Practical Tips for a Risk FrameworkHealthcare CISO Offers Insights on an Action Plan
Managing change is challenging, and adoption of new processes takes time, staff and funding. Without a champion, and without dedicated early adopters, most disruptive changes are prone to fail. There must be an activist board member, an engaged CIO or a passionate privacy or information security officer to lead the way.
See Also: Creating a Culture of Security
Given the intense service delivery demands upon healthcare, most organizations don't have the resources - or the will - to adopt a new risk framework.
A simple plan executed today is better than a grand plan that does not survive administrative review.
Still, change comes out of necessity or innovation. The rapid rise in cyber-attacks on healthcare organizations necessitates the use of a cyber-centric framework. Recent incidents, including the hacking attack on Community Health Systems, show healthcare is an easy target.
The business view of risk management must adjust to include the increasing and pervasive threats to information security and privacy. For healthcare, requirements align nicely with the National Institute of Standards and Technology's Cybersecurity Framework, as I described in an earlier blog.
If your organization has a well-integrated risk program, you need not adopt a new one. For the rest of us, NIST's standards for risk management are an excellent foundation. Specifically, see special NIST publications SP 800-30, 37, 39 and 53+A.
If your organization doesn't have the internal resources to sort through this, seek out advice from others, including regional or national healthcare associations. They can provide guidance and connect you with member organizations with mature processes ready to support your efforts in adopting best practices.
Where to start?
So what's the best way to begin the journey toward creating a risk framework for your organization? Start with a simple spreadsheet. A cybersecurity-aligned sample will get you started, or stimulate ideas. Here's a sample I prepared that you can download and use.
Also, check out SANS Institute's top 20 critical security controls if you're not sure which risks to address first.
From a cybersecurity perspective, the weakest link in the information security chain may not be your network of controls, but your affiliates - your business associates or vendors. Your risk framework should include the full scope of information flow into, out of and through your organization.
The objective of a simplified risk framework is agile response. Proactive is the key word. A simple plan executed today is better than a grand plan that does not survive administrative review. That means start small. Do something today that makes a difference tomorrow. Speak with your organizational risk manager and align you concerns with theirs.
Also keep in mind:
- Experience shows that early detection and rapid response directly reduce risk exposure and remediation costs;
- Medical device security is a very serious concern. If your risk framework is not aligned to an Internet-facing, mobile, cloud, Internet of Things world, your exposure is unknown, and unknown risks are unpredictable and costly.
Suggestions and Next Steps
Healthcare organizations can do more to pool their collective security and privacy best practices for the advantage of all. The growing interdependence of healthcare service providers calls for a collectively higher standard of collaboration. That includes participation in intelligence-sharing organizations, such as the National Health Information Sharing and Analysis Center, for example.
When the NIST Cybersecurity Framework was released in February 2014, my suggestion was for a shared repository of security policies, process workflows, checklists, templates, questionnaires, education and awareness modules. Imagine how many thousands of hours could be saved, each year, if the combined best practices of healthcare were pooled and freely shared. A close reading of the NIST Cybersecurity Update shows this as a common request in all sectors.
One size does not fit all, but a security risk template that works for one organization will contain the core elements another organization could build upon.
It's important to remember that risk assessments conducted annually don't provide the intelligence required for daily compliance or adequate security. That's because cybercriminals operate at the speed of the Internet. An annual snapshot is not sufficient; it must be one part of a continuous risk-aligned analysis program. NIST's offerings are an excellent starting point for action.
Paidhrin is the security administration and integrity manager in the compliance division of PeaceHealth, a healthcare delivery system in the Pacific Northwest, where he has worked for 14 years. Earlier, he worked in higher education, as well as in private sector and entrepreneurial ventures, where he held a number of director-level positions.