Healthcare has a security problem.
Cyberattacks are happening at alarming rates, and they’re not happening randomly. “People aren’t breaking in; they’re logging in because they’ve stolen credentials,” said Drex DeFord, Executive Healthcare Strategist at CrowdStrike, during a recent webinar. For IT and security leaders, it means “you’re not just looking for a needle in a haystack. You’re looking for a particular piece of hay in the haystack. And that’s challenging.”
Most healthcare organizations simply don’t have the level of talent or resources needed to secure data. At the same time, leaders are fully aware that without better safeguards in place, digital transformation can become a pipe dream.
“This is something everyone is dealing with,” said Dee Young (CISO, UNC Health), who also spoke on the panel, along with Jesse Fasolo (Director, Technology Infrastructure & Cybersecurity, Information Security Officer, St. Joseph Healthcare). “It’s something we’re really going to have to watch to make sure we invest in the right places to allow our health systems to grow.”
During the discussion, the panelists talked about how leaders can leverage managed services to improve their cybersecurity posture, where and when to apply them, and why the “people piece” can’t be overlooked.
According to DeFord, it starts with understanding the fundamental challenges with data security, which he boiled down to three components:
- Lack of available cybersecurity talent;
- Failure to execute on fundamentals, such as patches, updates, and modernization;
- An increasingly complex environment, thanks to digital health initiatives and high numbers of acquisitions.
“You have to be really innovative and creative about how you protect data in an environment where the threat landscape changes rapidly and adversaries are constantly looking at ways to take advantage,” said DeFord.
And if organizations have talented individuals, other health systems — or industries, for that matter — can easily poach them, warned Fasolo. Recruiting them back could “cost more than your entire budget,” he said. As a leader, “You’re almost forced to look at other resources both inside and outside of the organization to fill the technology and talent needs.”
The 1-10-60 Model
That’s where service providers like CrowdStrike can fill a void by taking on some of the cybersecurity tasks. But before thinking about what can be farmed out and what stays in house, leaders need to focus on outcomes, said DeFord. The primary objective, of course, is to stop the breaches that interfere with clinical care and business operations. “Those are the things we really can’t tolerate,” he noted.
One way to do that is to focus on the 1-10-60 principle: the ability to detect a threat and alert teams to it within one minute; confirm the threat and investigate its potential harm within 10 minutes; and isolate or remediate the problem within 60 minutes so that it can’t affect the rest of the environment. Most adversaries, however, move laterally among devices, DeFord added, with a breakout time of about 84 minutes. “If you can stay ahead of that, you’ll take a huge step toward stopping breaches. If that’s not possible, that’s the point where you start to ask for help.”
At St. Joseph’s, Fasolo’s team conducted an exercise to see if they could execute the 1-10-60 model. Based on those results, they determined that device management was a vulnerable area — as it is for many organizations. “If you don’t have a good understanding and a good handle on the thousands and thousands of devices being used, you need to partner with an organization that can help you see everything at once, on a much greater scale,” he said. Consultants can help “fill the open positions to ensure you have the level of talent needed.”
Sometimes, however, it’s not necessarily a shortage of talent, but rather, a specific skillset that’s lacking, according to the panelists. Below are some of the use cases they described during the webinar.
- Forensics and penetration testing. Although these skills can be learned, “an outside service can provide them relatively quickly and at a much lower cost” than using a full-time employee, Fasolo stated.
- Compliance. Another area that “bodes well for external assistance” is compliance audits against your program, as well as documentation capabilities, he said. For organizations that work with outside parties to document policies, procedures or playbooks, for example, “It’s a valuable experience to bring external consultants to come in and do that work. Outside eyes are much better than your own in those circumstances.”
- SOAR. Security orchestration, automation, and response (SOAR), a collection of software programs, offers a great deal of promise, as it “adds a level of automation” that could be extremely useful, Fasolo said. However, it’s also relatively new, and he therefore recommended using outside services. “In the world of cybersecurity, there are too many logs for any one person or one team to logically go through, run through, report out, and take actions on.”
At UNC, Young has taken a different approach, leveraging external services to take on tasks like threat hunting and other “red team” priorities. In doing so, “they’re freeing up my experts to handle those gnarly and critical problems that have legs,” instead of using their time to handle tickets. At the same time, it helps “uplevel my team, which already know the organization and its history, but might not know those particular applications or tools.”
Similarly, Fasolo’s team has benefited from the coaching and development that come with bringing in outside organizations and sharing their expertise. However, “insider knowledge” is as critical here as with any IT initiative. “If you bring in a managed service to do a function, they’re going to rely on those who know the environment,” and can help point them in the right direction. “Those skills are vital.”
The people piece
Where it can get tricky, according to DeFord, is in asking in-house staff to take on different tasks, especially those who are used to doing the “nuts-and-bolts” type of work. “You have to be willing to upset the apple cart,” he noted. “The world has changed. The adversary has changed, and you have to think differently about how you’re going to build a cyber program to protect your organization.”
Young agreed, adding that leaders must be constantly reassessing roles and responsibilities to ensure the best people are in the best positions. “When we’re talking about staffing, one of our roles is to be strategic and look not just tactically, but at the long term,” she said. Part of that is ensuring that team members receive continuing education — not only about the technologies being used, but the direction in which the organization is headed. “It’s having those crucial conversations and helping them see where they want to go and what they want to do.”
Establishing these relationships, she noted, can help improve engagement and build loyalty. “I want to have a strength-based team,” which means “leveraging what everyone is good at and finding those technologies.”
It’s all part of an effective succession planning and professional development strategy, according to Fasolo, and it must be done on a consistent basis. “Identifying the talents of your resource pool and determining where in the organization or the team they can leverage their skills or bolster their skills” has become a critical piece in retaining good people.
In fact, DeFord believes it’s “incredibly important” to put in the time needed to “position your staff to be ready for any change that can make the program better,” whether it’s with in-house staff, outside expertise, or a combination of the two.
It’s challenging, he said, but “so is the need to constantly improve the cyber posture of a healthcare organization today.”
To view the archive of this webinar — Strategies for Leveraging Managed Services to Augment Your Cybersecurity Team — please click here.