Particularly for smaller hospitals and medical groups, hiring a full-time chief information security officer can be a stretch of the budget and resources. But patient data must still be protected because smaller organizations face many of the same risks larger systems do.
So cybersecurity responsibility often falls to the CIO, the IT director or, to some extent, even the hospital's EHR vendor, none of which is traditionally aligned with a security role.
That reality is giving rise to two alternatives: tapping the expertise of a virtual CISO or outsourcing cybersecurity to a managed provider.
Baseline: Best effort
For organizations lacking cybersecurity resources, it can come down to "best effort security management," said Fernando Martinez, who has been a CISO, but for the last 25 years has primarily served as a chief information officer for large hospitals. He is the chief digital officer for the Texas Hospital Association and president and CEO of the Texas Hospital Association Foundation.
"What I've seen in smaller organizations is, you have a couple of people," Martinez said. "They may know a lot about it, but analysis and response becomes a best effort in following up a security ticket or an alert and dealing with firefighting in order of severity."
The big risk? Every vulnerability or weakness that isn't at the top of the severity list goes unaddressed, leaving data exposed to threats.
Managed cybersecurity service contract considerations
Hospitals can bundle a scope of responsibilities into a managed contract. The provider manages the network, alerts and help tickets. It can run vulnerability scans and take on the day-to-day infosec responsibilities.
Some security services providers have evolved into security operations centers serving multiple customers. Hiring a company to conduct real-time network monitoring is more expensive, Martinez said. Risk tolerance dictates how much security service an organization buys.
To ensure the provider's data centers have certified controls, contracts need to require those certifications, attestation to federal programs and annual risk assessments, said Chuck Christian, vice president of technology and engagement for the Indiana Health Information Exchange.
"There's a lot to keep up with," Christian said. "There are certifications, inherent overhead cost, training and education."
Martinez added that often local people have enough expertise to succeed: "You don't necessarily have to hire a big-five consulting firm."
Virtual CISO considerations
In a shared CISO situation, one security consultant can have four or five clients. A consultant may be on retainer, for example, ready when they are needed, said Lee Kim, HIMSS director of privacy and security.
Hiring a virtual CISO (vCISO) is increasingly becoming a viable alternative to bringing on a full-time executive, according to Mac McMillan, CynergisTek CEO and president.
Why? Because most organizations providing vCISO support will supply an individual who is not only experienced and properly certified, but is more than likely managing multiple organizations simultaneously. As such, they bring a breadth of knowledge and peer experience that in-house CISOs are hard-pressed to match.
Drawbacks include that it can take them longer to get up to speed on the nuances of a particular organization and, because they are managing multiple clients, they may not be immediately available to everyone when an urgent issue arises.
vCISOs work in every environment, from a small ambulatory setting to a large health system. They can fill many different roles, from full-on CISO, to CISO advisor, to mentor for an organization's own staff CISO who reports to a more senior CISO.
Conduct a risk analysis first
A risk analysis is always the first step, whichever option a healthcare organization pursues; better still, it should be done before the decision is made.
That means understanding what goes into the process, as "very few do a correct risk analysis," Martinez said.
A risk analysis, as mandated by HIPAA and enforced by the Office for Civil Rights, is not the same as a gap or technical analysis.
Hospitals tend to implement security solutions based on what they see as gaps in technical response. In fact, most are in a hurry to implement security solutions, Martinez said, and advised against letting that approach create a false sense of security.
Instead, a true risk analysis starts with a complete inventory of where data is stored and where data assets are located. Then each risk should be stratified by the likelihood of an incident occurring. After that, what's needed is a recurring, active, closed-loop process that keeps the analysis current, Martinez said.
A comprehensive risk analysis can be done in-house, or an outside expert can be brought in.
"That's more management discipline than investment in technology," Martinez said.
David Finn, executive vice president of strategic innovation at CynergisTek, agreed that it's better to understand the problem and figure out the best way to fix it than to simply go shopping for a new IT tool.
"I firmly believe that the biggest weakness our hospitals have is that they don't know what they don't know," Martinez said.
Cloud gaining traction for security
While hospitals have long been concerned about putting sensitive protected health information and medical data in the cloud, more and more are beginning to understand that big cloud vendors can frequently secure data better than hospitals can.
Yes, there are risks and business associate agreements to be ironed out, but cloud providers also hire top security talent and have massive resources to protect data. No strategic conversation about hiring a virtual CISO or outsourcing security to a third party is complete without understanding what's happening in the cloud and what security services are coming in the near future.
"We are seeing some very impressive tools for cloud security and even cloud-based security for on-premises systems. As we move more to the cloud, protecting data and our users' identities becomes more critical," Finn said. "Look for more solutions related to data loss prevention in the cloud, Cloud Access Security Brokers, email and even anti-malware."
"More importantly, look for these tools to communicate with each other and share information that enhances security for everyone," he added.
What hospitals ultimately decide will depend on the size of the organization, its budget and its internal expertise, because risk in general is something that cannot be managed to zero.