A CISO’s Perspective on Security Strategy and Governance

The following is a guest article by Gerry Blass from ComplyAssistant

Did you know that healthcare organizations thwart thousands of phishing and malware attacks every day? With the increase in the volume of attacks, we’re also seeing an increase in the number of data breaches. In fact, recent data from the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) shows there were 365 breaches in 2018. That’s one per day.

With thousands of threats coming your way daily through firewalls, endpoints and compromised websites, how can you ensure your healthcare organization’s data is protected? Guarding protected health information (PHI) and other types of data is a complex, and potentially overwhelming, undertaking. With the right strategy, however, you can focus and prioritize your efforts… and your budget.

In my role as a former CISO at a large health system, I was responsible for a wide range of tactics designed to improve my organization’s risk profile and protect our patients. For organizations of any size, I recommend focusing on four areas.

1. Know where your PHI lives

Just a few decades ago, PHI was housed in only a couple of places, such as paper charts and perhaps a mainframe. Now, it’s not uncommon to find PHI in nearly every corner of a healthcare organization.

A colleague of mine – the CISO at a large health system in the northeast – explains, “We document and report on PHI vulnerabilities using the 80/20 rule, including servers, interfaces, cloud applications, electronic health record (EHR) systems, third-party vendors, email access, laptops and more.”

While these examples are more obvious locations of PHI, you should also consider the places where PHI could be hiding—potentially at higher risk. For example, if you have a bring-your-own-device (BYOD) policy for clinicians, personal mobile devices can be a prime location for hidden PHI. What about the old hardware sitting in a basement or storage area? Has confidential data on those devices been properly removed and disposed of? Do you have remote staff who access and use PHI? What protocols are in place to protect data not located within the walls of your facility?

2. Devise a defense strategy

With any PHI or confidential information, consider the risk at every point of access. As new connected technologies continue to be deployed, the number of access points keeps growing. Think about the recent uptick in breaches that have occurred through network access to a medical device.

“Within our healthcare organization, we use a defense in depth strategy,” the CISO explains. “We have seven levels of mitigation strategy that cover governance, risk, compliance, and identity and access management. Defense in depth is a pyramid structure with policies, procedures and awareness as the strategy’s foundation, with data protection as the pinnacle focus.”

The CFO plays an essential role here. Budgeting for a defense in depth strategy is a year-long endeavor, so financial leadership needs to be included and engaged in security and compliance efforts. Make your gaps and needs transparent to the CFO when they arise, not just at budget time.

Once your strategy is set, you can then begin to establish a tactical action plan for risk mitigation.

3. Measure and report

Information is a commodity these days. With nearly unlimited metrics, you could spend all your time gathering and analyzing data. Instead, focus your time, energy and resources on the data that will be most meaningful to support your defense strategy.

From a CISO’s perspective, a Governance Report Card can be a valuable tool to make sure you’re gathering and reporting the most relevant data. A standard Governance Report Card should be updated quarterly, and include the following:

  • Average risk score and average maturity score
    Trend these over time to watch for inconsistencies. Your risk score should trend down; your maturity score should trend up.
  • ePHI vulnerabilities and locations
    Earlier we talked about knowing where your PHI lives. Take the next step in understanding the level of vulnerability and risk with each location.
  • Third-party vendor vulnerabilities
    Manage your riskiest vendors. Frequent audits of business associates (BAs), downstream BAs, and medical device vendors will reveal the highest risk areas. Focus here first, and then work your way down the list.
  • Results of simulation tests and training
    Empower your employees to speak up. Digital training and testing can only go so far. You want your staff to feel comfortable in calling out risk when they see it, not just when they are being tested.
  • Cloud and policy/procedure audit results
    Watch for anomalies in the data each time you perform audits. Are there new areas of risk that you didn’t expect or plan for?

Here again, the CFO’s role is paramount. As a member of your steering committee (more on that below), your CFO should have access to and use the data you provide to make important budgetary decisions. Do you have resource gaps? Do you need to hire FTEs or outside expertise? Do you need to make some capital investment decisions? Ongoing review of the above data points will enable the CISO and the CFO to be better informed, and prioritize budget and resources.

4. Establish top-down governance

Governance around information security and compliance is the responsibility of the entire organization. It takes diligence from every single department and every single employee to protect PHI from falling into the wrong hands. Part of my role included coordination and collaboration with my C-Suite counterparts. I was in constant close contact with our CFO, who attended our HIPAA Steering Committee. His role was to assess the potential impact of breaches from a financial standpoint, including penalties, lawsuits, and cybersecurity insurance policy terms.

“The governance structure should be a top-down approach,” states the CISO. “It really begins at the board level with their own responsibilities. From there, the senior leadership team, IT steering committee and CISO have defined ownership and accountability for the protection of data.”

Under CIO leadership, the IT steering committee should include representatives from disciplines across the organization—operations, compliance, risk, finance, human resources, IT, health information management, facilities and legal. This group should review the Governance Report Card on a quarterly basis and recommend decisions on mitigation plans. Individual task forces can then carry out the action plans deemed necessary.

Financial leadership is a crucial member of this committee. The CFO and the finance team must be aware of security gaps, improvements or declines in process and procedures, any impending threats, and the impact of any operational changes to security and compliance efforts. In doing so, you can help ensure that the financial aspect of supporting security and compliance becomes a strategic, foundational effort, rather than an afterthought.

The bottom line is, you have to start somewhere. Attackers are constantly looking to infiltrate our systems to access our data. Think like an attacker. Find out where your vulnerabilities are, because that’s exactly what attackers are looking for. Prepare and execute your defense strategy and have a multidisciplinary governance model in place to mitigate risks, regardless of location in the organization.

Gerry Blass is President and CEO of ComplyAssistant. Contributions also made by Robert J. Babin, Director of Strategic IT/CISO at Saint Peter’s Healthcare System.