Separating Fact from Fiction

Not all cybersecurity products and services are created equal

In repeated healthcare surveys conducted in 2019 and even into this year, providers indicate that cybersecurity is a growing threat and one that presents a clear risk to operational continuity, said Richard Mackey, senior vice president of IT for Intalere.

For instance, in Gartner’s 2020 CIO Agenda: A Healthcare Provider’s Perspective (November 2019), almost all responding healthcare CIOs now have or are planning to implement cybersecurity technologies during the next 12 months. And 54% note that cybersecurity is a focus area for 2020 with increased investment and spend planned for this area.

The reason for that increased investment is that according to some industry statistics, as many as 1 in 5 health systems have recently dealt with some form of instability related to a cyberattack, whether it is to the network in general or to a specific area. “If anything, those numbers may be underrated,” Mackey said. “It’s a very common occurrence, even for smaller organizations.” In fact, in some cases smaller organizations may be more vulnerable to attack because the hackers are savvy and understand smaller institutions may not have the latest investments in some of these tools and services, Mackey said.

Cybersecurity as a field has been booming during the past five to seven years, said Mackey. During that period, the growth rates for products and services touting cybersecurity solutions have hit double digits year over year. “There is a tremendous need, interest and high demand,” said Mackey.

Needs vary

While commodity IT goods and services have long been available in Intalere’s portfolio, the area of cybersecurity goods and services is newer and more specific, Mackey said. One of the biggest challenges related to cybersecurity is scale. Needs can vary greatly among Intalere members due to the differences in size and scope.

“Cybersecurity needs vary depending on the size of the organization, the resources invested to date, the class of trade and more,” said Mackey. “We have worked with members to help deliver a custom cybersecurity assessment that delivers a prioritized plan with investment to meet its short- and long-term goals.”

A variety of themes and subject areas are often involved, including:

  • Securing assets and information (data loss prevention)
  • Identity and access management for users in the organizations
  • Tools and services that focus on the events themselves (often referred to as security information and event management)
  • Security aspects of the devices which reside in organizations, whether they be computing focused (mobile device management) or clinical in nature (medical Internet of Things (IoT)).

Another challenge is separating “hype from value,” said Mackey. In 2019, Intalere formed a cybersecurity advisory board to respond to this industry need. It is comprised of leading information security professionals from provider organizations. Its purpose is to help separate hype from value and provide members with resources and information that allow for investments to strengthen their organization’s capabilities.

“When we talk about the hype, it’s not uncommon for some vendors to take what they’ve been doing for years and slap a cybersecurity label on it, looking to justify a higher premium or how they charge,” said Mackey. “It’s that kind of a hype factor that sometimes can be misleading to someone in compliance, supply chain or clinical operational settings that aren’t as close to the IT category. They see the term cybersecurity and are interested, and a lot of the time there’s not a strong focus or there’s not something that differentiates the product that warrants such a high premium. That’s what we talk about – separating the hype.”

Intalere delves into the value proposition by reviewing best practices by members of the board.

“In some cases we are looking for a portfolio of solutions that are just as applicable for a small acute facility anywhere in the country as would be for a larger system, or even for a non-acute surgery center chain or group long-term care facilities,” said Mackey. “Being able to pressure test possible solutions with our board is what we’ve found to be the most useful way to separate those things that may be more of a fad, or trendy with a label of cybersecurity, that may in fact just be the same product or service that’s been out in the market for five to 10 years and yet people are trying to reposition it as a cybersecurity offering.”

Resources

Resources created or made available through the work of the advisory board cover starting and growing a cybersecurity effort, cybersecurity insurance and cybersecurity training.

If your hospital or health system’s network is frozen or held hostage by an attacker, cybersecurity insurance can often be the most valuable investment you make, according to Mackey.

“That’s one of the best practices that we recommend to all our members,” he said. “If they don’t have it today, they should consider it.”

There are different facets to cybersecurity insurance. For instance, there are operational components that will cover the costs to get a health system back up and running following an attack. There are also other forms of expenses related to recovery that cybersecurity insurance can cover, such as legal services to help with compensation or investigating the source of the attack.

Cybersecurity insurance can also help a health system manage how it represents the event in its marketplace. What is the most appropriate way to notify patients, customers and those impacted by the breach? Is the health system complying with whatever laws might be in place in its region or state?

“Those are other forms of expenses you might incur or things to work through if you are the victim of an attack, beyond just getting your systems back online and being able to do your job,” Mackey said.

Intalere’s cybersecurity resources and education help members understand if they have the right kind of policy and coverage. Smaller organizations may need help finding a policy, while larger organizations can evaluate if they have the right policy in place.

Indeed, cybersecurity insurance is no longer a supply chain or IT team-level conversation.

“This is a board-level issue,” Mackey said.

In the past, the head of supply chain or IT might have addressed the topic within their respective departments. But now, the CEO and C-suite are interested. Cybersecurity insurance is one of the most commonly requested topics and decision points at the board level.

Training is also an important piece of a cybersecurity strategy.

“Most of the time, hackers don’t get into your network because of some breach or lack of protocol,” said Mackey. “Defenses generally work the way they should and prevent people accessing a network. Most of the time, a breach occurs because of social engineering with workers getting fooled and sending out information to a hacker’s request that looks like it is coming from a colleague, manager or executive.”

Mackey said that while yearly training is important, it is more successful if an organization will run shorter, more frequent trainings and reminders. These can be short videos sent out on a quarterly basis. Managers can also run simulations of situations that hackers may try to use to dupe workers, and if a worker does indeed get tricked, then the organization can provide education and training so they can avert the issue if it ever happens.

With these training components, Mackey said organizations are “making it more top of mind and thought about in continuous way and will have more success of being ever vigilant.”


Operational continuity

Intalere’s Operational Continuity and Emergency Management Program was established to assist members in best understanding the products and services available in Intalere’s portfolio to meet operational needs related to continuity of care, disaster recovery and more.

“Often times, members large and small may not always have the resources required to establish or update their own capabilities that are most important in times of unexpected natural or man-made crises,” said Mackey. “Knowing that operational continuity is of the utmost importance to our members, Intalere has curated suppliers that offer unique services and products in which members of all sizes and classes of trade may be interested.”