Tips for a CISO Navigating Health Care Cybersecurity Standards
Every C-level leader in the health care sector is well-versed and well-practiced at meeting compliance requirements unique to the industry. But it’s difficult for the chief information security officer (CISO) to bring organizational cybersecurity up to standard. While there are standards, such as those from the National Institute of Standards and Technology (NIST) and HITRUST, there’s no single, industrywide benchmark to define accountability.
“Right now, you have multiple sheriffs on the road, all saying they have different speed limits. So which is right, which one is wrong?” asked Aaron Miri, chief information officer at Dallas-based Walnut Hill Medical Center, in FierceHealthIT. “NIST is a fantastic framework, HITRUST is a fantastic framework, but which one is it? Which one am I going to be held accountable to?”
Adding to the CISO’s headache is the growing complexity of health care IT systems, which may range from higher demands for big data and analytics to the use of siloed, heavily regulated and technically problematic electronic health records (EHRs). Disparate data and systems are hard to protect, especially when the complexity in and between them is growing, too.
Four Tips for a CISO
Here are a few tips CISOs can apply to navigate this quagmire and build a strong health care cybersecurity framework.
1. Collaborate With the Entire C-Suite
The demands on IT and InfoSec are so high these days that it’s easy to get locked into a silo. The problem is that while you have your head down, you and your staff can be blindsided by threats you didn’t see coming, shadow IT rebels introducing new vulnerabilities and complaints from business users who find security processes bottlenecking their progress.
Begin to unravel these untenable situations by establishing a close partnership with the rest of the C-suite and getting a clearer understanding of company goals and division plans. You can also achieve buy-in more easily when everyone feels they have a say and a stake in the overall cybersecurity effort.
Security leaders will also benefit from the rest of the C-suite’s input and support on which cybersecurity standards take precedence in the organization’s policies. A united front is protective against unwarranted criticism from regulators and other entities.
2. Build Networks With Other CISOs — Even Outside the Health Care Industry
Sharing information on both threats and cybersecurity fixes is the fastest, most efficient and best way to build and maintain an effective cybersecurity effort. It’s important to note that security professionals across industries will have valuable threat intelligence and information to offer, so communications don’t have to exist solely in the health care sphere. Other sectors — with widely adopted security standards — can become models for your organization’s own framework.
3. Map Business Processes
By mapping business processes, you can more clearly see where unaddressed complexities and bottlenecks lie. This will provide insight into where IT systems need tweaking and what vulnerabilities need addressing, helping CISOs realize what areas need to be covered by security standards.
4. Outline Human-to-Process and Human-to-Human Relationships
Mapping relationships means looking into behavior patterns. By establishing a baseline of normal individual behaviors in work processes, you can more easily distinguish abnormal behavior, which can often signify security threats. Behavioral analytics will go far in rapidly and accurately completing this work.
Although this process may seem tedious, it helps CISOs understand where the greatest vulnerabilities lie, what threats they may have to plan for and which areas require the most attention when setting up security standards.
In short, become more intimate with how your organization works, why it operates that way and where it hopes to go. Once you know that, spotting threats becomes easier and your path forward in building a stalwart cybersecurity framework becomes far more clear.