Comprehensive digital asset risk management must be a top priority for every organization and entity providing healthcare services, regardless of size. The steps described in this article achieve measurable results by using active and passive asset discovery technologies in concert with First Health Advisory’s risk management program to materially improve an organization’s security posture while reducing its cybersecurity risk.
The framework of our digital asset risk management program defines a digital asset as any device, equipment, or component storing or interacting with digital data using public or private communications. We include network connected physical assets within this definition to ensure a holistic approach to our risk management program.
As many, if not all, of us understand, there are significant challenges in just taking the first step: completely discovering, identifying, and classifying connected digital assets. Asset discovery, identification, and classification are an organizational mountain to climb and require an ongoing standard operating procedure to maintain as accurate an inventory as possible. Network-connected assets often appear on an enterprise network outside of any centralized process, creating connected-asset vulnerability debt without the IT or Security department’s knowledge and resulting in significant organizational risk. Creating a business mindset and awareness around asset identification and risk assessment improves the IT and Security departments’ visibility and their ability to address these risks more quickly.
Digital asset classification, or categorization, adds a very important component to our digital asset inventory data. We base classification on clear criteria about business operations and how a digital asset, or group of digital assets, supports them. We strongly recommend that classification be performed by the department responsible for the digital asset, because that department can most accurately prioritize and define the role its digital assets play in supporting business operations. First Health Advisory, as an example, collaborates with our customers to associate digital assets with a traffic light protocol (TLP) of red, yellow, and green. We classify, or categorize, red assets as critical, yellow as high, and green as low priority for the department’s support of business operations.
Finally, we step through the risk management process: identifying digital asset risk, assessing each risk for impact and likelihood, developing remediation and mitigation controls, creating playbooks for events that rise to the level of an incident, and reviewing risk and incident response activities to continuously improve the program.
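To make the discovery, classification, and risk-assessment steps concrete, the following is an added example and not First Health Advisory’s program code or tooling. It merges active and passive discovery results by MAC address, joins them against a central inventory to surface assets that appeared outside the centralized process, applies the department-supplied red/yellow/green classification from the article, and ranks a simple risk register by impact times likelihood. All sample records are constructed; the impact and likelihood scales, the scoring weights, and the choice to treat unclassified assets as critical until a department classifies them are assumptions, not values from the article.

```python
"""Reconcile active and passive discovery with the managed inventory and rank risk.

Added example, not First Health Advisory's code. Sample data is constructed;
scales and weights below are assumptions for illustration.
"""
from dataclasses import dataclass, field

# Constructed: records from an active scanner (probes hosts directly).
ACTIVE_SCAN = [
    {"ip": "10.10.1.20", "mac": "00:1a:2b:00:00:01", "services": ["443/https"]},
    {"ip": "10.10.1.35", "mac": "00:1a:2b:00:00:02", "services": ["104/dicom"]},
    {"ip": "10.10.2.7",  "mac": "00:1a:2b:00:00:03", "services": ["22/ssh", "3389/rdp"]},
]

# Constructed: records from passive monitoring (listens to traffic, never probes),
# which catches devices that drop or are excluded from active probes.
PASSIVE_OBSERVED = [
    {"ip": "10.10.1.35", "mac": "00:1a:2b:00:00:02", "services": ["104/dicom"]},
    {"ip": "10.10.3.50", "mac": "00:1a:2b:00:00:04", "services": ["80/http"]},
]

# Constructed: the centrally managed inventory. The owning department supplies
# the TLP colour (red = critical, yellow = high, green = low), as in the article.
CMDB = {
    "00:1a:2b:00:00:01": {"name": "ehr-web-01", "dept": "Clinical IT", "tlp": "red"},
    "00:1a:2b:00:00:02": {"name": "pacs-modality-03", "dept": "Radiology", "tlp": "red"},
    "00:1a:2b:00:00:03": {"name": "hr-jump-host", "dept": "HR", "tlp": "green"},
}

TLP_IMPACT = {"red": 3, "yellow": 2, "green": 1}            # assumed 1-3 impact scale
REMOTE_ADMIN = {"22/ssh", "3389/rdp", "23/telnet", "5900/vnc"}  # assumed exposure indicator


@dataclass
class Asset:
    mac: str
    ips: set = field(default_factory=set)
    services: set = field(default_factory=set)
    seen_by: set = field(default_factory=set)
    name: str = "UNKNOWN"
    dept: str = "unassigned"
    tlp: str = "unclassified"
    managed: bool = False


def reconcile(active, passive, cmdb):
    """Merge both discovery sources by MAC, then join against the inventory."""
    assets = {}
    for source, records in (("active", active), ("passive", passive)):
        for rec in records:
            a = assets.setdefault(rec["mac"], Asset(mac=rec["mac"]))
            a.ips.add(rec["ip"])
            a.services.update(rec["services"])
            a.seen_by.add(source)
    for mac, a in assets.items():
        entry = cmdb.get(mac)
        if entry:  # known to the centralized process
            a.name, a.dept, a.tlp, a.managed = entry["name"], entry["dept"], entry["tlp"], True
    return assets


def unmanaged(assets):
    """MACs discovered on the network but absent from the inventory."""
    return sorted(a.mac for a in assets.values() if not a.managed)


def impact(a):
    # Assumption: an unclassified asset is treated as critical until its
    # owning department classifies it, so it cannot hide at the bottom of the list.
    return TLP_IMPACT.get(a.tlp, 3)


def likelihood(a):
    # Assumed heuristic: baseline 1, +1 for exposed remote-admin services,
    # +1 when the asset sits outside the managed inventory (no patch/config ownership).
    score = 1
    if a.services & REMOTE_ADMIN:
        score += 1
    if not a.managed:
        score += 1
    return score


def risk_register(assets):
    """Rank every asset by impact x likelihood, highest first, ties by name."""
    rows = []
    for a in assets.values():
        rows.append({"mac": a.mac, "name": a.name, "dept": a.dept, "tlp": a.tlp,
                     "managed": a.managed, "seen_by": sorted(a.seen_by),
                     "impact": impact(a), "likelihood": likelihood(a),
                     "score": impact(a) * likelihood(a)})
    return sorted(rows, key=lambda r: (-r["score"], r["name"]))


if __name__ == "__main__":
    inventory = reconcile(ACTIVE_SCAN, PASSIVE_OBSERVED, CMDB)
    print("Unmanaged assets:", unmanaged(inventory))
    for r in risk_register(inventory):
        print(f'{r["score"]:>2}  {r["tlp"]:<12} {r["name"]:<18} {r["dept"]:<12} '
              f'managed={r["managed"]} seen_by={r["seen_by"]}')
```

Running the block ranks the asset seen only by passive monitoring and missing from the inventory above every classified asset, which is the point of combining both discovery methods with the CMDB: the asset nobody owns is the one that needs a department assigned and a classification decided first.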