Cyber Resilient Digital Health: Risk Management & Governance
Healthcare struggles with risk management more than almost any other sector. Most organizations either do not perform risk management, perform it poorly, or believe they are performing it when they are not, even among covered entities and business associates that have a regulatory mandate to do so.
Healthcare and healthcare-related entities in the United States have had a regulatory requirement to undertake risk management for the past 20 years. But one merely needs to look at the record of HIPAA compliance to see this requirement has not been met.
For some entities, the challenge is the disconnect between the risk an enterprise actually faces and the specific countermeasures and practices of regulatory compliance. When an enterprise must choose between one control that satisfies a regulatory or customer requirement and another control that delivers broader risk reduction for the organization, compliance typically wins.
While compliance-driven efforts ensure that a minimum baseline is achieved, these actions sometimes do so without accounting for the specific risk the enterprise might encounter. Under HIPAA, every provider must meet the same level of compliance, which means the minimum baseline may be sufficient for risk mitigation and compliance for certain organizations, but for others, it will not.
For example, a large academic medical center in a city of over 1 million people will have a much heavier lift than a critical access hospital in a community of 2,700 people. The two entities will also take vastly different approaches to cyber resiliency. Risk reduction could be a better use of enterprise resources overall; however, meeting the requirements of a regulation is often not optional.
With the complexity and evolving definition of the healthcare enterprise, risk management now requires covered entities to understand factors that are difficult to measure or moderate: the likelihood of a situation occurring (Change Healthcare); the impact if a situation does occur (a nearby hospital being ransomed); and the relative difference in impact before and after a countermeasure is implemented.
Each situation is supported by many independent variables and influenced by many “what-if” scenarios and includes numerous outliers and other unique factors. It’s not an exaggeration to say a healthcare enterprise could invest its entire security budget in risk management and still not be 100% correct.
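The likelihood, impact, and before/after comparison described above, as a worked example added here (it is not from the white paper or First Health Advisory): the scenario figures, the two candidate controls and their effect multipliers are constructed assumptions for a hypothetical mid-sized provider. It also shows why the outliers matter: a single "what-if" on the ransomware impact changes which control has the better net benefit.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Scenario:
    name: str
    likelihood: float   # estimated annual probability the event occurs (0..1)
    impact: float       # estimated loss in USD if it does occur

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    likelihood_factor: dict  # scenario name -> multiplier on likelihood once in place
    impact_factor: dict      # scenario name -> multiplier on impact once in place

def annual_loss_expectancy(scenarios):
    # Expected annual loss: sum of likelihood * impact over all scenarios
    return sum(s.likelihood * s.impact for s in scenarios)

def apply_countermeasure(scenarios, cm):
    # The scenario set as it would look with cm in place (unlisted scenarios unchanged)
    return [replace(s, likelihood=s.likelihood * cm.likelihood_factor.get(s.name, 1.0),
                    impact=s.impact * cm.impact_factor.get(s.name, 1.0))
            for s in scenarios]

def evaluate(scenarios, cm):
    # Before/after comparison: the relative difference a single control makes
    before = annual_loss_expectancy(scenarios)
    after = annual_loss_expectancy(apply_countermeasure(scenarios, cm))
    return {"before": before, "after": after, "reduction": before - after,
            "net_benefit": before - after - cm.annual_cost}

def best_countermeasure(scenarios, candidates):
    # Name of the control with the highest net benefit for this scenario set
    return max(candidates, key=lambda cm: evaluate(scenarios, cm)["net_benefit"]).name

# Constructed, hypothetical figures for a mid-sized provider; not from the white paper
BASELINE = [Scenario("ransomware outage", 0.10, 5_000_000),
            Scenario("phishing credential theft", 0.40, 250_000),
            Scenario("lost unencrypted laptop", 0.20, 100_000)]
# "What-if" outlier: a regional incident triples the ransomware impact
OUTLIER = [replace(s, impact=s.impact * 3) if s.name == "ransomware outage" else s
           for s in BASELINE]
BACKUPS = Countermeasure("offline backups + tested restore", 150_000,
                         likelihood_factor={}, impact_factor={"ransomware outage": 0.3})
MFA = Countermeasure("phishing-resistant MFA", 60_000, impact_factor={},
                     likelihood_factor={"ransomware outage": 0.5, "phishing credential theft": 0.1})

if __name__ == "__main__":
    for label, scenarios in (("baseline", BASELINE), ("outlier", OUTLIER)):
        print(label, "->", best_countermeasure(scenarios, [BACKUPS, MFA]))
```

Under the baseline figures MFA has the higher net benefit, but the single outlier on ransomware impact flips the ranking to backups, which is exactly the sensitivity the text warns a budget cannot fully buy away.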
Governance
In 2023, NIST rolled out version 2.0 of its Cybersecurity Framework (CSF) to add a "Govern" function to its initial five core functions: Identify, Protect, Detect, Respond, and Recover. The addition of Govern as a core function reaffirms the importance of incorporating governance into cybersecurity activities.
The Govern function covers the people, process, and technology elements, as well as the roles, responsibilities, policies, procedures, oversight, and technology for a broader, deeper, and more formalized approach to governance, which is not often seen in healthcare organizations.
Ordinary Care and Neglect
Most security practitioners say due care is vital, and many would argue it is a moral and ethical imperative as well. However, ensuring ordinary or due care has been a challenge for healthcare, particularly when compared with the conformity to normal business standards that other sectors have effectively demonstrated.
To address cyber resiliency, enterprises must invest time, resources, and budget to ensure that industry-accepted standards and frameworks, as well as legal and regulatory requirements, are applied.
No one can argue security isn’t important, but we can’t seem to agree on just how to measure security:
- What’s applicable and sensible?
- What’s the best practice for our organization?
- What’s the standard of care?
Reasonable measures to address security can be hard to determine. Provider organizations are often secretive about what has and has not worked for their network in terms of security controls, practices, and goals, which has shrouded both the challenges and the successes within healthcare. As a result, no one can leverage the experiences of other entities to inform and improve their own processes.
Hospitals may have a rough picture of industry-standard practices based on guidance (HIPAA, NIST CSF, and Health Industry Cybersecurity Practices (HICP)), but these standards vary by geography or audience, type of hospital, or type of care. Regulatory mandates provide guidance by defining a baseline, rather than a complete catalogue of industry policies, procedures, or processes.
Frankly, entities that fail to perform "ordinary care" on a regular basis are neglecting their duty of care. This applies to those shutting down due to "technical debt," i.e., running on old hardware and software that has not been patched or updated in several years, and to those still training staff on policies rolled out 10 years ago.
As regulators push for baseline standards, these inactions will likely all be viewed as neglect in the eyes of regulators, prosecutors, and the public in the future.
For more information about Cyber Resilient Digital Health Practices, read the white paper “Cyber Resilient Digital Health: It’s Not Just About Security Anymore. How Do You Sustain the Management of Risk?” by David Finn, First Health Advisory’s EVP of Governance, Risk, and Compliance!