Security Strategy, Plan, Budget, Training

Rethinking the approach to health care’s reliance on IT as security leaders

A hospital worker pushes a cart past the patient information center at the Indiana Heart Hospital April 1, 2003, in Indianapolis. (Photo by Mike Simons/Getty Images)

A chief information security officer bears the responsibility of driving a culture of security across the enterprise from gaining board and financial support for key initiatives, to implementing tech and processes that will keep the network safe or online after a cyberattack.

But what happens when there’s either no one leading the charge, or the security leader is actually an IT employee without a cyber background?

All sectors are struggling to attract and retain cybersecurity talent. In health care, the situation is more dire. Outside of massive health systems, frequently equipped with a CISO and expansive teams to tackle the vast number of security challenges, the majority of small- to medium-sized providers don’t have that luxury.

In 2017, the Department of Health and Human Services Health Care Industry Cybersecurity Task Force report confirmed an alarming statistic that remains the case four years later: three out of four hospitals don’t have a designated security person and have been getting creative with security needs.

A year later, Ponemon Institute research confirmed that the vast majority of providers were struggling to recruit security staff, and another 49% didn’t have a CISO. 

“We don't have enough professionals, it's simple as that. We have too many groups that are willing to pay the big bucks that take the people away from some of the groups that need them,”  Ryan Chapman, a certified instructor candidate at SANS Institute.

From Chapman’s experience, in health care, major hospitals have a decent number of security employees that are properly equipped with every tool needed to get the job done. But there are others that can’t afford those folks. The Health Insurance Portability and Accountability Act requires covered entities and business associates to designate an employee as a privacy and security leader. Who then is leading the charge?

The answer varies by provider: some are leveraging virtual CISOs or managed security service providers (MSSPs), while others hand the task to the IT team or another workforce member. In other sectors, this practice would likely be frowned upon, but in health care it’s truly a necessity for some. 

Frankly, smaller providers don’t have the funds to retain talent, and those that do, may live in remote locations that make it challenging to recruit talent. Security stakeholders may be quick to judge the practice, but necessity begets ingenuity. And with the financial impact of the COVID-19 pandemic on most providers, the practice is destined to continue into the near future.

Instead of shaming the practice, SC Media spoke with Chapman, to detail the risks and drawbacks posed by the practice, as well as the best way to approach equipping non-security folks or third-party vendors as cybersecurity leaders in health care.

IT does not equal a security-skillset

One of the biggest challenges with IT in terms of health care is to take the IT leader and dub them as security leader, said Chapman. But “it absolutely does not work that way. You have to be specially trained, or at least have a background in security.”

An IT leader may have more than 10 years in the field, but not know the difference between terminologies and the importance of basic security analysis, explained Chapman. It’s not meant as a disparaging remark, but rather, an attempt to shine a light on the need to better equip non-security employees to successfully tackle security needs when called upon.

“You can’t just take someone who typically runs email servers or who has managed the entire network and expect them to not get too far in the weeds,” he added. The terms, tools, and threats are all different. And in Chapman’s experience, some IT folk don’t have a grasp on some of these basics.

There’s a serious knowledge gap faced by IT leaders due to a lack of experience, explained Chapman. So while an IT leader or outside vendor can typically apply the right tools and review suspected alerts, there’s often a lack of understanding as to why threats get in and just how long the actor was inside the network.

In essence, they may be able to understand the basics, but still are missing the analysis component: a crucial part of any security program.

But bringing in an outside consultant, vCISO, or MSSP also poses key challenges — regardless of the service or function they’re tasked to address. Chapman explained that one of the biggest hurdles is the general unfamiliarity with how the entity is governed or monitored.

“Defining, understanding, and maintaining baselines within an organization requires intimate familiarity,” said Chapman. “When a third party comes into the picture, providers must not simply bring them in, provide access, and back away. Doing so could lead to a lack of understanding.” 

“False positives and false negatives alike could become abundant should the third party not become familiar with the environment: The people, processes, and tools,” he added.

Better equipping the on-hand leaders

It’s easy from an outside perspective and without being part of spending decisions to say that “at the very least 10% of the IT budget should be allocated to security,” Chapman stressed. Not only that, but allocating the budget is just part of the problem. There’s also employee and specialist shortages in health care that make it difficult to fill these massive security and staffing gaps.

As noted, some providers just don’t have another option than to look outside the organization for security assistance or to task the IT leader with security functions. But to avoid some of these potential downfalls, providers need to ensure they’re making the best choices for the enterprise.

To better equip IT with security knowledge, organizations should at least send the leader to receive training and certification to have the tools needed for the task and to “train them so they have a security mentality, know how to use the tools,” and other needed elements.

“Start small: start with smaller certifications and move on,” said Chapman. “For example, take a SANS course, if [the IT leader] has never done security or has only very little experience. There are a lot of starter courses that can act as a starter for those who are IT-focused. And I would not hesitate to recommend people look into the online training programs, like PluralSight.”

But as there are an abundance of offerings, the challenge organizations may find is finding the right place for IT to focus. Chapman stressed the need for seeking foundational courses, such as an intro into digital forensics.

Chapman, of course, recommends sending employees or potential security leaders to SANS Institute for cybersecurity training. But providers can also rely on freely available resources that can better equip the IT team to, at the very least, begin finding and eliminating some of the key network vulnerabilities.

The HHS voluntary cybersecurity resource is a vital guide for small- to medium-sized providers, while the Centers for Internet Security also compiled a top 20 list of needed security controls.

By reviewing the controls, the IT leader designated as the security leader can determine where to prioritize security on the network, beginning with a complete inventory and moving into asset management, he explained.

The Healthcare and Public Health Sector Coordinating Council previously released guidance specific to equipping health delivery organizations with effective security leaders, which can also provide organizations with the best way to approach these processes.

When seeking outside assistance, such as contracting with a third-party security oversight vendor, Chapman stressed that the vendor must be “intimately familiar” with the health care environment.

For example, many vCISOs provide services to organizations on a global scale, but not all are familiar with the complexity, challenges, and potential compliance issues specific to health care, such as how CIS controls map back to HIPAA.

Therefore, when searching for the best vendor for their environment, providers will need to ensure the contract includes requirements for strong communication processes and business acumen training. 

The communication piece is absolutely critical, Chapman stressed. Some MSSPs don’t communicate with their clients because they’re taking on too many organizations and don’t have the time to do it. And sometimes, when that communication occurs, the information provided to the organization is minimal and, again, lacking the critical analysis.

Too many times, Chapman has seen entities being told that “everything is fine,” or “we have our eyes on you,” in a way that feels more like placation than actionable intelligence. As a result, entities need to list communication requirements during the contracting process, which should include regularly scheduled meetings, once a month at the bare minimum.

The communication should also include required follow-ups in emergency situations or when a threat occurs. A hospital needs a direct line of communication to their MSSP or other security vendor

Further, Chapman noted that the entity will also need to thoroughly vet the vendor’s understanding of security specific to the health care space. Research has shown that simply asking local hospitals, reading reviews, and verifying familiarity with HIPAA can support providers with assessing the vendor’s experience in the sector.

“While many providers may not know what to ask in terms of security-oriented questions, this is where frameworks such as NIST, CIS, and others become important,” explained Chapman. “The responses to how the third party's processes map to such frameworks can be difficult to decipher.”

“In such cases, the speed with which responses are provided and the amount of pre-established documentation available detailing such correlations can be obvious signs as to who is and is not ready to take on the position,” he continued.

The goal is to make sure the vendor understands what’s expected in terms of people, processes, and tools, which the provider can verify by asking health care-specific questions on how they approach security and manage risk.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.