Cyber Resilient Digital Health Leads to Sustainable Risk Management

Security measures must work for security teams, with controls that are measured and assessed. Efficacy tells us whether security measures are sufficient and working as intended. For an organization to fully optimize its security program, it must also address efficiency: whether the program delivers its outcomes within the budget and with the people, processes, and technology involved.

However, efficacy and efficiency are sometimes competing efforts. 

One organization may implement a log correlation tool, while another may manually review logs. Large providers may build an internal threat analysis team, but a smaller or more remote provider may subscribe to a feed. For any given security outcome, a near-infinite array of choices exists for how to achieve it. Guidance on how to optimize these aspects of security operations has been much less available than guidance about achieving specific security outcomes.

Prioritization

On the surface, prioritizing which security measures to implement looks like a straightforward risk management exercise: simply implement the controls that provide the highest risk reduction for the least amount of money. However, the growing array of Federal, state, and even foreign regulatory mandates, along with the frameworks and guidance relevant to any given entity, complicates prioritization.

In the best cases, specific controls within these sources overlap, so that addressing one satisfies multiple requirements from the broader list. Unfortunately, this rarely happens, because each guidance document has its own context and, consequently, its own expectations. The new NIST guidance around the Govern function will change the process and documentation requirements for prioritizing cybersecurity risks and remediation.

Security Operations

Security operations are challenging for healthcare for a host of reasons, including inadequate funding, personnel shortages, and skill set gaps. These challenges add more pressure on IT and security departments.

As a practical matter, many healthcare security teams are underfunded, and the related staffing gaps add to these pressures. A lack of personnel available to operate a tool or other technology erodes the value of the funds invested in it, while a lack of budget to acquire technology leads to inefficient use of staff time. Processes that rely heavily on human expertise are also less resilient: staff attrition can degrade performance or otherwise prove detrimental to existing processes.

Underfunding and staffing shortages are among the chief challenges facing security operations. Meanwhile, broader organizational concerns, such as systems availability or legacy technology, present their own challenges for SecOps to overcome.

For example, a hospital may need to decide how to use its resources effectively. One priority may be to secure existing assets, but another opportunity may be to invest in areas with more visible business benefits. Security investments are seldom as compelling to CEOs or boards as opportunities that directly increase revenue.

Even when internal, conflicting challenges are overcome, the external threat landscape must always be considered. Attackers and defenders are locked in an ever-advancing war of nerves, and the threat landscape shifts constantly as new attack methods are developed. The challenge is asymmetrical: defenders must mitigate every attack vector, but attackers need only one weakness to gain a foothold.

By working toward cyber resilience and away from purely security-based decision making, healthcare network defenders can begin to sustain risk management rather than attempting the impossible task of foolproof security. Risk reduction efforts supported by effective governance are the only way to adequately fend off attackers and limit the impact of the inevitable incident. These actions should be treated as mission-critical policies to keep our patient community safe.

For more information about Cyber Resilient Digital Health Practices, read the white paper “Cyber Resilient Digital Health: It’s Not Just About Security Anymore. How Do You Sustain the Management of Risk?” by David Finn, First Health Advisory’s EVP of Governance, Risk, and Compliance!
