to the very data that IT has to protect.

Winterfeld described aligning stakeholders as a balance between cybersecurity controls and the need for patient interaction, much like translating what you know into their language.

“When I talk to the CFO, it’s money,” he said. “When I talk to the COO, it’s performance. When I talk to the CEO, it’s the brand.”

In general, board members and C-suite executives want to know if your organization has the right risk posture based on your board’s risk appetite.

“The board wants to know what other people are doing.”

The key to addressing leadership concerns, says Winterfeld, is to learn from peers to understand the perils of threats and where a particular organization accepts those risks.

“If I were in the pharmaceutical industry, I would protect intellectual property more,” he explains. “If it’s a provider’s care, they’re keeping it safe. If it’s the person paying the insurance, it’s preventing fraud and protecting personal information.”

Then there are medical devices, with the security of the internet of medical things being a major concern for many providers.

“I was worried about how that would get into my environment,” says Winterfeld. “And so, at the board level, how do I sort and stack all that criticism?”

Health system boards are becoming more sophisticated, attracting more qualified members. Winterfeld warns: While they may want a nuanced discussion around a risky investment, they don’t need a technical consultant.

“That’s what many of us tend to do is I spend my day focusing on technical controls. But when I go back and talk to the board, I need to start talking about business risk, not cybersecurity risk.”

Determine the patient’s journey

Winterfeld says that to translate cybersecurity information, he wants to bring stakeholders on the data journey — either patients or customers and employees.

“As our customers continue their data journey, we need to protect their access to the resources we need to protect,” he said.

He explains to stakeholders things like how to secure lateral movement, such as when a customer enters an interface and then navigates to a database.

But with employee data journeys, it’s more complicated. Making sure they’re securely logged in is one thing, but theft of employee credentials is the main threat.

Leaders should understand how security controls can protect employee data journeys, as well as what happens when employees access the internet.

“You know, how do I protect my access from that common phishing email, someone emailing me?”

Winterfeld says business email compromise is where criminals make the most money, noting that numerous studies show employees can put an organization at risk when it comes to personal gain.

He uses himself as an example of a potential victim of a cyber attack.

“Hey, Steve, we see you really like disc golf or discus golf,” he ventured. “Come to this site, we can give you a new frisbee to interact with our marketing campaign. Well, I’ll click on that page because I’m putting the company at risk for a discus throw on any given day.”

The HIMSS 2022 Healthcare Cybersecurity Forum takes place on December 5 and 6 at the Renaissance Boston Waterfront Hotel.

Andrea Fox is the senior editor of Healthcare IT News.

Healthcare IT News is a publication of HIMSS.
