Written by Glenn D. Stover, CISSP, HCISPP, Beebe Healthcare
I have worked in the IT and healthcare field now for several decades — to which I attribute the ever-growing number of grey hairs I have acquired as time has moved on. The healthcare industry has similarly aged, from the adoption of the first mainframes and personal computers to the now growing landscape of the Internet of Things (IoT), patient portals, and expectations of instantaneous data anywhere, anytime. Add in the often uncertain regulatory future, and it is fair to say that our health industry has aged as well — although perhaps more gracefully than I.
It’s safe to say that social engineering has similarly grown, from the first poorly written and grammar-bereft spam emails to the new and highly aggressive malware and ransomware attacks. Security is a major component for highly reliable healthcare organizations, and I do not believe there is any question of the security risks to administration, operations, finance, and ultimately to patient safety. Rather, the question becomes: how are you maturing and evolving with this threat?
Maturity
The HITRUST CSF approaches control maturity based on NIST’s PRISMA report, which ultimately drives two very simple concepts: controls being intuitive, and controls being measurable. The first three tiers for maturity establish:
- Control requirements must be clearly understood at all levels;
- Procedures must be in place to support the implementation; and,
- Controls must be fully implemented and tested and operating as intended.
At a minimum, this expects that you have policies and procedures implemented that are easily understood, applied, and operational. Like many professionals, I have seen organizations adopt a “check the box” mentality when it came to policy development or procedural documentation. HIPAA was often the excuse: it was the reason these things needed to be written down as policies or procedures. The minimum expectations were met, the ink dried, the paper was filed away, and organizations went on with their day with no further concerns because they had their policy, so of course they were compliant... And yet, a targeted phishing campaign against your organization will not care that you have a very official and clearly implemented policy against opening questionable emails.
Measuring and Managing
Growing beyond an organizational adoption of the bare minimums is where the HITRUST CSF’s fourth maturity level of ‘Measured’ and fifth maturity level of ‘Managed’ become crucial. You can’t effectively manage what you can’t measure. We live in the age of big data where metrics are often very easily and very cost-effectively captured.
Applying these five maturity levels to my social engineering prevention program, there is an Acceptable Use Policy (AUP) that clearly defines expectations for phishing emails, both real and internal test emails; there are defined step-by-step procedures; and there are controls that are implemented and routinely tested. A wealth of data from our social engineering prevention program is measured, including successes, non-successes, frequency of events, as well as individual, departmental, and organizational effectiveness. All of this seamlessly flows into the management of corrective actions, which ensure effective handling of any risks or identified weaknesses in the program.
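As an added illustration of the “Measured” and “Managed” levels described above (this is example code, not the post’s own or Beebe Healthcare’s program tooling), the following computes the kind of figures listed: organizational, departmental and per-campaign click and report rates from internal phishing test results, plus the list of users who clicked in more than one campaign and so are candidates for corrective action. The record layout, the field names and the sample results are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


# Constructed record layout for one recipient's result in one internal test campaign
# (hypothetical; a real simulation platform exports its own fields).
@dataclass(frozen=True)
class SimResult:
    campaign: date      # send date identifies the campaign
    user: str
    department: str
    outcome: str        # "clicked", "reported", or "ignored"


# Constructed sample data: two campaigns, four staff across two departments.
SAMPLE_RESULTS = [
    SimResult(date(2018, 1, 10), "alice", "Billing", "reported"),
    SimResult(date(2018, 1, 10), "bob", "Billing", "clicked"),
    SimResult(date(2018, 1, 10), "carol", "Nursing", "ignored"),
    SimResult(date(2018, 1, 10), "dave", "Nursing", "clicked"),
    SimResult(date(2018, 2, 14), "alice", "Billing", "reported"),
    SimResult(date(2018, 2, 14), "bob", "Billing", "clicked"),
    SimResult(date(2018, 2, 14), "carol", "Nursing", "reported"),
    SimResult(date(2018, 2, 14), "dave", "Nursing", "ignored"),
]


def rates(results):
    """Return (click_rate, report_rate) as fractions in [0, 1]; empty input yields zeros."""
    if not results:
        return 0.0, 0.0
    n = len(results)
    clicked = sum(1 for r in results if r.outcome == "clicked")
    reported = sum(1 for r in results if r.outcome == "reported")
    return clicked / n, reported / n


def rates_by(results, key):
    """Group results by key(result) (department, campaign, user) and compute rates per group."""
    groups = defaultdict(list)
    for r in results:
        groups[key(r)].append(r)
    return {k: rates(v) for k, v in sorted(groups.items())}


def campaign_trend(results):
    """Click rate per campaign in date order, so improvement or regression is visible over time."""
    return [(d, rate[0]) for d, rate in rates_by(results, lambda r: r.campaign).items()]


def repeat_clickers(results, min_campaigns=2):
    """Users who clicked in at least min_campaigns distinct campaigns: the corrective-action list."""
    clicks = defaultdict(set)
    for r in results:
        if r.outcome == "clicked":
            clicks[r.user].add(r.campaign)
    return sorted(u for u, c in clicks.items() if len(c) >= min_campaigns)


if __name__ == "__main__":
    org_click, org_report = rates(SAMPLE_RESULTS)
    print(f"Organization: click rate {org_click:.0%}, report rate {org_report:.0%}")
    for dept, (c, rep) in rates_by(SAMPLE_RESULTS, lambda r: r.department).items():
        print(f"  {dept}: click {c:.0%}, report {rep:.0%}")
    print("Trend:", [(d.isoformat(), f"{c:.0%}") for d, c in campaign_trend(SAMPLE_RESULTS)])
    print("Repeat clickers:", repeat_clickers(SAMPLE_RESULTS))
```

The report rate matters as much as the click rate: a department whose staff report the test email is exercising the AUP’s procedure, not merely failing to fall for the lure, and a rising report rate across campaigns is the cleanest evidence that education is taking hold.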
A Framework Mentality
Although this only provides one such example, there is a clear benefit to applying the HITRUST CSF methodology as a business and operational mentality. As a result of tracking the five levels of maturity for our social engineering prevention program, we’ve made strategic decisions that have positively increased staff education, decreased organizational risk, and demonstrated financial ROIs. Despite the number of grey hairs, my adoption of HITRUST across multiple business lines shows sometimes you CAN teach an old dog new tricks.