HITRUST 2017 Recap – Part 2: Collaboration, The Cloud and Ransomware

Category: Leadership

Date: May 30, 2017

In the first conference recap, we briefly looked at how to get started with HITRUST. We also provided a peek into third-party risk assurance and touched on threat intelligence and information sharing. In this recap, we look at the value of collaboration, establishing trust in the cloud, and understanding the attributes of the bad actors that target the healthcare industry with ransomware.

CIO and CISO Collaboration

Hospitals rely on a ton of computer gear and networks to provide the best care possible; devices for imaging, monitoring, dispensing and data-entry all connect via wired and wireless networks. Deploying, maintaining and securing every aspect of this ecosystem requires a partnership between the information technology and information security teams—starting with the two management teams via collaboration between the CIO and CISO.

The relationship certainly drives down into the organization to meet the goals defined by the hospital:

  • Patient care
  • Patient safety
  • Patient satisfaction
  • Physician satisfaction
  • Regulatory compliance
  • Hospital reputation

However, a successful partnership between these two groups isn’t limited to their respective staff; collaboration also works by moving up the stack to the executive management team and the board of directors. Successful organizations can demonstrate to the board that they are following the HITRUST model. This approach is working for many across the industry as they leverage their partnerships to secure a portion of their overall IT budget for their cybersecurity program.

As pointed out by one of the audience members during a session covering this topic: “The risk decision should be the responsibility of the business—not the CISO nor CIO. The CISO should be tasked with presenting the risk in a fashion that enables the business to make the best decision possible.”

Maintaining Third-Party Trust When Moving to the Cloud

HITRUST held its Cloud Summit during the annual conference. One of the key points made was that cloud service providers (CSPs) need to take risk management and compliance seriously—and the covered entities that use their services need to do more than “trust but verify.” Instead, they should “verify, verify, verify.” Ultimately, it is the cloud service provider’s responsibility to understand what it means to be a secure covered entity (CE) versus just being a run-of-the-mill CE. Healthcare organizations should be able to verify that their CSP of choice has compliance built into its platform and services.

CSPs should also demonstrate that they develop for a secure, compliant, private environment that considers that care may be given locally and regionally. CSPs also need to demonstrate their technologies and services (and the data that resides within) will be used across state lines and perhaps even country borders: compliance needs to apply across the board.

Attributes of Bad Actors – A Fast Run Toward Ransomware Attacks

During the Evolution of Ransomware session by Armor’s Jeff Schilling, Jeff suggested that organizations need to tune their security programs and controls to address three types of threat groups:

  • Commodity
  • Targeted
  • Advanced

Understanding the tactics and procedures that these different types of threat actors use can give information security and risk management teams a better chance of identifying crime and fraud. The increase in ransomware can be attributed to the fact that there is a lot of risk for threat actors when they steal data and attempt to sell it on the black market, which also happens to be the most common reason healthcare organizations are targeted with ransomware.

Therefore, cybercriminals are moving to ransomware attacks and away from the more traditional “steal the credit card or health information” tactic. That’s because the time-to-value for these types of attacks is shrinking.

Given this understanding, the following are a few of the many tips shared by Schilling during his talk:

  • Continue to use anti-virus; it does a pretty good job of keeping up with most ransomware.
  • Devise a backup-and-restore strategy that can survive a ransomware attack.
  • Pay close attention to ransomware vulnerabilities; this is very good advice given the recent WannaCry outbreak that compromised a radiology system—the first time ransomware hit medical devices in U.S. hospitals.

More HITRUST Recaps Coming Soon

These two recaps provide a simple overview of the conference. Stay tuned to the HITRUST blog for more detailed recaps on specific sessions and topics.
