Behind the complicated climate of healthcare cybersecurity lay a score of leaders and department administrators at payer and provider organizations. And they have questions.
They need information in order to execute – to provide IT departments, regulators, doctors and patients with the appropriate requirements, processes and assurances that protect patient safety, patient data and their organizations.
A fast-evolving threat landscape is increasing operational costs and with heightened government scrutiny – as well as new data sharing requirements – IT departments are pressed to improve their organization’s cybersecurity postures and stay in compliance.
Each healthcare stakeholder will have their own reasons for asking about the conditions, challenges and resolutions behind the cybersecurity status of their organization, according to Steve Winterfeld, advisory CISO at Akamai.
Winterfeld will join other cybersecurity leaders for Aligning Stakeholders on Security Strategies, a panel discussion at the HIMSS Healthcare Cybersecurity Forum, which takes place December 5-6 in Boston.
The session will address how to engage leadership and stakeholders on security tactics that address broader business goals while balancing patient safety and interoperability.
Remembering the business context
Healthcare is unique in that so many of its employees must access the very data the IT department must protect.
Winterfeld described aligning stakeholders on the balance of cybersecurity controls with patients’ needs for interoperability as translating what you know into their language.
“When I’m talking to the CFO, it’s money,” he said. “When I’m talking to the COO, it’s operational effectiveness. When I’m talking to the CEO, it’s brand.”
Overall, board members and C-suite executives want to know if your organization has the right risk posture based on the board’s risk appetite.
“Boards want to know what others are doing.”
A key to addressing leadership concerns is first learning from peers to understand the risk of the threats and where a specific organization takes those risks, Winterfeld said.
“If I’m in pharma, I’m protecting intellectual property more,” he explained. “If it’s provider care, they are protecting safety. If the audience is payer insurance, then it’s preventing fraud and protecting personal information.”
Then there are medical devices, with the security of the internet of medical things is a big concern for many providers.
“I’m worried about how that’s coming into my environment,” said Winterfeld. “And so at the board level, how do I rack and stack all that diatribe?”
Health system boards are becoming more sophisticated bringing on members with higher levels of expertise. While they may want to have a nuanced discussion around a threat investment, they do not need a technical consultant, Winterfeld cautioned.
“That’s what a lot of us tend to do is I spend all day focused on the technical controls. But when I turn around and talk to the board, I need to then start talking about business risk, not cybersecurity risk.”
Defining patient journeys
Winterfeld said that in order to translate cybersecurity information, he likes to take stakeholders on data journeys – both patients or customers and employees.
“As our customers go on a data journey, we need to protect them accessing the resources we need to protect,” he said.
He explains to stakeholders things like how to secure lateral movements, such as when customers enter an interface and then navigate over to a database.
But with employee data journeys, it’s more complicated. Making sure they’re logged in safely is one thing, but the theft of employee credentials is a chief threat vector.
Leadership should understand how security controls can protect the employee data journey, but also what happens when employees go out to the internet.
“How do you protect my access, you know, from that typical phishing email, somebody emails me?”
Business email compromise is where criminals make the most money, Winterfeld said, noting that many studies show that employees can put organizations at risk with appeals to personal interests.
He used himself as an example of a potential cyberattack victim.
“Hey, Steve, we see you’re really into disc golf or frisbee golf,” he ventured. “Come to this site, we can give you a new frisbee for interacting with our marketing campaign. Well, I’m gonna click on that ’cause I will put the company at risk for a frisbee any day.”
The HIMSS 2022 Healthcare Cybersecurity Forum takes place December 5 and 6 at the Renaissance Boston Waterfront Hotel. Register here.
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS publication.