Healthcare Security Success Requires Engagement and Mutual Understanding of Risk Tolerance

We all know that security attacks are at an all-time high. While there was some talk of hackers giving healthcare a break amidst COVID, it’s clear that hackers are calling fair game on healthcare institutions now whether they took a slight break or not.  Is your healthcare organization ready for these attacks?

The unique security challenges healthcare organizations face was highlighted really well on a recent CIO and CISO roundtable with a wide variety of healthcare organizations we hosted with Dell Technologies and VMware.  Whether it’s the need to share data in healthcare that’s opened us to new vulnerabilities, or the explosion of new endpoints being used by patients and staff, there’s an important learning curve healthcare’s going through to securely allow for these new modes of providing care.

Plus, it was aptly pointed out that healthcare clinicians largely got into healthcare because they want to help people.  When a phishing email gets sent to a nurse or doctor, their natural instinct is to want to “help” by clicking on that link.  Needless to say, securing a healthcare organization is a challenge.

Everyone in the roundtable agreed that you can’t create a completely fail-safe environment.  In fact, one CISO suggested that you kind of have to choose the punches you are going to take since you can’t block everything.  In fact, he took it one step further and offered a great framework for discussing and building a mutual understanding of risk tolerance when it comes to your security efforts.

Here are the five areas you can use to engage your board and your healthcare organization around risk tolerance:

  • Assets
  • Threats
  • Vulnerability
  • Likelihood
  • Impact

The healthcare CISO suggested that an engaged organization that openly discusses these topics will help to create a mutual understanding of what security risks are out there, what the organization has done about them, and areas where they have chosen to take a risk.  That’s not to say that there won’t be constructive friction about what option is best and what path should be taken, but this type of engagement helps everyone get on the same page when it comes to your organization’s security posture and the culture of security that has been created at an organization (or has not yet been created).

Another area of good discussion was around the need to look at how your organization is approaching each of the following security areas:

  • Prevention
  • Detection
  • Response
  • Recovery

One CISO suggested that understanding how you’re doing in one area can often save you money in another area.  For example, if you’ve put a lot of effort into preventing breaches for a certain asset, then maybe you don’t need to invest in the top AI detection agents for that asset.  A more basic detection agent might be sufficient.  Of course, if you haven’t invested in prevention (i.e. 2-factor authentication because it inhibits ease of use), then you may need to invest in a higher quality detection agent.

The reality is that no security program is going to be perfect.  However, it is important that it continues to mature over time.  One participant also noted that this maturity needs to happen across people, process, and technology.  It’s not enough to just upgrade to new technology.  Security requires a mature approach to people, process, and technology to be effective.

Learn more about Dell Technologies Secure Care solutions.

About the author

John Lynn

John Lynn

John Lynn is the Founder of, a network of leading Healthcare IT resources. The flagship blog, Healthcare IT Today, contains over 13,000 articles with over half of the articles written by John. These EMR and Healthcare IT related articles have been viewed over 20 million times.

John manages Healthcare IT Central, the leading career Health IT job board. He also organizes the first of its kind conference and community focused on healthcare marketing, Healthcare and IT Marketing Conference, and a healthcare IT conference,, focused on practical healthcare IT innovation. John is an advisor to multiple healthcare IT companies. John is highly involved in social media, and in addition to his blogs can be found on Twitter: @techguy.

Add Comment

Click here to post a comment