There’s a new normal when it comes to cybersecurity audits. Whereas at one time it was a rare event, now organizations like Main Line Health have become accustomed to unannounced visitors, whether it’s CMS, the FDA, CISA, or any number of agencies. “We’re audited constantly, both internally and externally, to make sure we’re meeting regulatory compliance requirements,” said CISO Aaron Weismann during a panel discussion.
Audits are coming hard and fast, and leaders are, understandably, feeling the heat, according to Chris Logan (Chief Security Officer, Censinet), who also served as a panelist, along with Rob Marti (VP of Solution Engineering and Field CTO, Tausight). “The pressure is on to know what’s happening in your environment and to be able to quickly notify investors and regulators to drive accountability.”
And, as the experts pointed out, it isn’t just governing bodies who are doing the asking. CISOs and other leaders must answer to EHR providers, cyber-insurance companies, and even those within the organization — including Board members and customers.
“As we implement new technologies, the board is absolutely asking questions about what’s going to happen in the event of a ransomware attack,” said Weismann. “Every single customer is asking me what I’m doing to protect their information. I’m being bombarded, not just by the regulatory agencies.”
It can be quite overwhelming. And so, perhaps the best course isn’t to try to eat the whole pie at once, but rather, to cut it into digestible pieces.
“No shortage of oversight”
The first step is focusing on what auditors are looking for — which, according to Weismann, is a lot. “At a high level, they’re looking at policies and procedures,” he said. “They want to make sure we have our security requirements and documentation in place, and that we’re checking all the boxes. In short, they want to know that we’re doing our due diligence.”
The challenge — or at least, one of them — is that ‘they’ (i.e., the governing bodies) aren’t necessarily in step as to what they’re asking of health systems. “There’s no shortage of oversight,” said Logan. “No two agencies are asking the same thing. We’re being asked the same question four different ways, and yet, we have to provide four different responses.”
This “lack of commonality,” as he termed it, has made it more difficult for cybersecurity teams to position themselves for compliance. It also results in organizations adopting a reactive approach, which is the opposite of what needs to happen, Weismann noted.
The goal, in fact, is to be “audit-ready at all times,” which starts with basic measures like ensuring the technology infrastructure is “up to snuff to safeguard us from attacks,” he said. At Main Line Health, that includes doing internal and external penetration tests — and providing visibility into what they find.
“We do third-party risk assessments. We do architectural reviews and check-ins with our managed service providers to validate the services that they’re providing and the quality of those services,” noted Weismann. In doing so, they’ve developed a trust framework to ensure users that they’re doing everything possible to mitigate risk.
Of course, no method will ever be 100 percent effective. “Health systems are complex by nature,” said Marti. Subsequently, they’re difficult to protect, particularly in areas like supply chain that aren’t very visible.
The question becomes how to gain control of those situations, according to Logan. “It all boils down to the simple fact that you can’t secure what you don’t know you have.” Maintaining proper inventory of, for example, where ePHI sits, can empower leaders to “make plans and start to manage the actual risk that’s out there aside from the regulatory and compliance checklists,” he noted. “Let’s get to the point where we can identify the vulnerabilities that actually run the risk of creating a negative patient outcome or a material impact to our business. Let’s focus where it matters.”
What doesn’t matter is complying with overly stringent and complex password controls when multifactor authentication is in place, according to Logan. And yet, questions about compliance always seem to come up, which can leave leaders feeling frustrated. “It’s amazing to me how we haven’t grown in this regard to keep up with the technology controls,” he said. “We’re asking compliance questions that just don’t matter.”
Marti agreed, adding that extra steps like having to reset passwords — a process that has become superfluous — can interfere with patient care, which simply isn’t acceptable. “Passwords are expiring because we haven’t yet figured out how to adopt it and satisfy the regulator in it. And so we end up burdening the very people that we’re trying to free up,” he said.
Further complicating matters is the fact that CISOs and other leaders have to contend with recommendations from oversight committees, which are often at odds with physician preferences, noted Weismann. “We’re being pulled in three directions. We have new best practices that we have to figure out some way to implement, whether or not it works,” he said. “We have auditors with certain expectations. And we have providers who log into different PCs 60, 70 or, 80 times a day. And that is a serious disruption to their work.”
Trying to balance those competing needs is difficult, to put it mildly. “We want to stay in compliance while making sure we meet the needs of our customers,” he added. “It’s maddening because you end up feeling like you’re not satisfying anyone, and you still have to drive good security.”
On the other hand, by working with partners like Tausight and Censinet to move technology and controls into the background, leaders can help give clinicians more time at the bedside. “We’re changing how we log into and interact with PCs,” Weismann said. And while using tools like tokenized authentication hasn’t made all providers happy, it has helped streamline workflows, which is hugely important. “We try to leverage security solutions that are going to improve the lives of our users.”
That, of course, is the ultimate goal, and it’s where cybersecurity leaders should be focusing their attention, no matter how many auditors come knocking. “We’re doing our best. We’re running a thousand miles an hour with limited resources and funding,” said Logan. As such, leaders need to identify the risks that could have the biggest impact on the business, and be able to “demonstrate that to the auditing body in a way that says, ‘This is enough.’ If you’re understanding your risks and addressing them, that should be enough.”
To view the archive of this webinar — Keys to Running an Audit-Ready IT Shop (Sponsored by Tausight and Censinet) — please click here.