It’s no secret healthcare has struggled to keep up with a rapidly evolving cybersecurity landscape. It’s a challenge for every business and industry, but healthcare companies have unique concerns. They deal with extremely sensitive information, which is heavily targeted. Hospital groups and health systems often are built over years of acquisitions, resulting in a patchwork of different systems, governance structures, policies and procedures.
"Before committing to a new system or vendor, you need to know what business problem you want to solve"
Yet as healthcare becomes increasingly more digital, cybersecurity is one of its greatest business risks. The safety implications are staggering: If a medical device is compromised, or someone maliciously changes the blood type in a medical record, people can die.
In my role with Premise Health, I confront many of these issues every day. However, I’m fortunate not to do it alone. We deliver onsite, near site and virtual health to organizations, many of them the nation’s most respected and innovative employers. I’ve benefitted from this visibility into the standards, experiences and best practices of companies with very mature risk management functions. Here is what I have learned.
As Technology Leaders, We Must Understand the Business of Our Organizations
Too often, the information security department acts like the policy police. But our job is not to say no to things. It’s to empower our company to operate at the highest level of risk possible without jeopardizing its strategic business objectives. That means understanding what those objectives are, as well as the organization’s tolerance for risk.
When technology leaders understand the business, security protocols can drive efficiencies instead of slowing everyone down. It creates a win-win scenario, which changes the culture around security, builds support and enhances compliance. For example, when we implemented a security management program for vendors at Premise, we were able to identify redundancies and address them. Now, instead of 30 different vendors providing the same service, we might have three close partners. We can help to proactively mature their security posture and establish a trusted advisor relationship where they are comfortable disclosing risk and looking for guidance. We’re more secure and more efficient.
If You Aren’t Thinking Three to Four Moves Ahead, Then You Are Falling Behind
The adversaries have the advantage. They are singularly focused, with no departments to run or laws to follow, which makes it easier to stay on the leading edge. To keep up, we have to think three to four moves ahead—and help our organizations do so, as well.
In practice, thinking ahead means being aware of all of your vulnerabilities, including vendors and supply chain. As more organizations have moved operations to the cloud, risks have multiplied. You cannot drive a successful strategy looking in the rearview mirror at yesterday’s breach. The cyber storm of tomorrow will be different than it was yesterday. You need to look at security from a big picture perspective and see beyond your own four walls (and tactically, you need a vendor risk management strategy).
Thinking ahead also means not being afraid to take a stand. The law is inherently behind technology, which means security leaders often find themselves operating in grey areas. For many issues, you will have to do the research, take a position, and then justify it. In most cases, it’s better to move forward proactively, even in the face of uncertainty, than to wait for clear direction—which may never come.
For example, I needed to make a lot of proactive decisions with the launch of our virtual health product. Where is the video stored? Where are the regulatory lines? How do we retain the intimacy of an office visit in an online setting, without jeopardizing privacy? It’s complex, but worthwhile. The alternative is that our members and their families miss out on the benefits of 24/7 access to care.
Technology is only a tool. It can’t save the world
Obviously, technology offers many benefits. But every new product you bring in will present new risks and require someone to run it. That’s why smart organizations are focusing on people and training first, technology second.
Before committing to a new system or vendor, you need to know what business problem you want to solve. It’s wise to invest in fewer technologies, but with better security management and stronger vendor partnerships. To illustrate the point, just imagine the Great Wall of China. It starts as a formidable barrier, but is crumbling by the time it reaches the Gobi Desert. You can only extend so far before you will be stretched too thin.
Relationships with other leaders and governing bodies are critical.
Navigating security risks is complex work, and it’s helpful to have friends in the industry. I always recommend that technology and security leaders develop relationships with their peers and governing bodies.
At Premise, we work closely with the National Health Information Sharing and Analysis Center (NH-ISAC) to stay up-to-date on cybersecurity threats. Our relationship with this organization offers the benefit of getting immediate alerts so we’re ready for the phishing attack of the day. But we also have the opportunity to ask questions and see how others are approaching challenges as they arise. It’s a great partnership and highly necessary in a field that moves so quickly.
As the healthcare industry and technology continue to change, our best defense really is a good offense. We need to build teams and develop partners, both within our organizations and outside of them, to stay ahead.