A Virtual CISO Can Help Boost Security and Compliance in a Distributed Healthcare World

The following is a guest article by Ken Jenkins, Co-founder and Principal at EmberSec.

Cyber adversaries continue to hone their capabilities and the sophistication of their attack methods, particularly during the pandemic as healthcare organizations are expanding to remote methods of care. As threats evolve to take advantage of health systems under strain, it is more critical than ever to leverage the expertise of a CISO to assess and mitigate risk, execute a strategy to protect patient data and systems, and foster a security-aware culture. For an organization that does not have a CISO on staff, a virtual CISO is a viable option.

A vCISO can assess and manage the many challenges that balancing security and business continuity pose. Since many vCISOs work across sectors and industries, they can offer broad and deep knowledge and practice on security, risk and compliance issues that a healthcare organization needs to constantly track and manage. Additionally, a vCISO has the influence to gain a seat on the Board and can clearly communicate the organization’s risk, what’s working and what’s needed in terms of security posture, and how the company’s security practice fits into business strategy and decision making.

Here are four challenges a vCISO can help healthcare organizations address:

The budget is tight. Budgetary restrictions can be a major impediment to hiring and retaining the talent necessary to address security challenges. In the absence of security leadership, many organizations lean on IT managers or distribute responsibilities across staff to incorporate security into existing processes, which can result in fragmented policies and limited support that leave systems vulnerable. Alternatively, a vCISO can onboard quickly and offer security expertise and leadership on policies, employee training and awareness, and business continuity without the costs associated with recruiting, hiring and employing the role in-house.

There’s a lot of valuable data to protect. Healthcare organizations produce more data than ever, and keeping track of it is the first step to securing it. A vCISO can identify what data needs to be protected and how the data should be governed, and determine the negative impact on the organization, whether regulatory, financial or reputational, if it is not correctly protected. Research has shown that a healthcare record may be valued at up to $250 per record on the black market, compared to $5.40 for the next-highest-value record (a payment card).

The attack surface continues to evolve. The advent of more modern technologies, such as Internet of Things (IoT) devices, expands the attack surface and increases risk because these devices are inherently insecure and difficult to upgrade. Additionally, with the recent surge in telehealth, not only data sharing but also delivering remote care via applications and mobile devices could come at the cost of data privacy and possibly result in non-compliance. As a result, healthcare organizations must remain vigilant about tracking external and potential internal threats. A vCISO can bring immediate value by assessing what technologies and systems are in place; determining the probability of threats; quantifying the impact they could have on an organization; and making recommendations for continuous improvement.

Healthcare is highly regulated. Virtual CISOs bring a wealth of expertise on regulatory standards and compliance. For organizations considering hybrid or public cloud infrastructure, there are many compliance considerations for regulations like HIPAA, CCPA and GDPR. Organizations must identify the right frameworks, such as NIST or HITRUST, to guide security program development, and a vCISO can ensure they meet reporting standards.

The rise of telehealth and constant evolution of threats require healthcare organizations to prioritize investment in security leadership. Those facing budget limitations or other challenges should consider a vCISO as an excellent alternative to employing an in-house CISO. With extensive security expertise and breadth of knowledge, a vCISO can provide the leadership and support healthcare organizations need to achieve cybersecurity maturity and build a security-aware culture.