I was recently asked to write a short column on “What three things healthcare organizations can do to help protect their organizations from cyber risk and security breaches?” for the ABL Organization.
It is important to start at the top with company executives. If a healthcare firm wants to be protected from cyber risk and breaches, then the responsibility lies with company executives to set the tone. Management should not be running around with the spoken or unspoken notion that “nobody is interested in us because…
- We are too small
- My IT team is taking care of that
- I don’t want to think about it because it gives me a headache
- I don’t have the budget (which is really, I don’t really want to make security a priority)
- Security… huh? Wha…?”
Your team is extremely perceptive. If company executives harbor any one of these attitudes, I can assure you that you are in great peril. Some IT leaders can be very persistent, despite many healthcare executives expressing these attitudes, either directly or through their inaction. After a while, even the persistent will cave and adopt the culture management has created, the one that says, “we talk about security and privacy around here, but we don’t really mean it.” At that point, you have a defective and vulnerable culture regarding cyber liabilities. And if/when something does happen, as an executive, the ransomware note stops on your desktop.
So, what do I recommend, as an IT and cyber security professional for more than 20 years in the healthcare, DoD and financial sectors?
Start asking questions.
- Asking questions can be fun. Be inquisitive. Learn. Ask your team for recommendations; I am sure they have many. Ask how long it will take to implement their recommendations. Ask how much they estimate it will cost. Ask them about the outcomes they envision. Ask them how the recommended changes might provide a return on investment to operations in the form of improved operational maturity, fewer problems, and greater performance. Ask them what they perceive to be the cyber risks, financial risks, and regulatory costs that can come from a minor or serious breach. Let the questions lead to a meaningful conversation about the business impact on your healthcare firm of making changes or not making changes. If you have a meaningful conversation, you probably have a good, competent team working for you. Don’t be frazzled if they suggest a risk assessment, a penetration test, or something similar from a third party. That should be expected. But if your questions do not result in some solid answers and a meaningful conversation that inspires a feeling of trust, then you have to seriously consider whether you have your IT operations and cyber security in the right hands.
Review your budget and consider whether you are really spending enough.
- After having a meaningful conversation, you should have a good set of action items for all the parties involved. You should have a basic road map of what you need to do over some defined period of time. From that framework, you can start developing a budget. Security is a broad category that branches into many things you need to do throughout your organization. It may turn out that you have to make a very long-term plan, and in order to eat the cyber security elephant, you will need to do so one quarter at a time. ROIs can be tough to calculate for much of this. I hate ROIs whose only justification is the vague expectation that the company gets a return by avoiding fines or a costly and embarrassing breach; although in some cases that might be the reality. If you come to fully understand the many activities that go into making an organization strong in cyber security, you will find that most of the creation and documentation of procedures will actually make you more operationally mature, thus improving profitability. But you have to slow down enough to see the big picture.
Keep asking questions and change your culture of laxness regarding cyber security and privacy.
- As you make progress with improved operational maturity and cyber security, keep asking questions. You have a culture to change. Only by being constantly and genuinely inquisitive about what is going on will you be taken seriously when you say that your healthcare company has turned over a new leaf regarding the protection of your company, the privacy of your patients, and the profitability for your shareholders.