For healthcare leaders, there’s no prospect more frightening than a cybersecurity incident. “It’s the one thing that keeps me up at night. It can happen at any time,” said Rich Temple, CIO at Deborah Heart and Lung Center. The true nightmare, however, would be if a breach happened because the organization didn’t do everything possible to prevent it.
“No one wants to say, ‘we weren’t careful enough and we got hit, and now our business has been profoundly affected by it’,” he noted. And although there are no foolproof methods, there are steps leaders can take to build a solid defense. During a recent discussion, Temple and co-panelists Chani Cordero (CIO, Brooke Army Medical Center) and Brian Reavey (CISO, Protenus) outlined some of the challenges they’ve faced in developing and maintaining a solid cybersecurity posture, and how they’ve worked with partners to address them.
The most pressing challenge, not surprisingly, is a lack of resources, according to Cordero. “I don’t think any healthcare facility has enough cyber-personnel and assets. Everyone is stretched thin.”
At Deborah Heart and Lung Center, which includes an 89-bed teaching hospital and a full-service ambulatory care center, the hurdles are similar, said Temple, who referred to his team as “small, but very mighty.” As a result, “the bad guys are always one step ahead of us, and we’re always playing catch up. They find something, we learn about it, we patch it, we move on, and we hope that nothing happens,” he noted. “We’re always in chase mode.”
When solutions don’t deliver
And that, as any leader can attest, isn’t an ideal scenario, particularly given the crowded market of cybersecurity solutions — some of which have overpromised and underdelivered. In Cordero’s case, it was a monitoring tool designed to identify which applications were on the network and whether patches were needed. The problem was that the hardware wasn’t robust enough to handle that much background activity, meaning the team had to purchase more RAM and memory, she recalled. “That’s an additional cost we didn’t factor in when we purchased the tool. It was very painful for the organization to go through.” It was also an important lesson: before making a purchase, find out how resource-intensive the tool will be at your scale, including the ongoing load of continuous inventory and patch-status scanning, and size the hosts (and the budget) accordingly.
Of course, it’s not an exact science, noted Temple. “You can only make decisions based on the knowns, or on the unknowns that you think you might be able to absorb.” His team also hit some roadblocks with a network monitoring tool; in this case, however, the problem was in getting too many notifications. “It was driving us bonkers,” he said. “When you have all these alerts, the vast majority of which are noise, you start getting alert fatigue, and you might miss something really important.”
Fortunately, they were able to work with the vendor to load the latest threat indicators into the firewall, so that known-bad traffic was dealt with at the perimeter rather than surfacing as alerts downstream, which cut out a lot of the noise. Even the most well-intentioned tool, they learned, can continue to disrupt workflows and frustrate users if it isn’t configured and tuned properly. CIOs and other leaders, he added, need to “strike that balance of, ‘how do I proactively mitigate against these before they hit,’ with, ‘how do I make sure that our teams are chasing things that have the potential to be dangerous and not just swatting at random flies?’”
It’s no simple task, said Reavey, adding that vendors also find themselves stretched thin because of “the breadth of responsibilities we have working in a regulated industry” and navigating the cloud environment. “It can be scary,” he said. Through its SaaS-based platform, Protenus aims to provide customers with “a level of comfort” by helping them navigate privacy and compliance requirements and manage other challenges.
Alert fatigue
One of those is alert fatigue, which has become “a really hard problem to solve,” said Reavey. For that reason, Protenus has adopted a risk-based approach whereby customers are alerted to the top 10 percent of suspicious activities, rather than being flooded with notifications.
“You can’t possibly look at every single alert,” he said. “You’re going to get overwhelmed.” Instead, his team sorts through the alerts and data, and makes recommendations. Doing so, he added, provides “a way for the organization to intelligently triage, especially at the beginning of an engagement.” From there, teams can build the confidence and knowledge needed to sift through alerts more efficiently, and create a safer environment.
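As an added illustration of the risk-based, top-10-percent triage Reavey describes, the following Python is example code written for this page; it is not Protenus’s product or scoring model. The alert fields, the scoring weights, the deduplication key and the constructed alert feed are all assumptions, chosen only to show how a small queue is carved out of a noisy one: repeats of the same rule from the same source are collapsed to a single entry with a count, each remaining alert gets a risk score from severity, asset criticality and actor anomaly, and only the top decile is surfaced.

```python
"""Risk-based alert triage: collapse repeats, score what remains, surface the top decile.

Constructed example. Field names, weights and sample alerts are assumptions,
not any vendor's actual scoring model.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Alert:
    id: str
    rule: str
    severity: int            # 1 (info) .. 5 (critical), as emitted by the detection tool
    asset_criticality: int   # 1 .. 5, assumed to come from the asset inventory / CMDB
    user_risk: float         # 0.0 .. 1.0, assumed anomaly score for the acting user
    src_ip: str
    tags: tuple = ()


def risk_score(a: Alert) -> float:
    """Combine severity, asset value and actor anomaly into one number.

    Weights are illustrative assumptions: severity x asset value gives a 1..25 base,
    an anomalous actor can up to double it, and tactics that usually precede
    real damage (lateral movement, credential access) get a further 1.5x.
    """
    score = a.severity * a.asset_criticality * (1.0 + a.user_risk)
    if "lateral_movement" in a.tags or "credential_access" in a.tags:
        score *= 1.5
    return score


def dedupe(alerts):
    """Collapse repeats of the same rule from the same source into one entry.

    Returns a list of (alert, count) so a chatty rule occupies one slot in the
    queue instead of crowding out everything else.
    """
    groups = {}
    for a in alerts:
        key = (a.rule, a.src_ip)
        if key in groups:
            groups[key][1] += 1
        else:
            groups[key] = [a, 1]
    return [(a, n) for a, n in groups.values()]


def triage(alerts, top_fraction=0.10):
    """Return the highest-risk `top_fraction` of deduplicated alerts (at least one),
    sorted highest first, as (alert, count) pairs."""
    ranked = sorted(dedupe(alerts), key=lambda an: risk_score(an[0]), reverse=True)
    keep = max(1, math.ceil(len(ranked) * top_fraction))
    return ranked[:keep]


def build_sample_alerts():
    """Constructed alert feed: one chatty rule firing 15 times from one host,
    plus twelve distinct detections of varying risk."""
    noisy = [Alert(f"n{i}", "port_scan", 2, 1, 0.1, "10.0.0.7") for i in range(15)]
    distinct = [
        Alert("a1", "malware_beacon", 4, 5, 0.2, "10.0.1.20"),
        Alert("a2", "failed_login_burst", 2, 2, 0.1, "10.0.1.21"),
        Alert("a3", "admin_share_access", 3, 4, 0.9, "10.0.1.22", ("lateral_movement",)),
        Alert("a4", "ehr_bulk_export", 3, 5, 0.8, "10.0.1.23"),
        Alert("a5", "new_usb_device", 1, 2, 0.0, "10.0.1.24"),
        Alert("a6", "dns_nx_burst", 2, 1, 0.3, "10.0.1.25"),
        Alert("a7", "av_signature_old", 1, 3, 0.0, "10.0.1.26"),
        Alert("a8", "printer_smb_scan", 2, 1, 0.0, "10.0.1.27"),
        Alert("a9", "geo_login_anomaly", 3, 2, 0.6, "10.0.1.28"),
        Alert("a10", "service_restart", 1, 1, 0.0, "10.0.1.29"),
        Alert("a11", "cert_expiring", 1, 2, 0.0, "10.0.1.30"),
        Alert("a12", "rdp_from_vlan", 2, 3, 0.4, "10.0.1.31"),
    ]
    return noisy + distinct


if __name__ == "__main__":
    feed = build_sample_alerts()
    print(f"{len(feed)} raw alerts -> {len(dedupe(feed))} after dedupe")
    for alert, count in triage(feed):
        print(f"{risk_score(alert):6.1f}  {alert.rule:<20} x{count}  {alert.src_ip}")
```

With the constructed feed, 27 raw alerts collapse to 13 entries, and the top decile is two of them: the lateral-movement share access and the bulk EHR export. The fifteen port-scan alerts survive as a single line with a count, which is the point: they are still visible, but they no longer bury the two items an analyst should look at first. In practice the weights would be tuned against an organization’s own history of true and false positives, and the asset criticality and user anomaly inputs would come from the inventory and identity systems rather than being typed in by hand.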
Before that can be done, however, it’s important to establish expectations and ensure the building blocks are in place. “There’s a lot of promise around, ‘this tool is going to save you. You won’t have to hire three more security engineers if you buy our product,’” said Reavey. In reality, however, it’s impossible to know how effectively a solution will function in a new environment. “Do you have the right processes? Do you have to update your policies and procedures? It’s a lot of work to bring in something new like this,” he added. And if users don’t believe that work will lead to a better experience, it’s as good as dead. “I can buy the best tool in the world, but if my security engineers hate it, they’ll quit.”
Or, noted Cordero, they’ll develop workarounds that will prevent the tool from doing the one thing it was designed to do: improve patient care. “It will do the opposite, because they’re no longer using it,” she said.
On the other hand, if users feel that their needs are being heard and addressed, it can make a big difference, stated Temple. “We have to feel their pain. I think that’s a key part of being a CIO,” he said. Whether the issue is fixable or not, “we need to communicate with them and say, ‘I hear you. I don’t have the answer now, but we’re looking at it.’ That will get you 80 percent of the way there.”
Culture of safety
The final — and arguably most important — component in working to secure organizations is in establishing shared ownership across the enterprise, said Temple. At his organization, “We don’t define cybersecurity as my network engineers in their corner of the building,” he noted. “Cybersecurity touches everything. It’s not just information systems. As long as everyone buys into that, it becomes woven into everything we do. That’s how you promote organizational culture.”
And there’s more than one way to do it. While Deborah Heart and Lung has created a cybersecurity administrative committee to vet policies, procedures, and workflows, Brooke Army is kicking off a lunch-and-learn program in 2024 that will focus first on personal security, then delve into the professional space.
Through offerings like these, Temple and Cordero are making major strides toward bringing cybersecurity “out of the cocoon of technology” and into an enterprise-wide priority. Doing so will only become more critical in the coming years, noted Temple. “This is where, as a CIO, you have to have a bit of a marketing perspective as well. You have to brand cybersecurity as something that’s vital. You have to get the message out to the right people and get them enthused about it.”
The archive of this webinar, Keys to Deciphering the Resource Demands of Cyber Tools, is available to view.