Cybersecurity and Privacy

Practical Guidance for Adopting a Cybersecurity Framework

A clinic keeping patient data safe with a cybersecurity framework

Ransomware, phishing emails, trojans. These are some of the threats responsible for countless breaches and compromised personal health records making the news. But information security professionals should not lose sight of less talked about threats that can be as harmful and sometimes more common in healthcare organizations.

Beazley’s Breach Insights found that healthcare was the top sector targeted by cybercriminals, with 31% of breaches caused by hacking or malware incidents. On the other hand, 31% of breaches were due to accidental disclosure, 17% to insider activity, 8% to physical loss and 6% to mishandled portable devices. Altogether, over 60% of healthcare breaches were the result of human error, neglect, or misconduct by members of the organization.

Protection against malicious external actors must undoubtedly be a top priority, but a comprehensive cybersecurity program should also address many other areas.

A year ago, my organization decided that a universal cybersecurity framework was the best way to develop such a program. Following the guidance and best practices developed by experts across multiple disciplines, industries, the government and academia provided us with the breadth and depth in cybersecurity that we could neither afford nor develop on our own—read about our experience building the case for a cybersecurity framework in my previous post.

What became evident from the beginning was that the majority of organizations adopting a framework were large health systems, hospitals, or academic centers with hundreds or thousands of employees. For a young and small private practice, it seemed like an ambitious enterprise.

Cynergistek’s Annual Report found that, among physicians groups like ours, 36% complied with one of the leading cybersecurity frameworks. Additionally, 27% of these were physicians groups with annual revenue under $50M and 28% had 500 or fewer employees. These numbers confirmed that we were among the few small physicians groups pursuing the adoption of a cybersecurity framework.

However, Cynergistek found that there has recently been an increase in framework conformance for organizations with 500 or fewer employees. This increase could be an indicator that small organizations are making strides toward addressing cybersecurity needs.

I heartily agree because this is where my organization finds itself today. Over the last nine months, we have been working toward a stronger cybersecurity posture. Along the way, we have encountered challenges and overcome obstacles. We have learned lessons that may be helpful or, at the very least, anecdotal to those taking up the challenge.

Develop a Roadmap

As eager as we were to start the adoption process, we decided to invest time researching and understanding our framework in depth. We found a fair number of documents, webinars, tools and spreadsheets that clarified the framework’s complexities, some of which we are using today to document and measure progress. This first step was essential in developing a roadmap to keep our team focused through the long run and the obstacles we were bound to encounter.

The modularity and flexibility of the framework we chose permitted us to select the framework controls to implement in each phase, so we divided the implementation into multiple short phases. Each phase was allotted no more than a few months so we could quickly measure progress and use it as feedback as we moved to the next phase. We selected framework controls for each phase that would strike a balance between business priorities and making fast and significant impact.

Identify Business Priorities

Conducting a full business risk assessment following our framework’s guidance would have been ideal, but it also would have taken a considerable amount of time and resources. Instead, we settled on a few key priorities:

  • Prioritizing systems critical for day-to-day operation
  • Estimating an acceptable downtime and recovery for each
  • Agreeing on acceptable data loss in a worst-case scenario
  • Improving regulatory compliance throughout the process

Make an Impact

The Pareto Principle, commonly known as the 80/20 Rule, is useful for many aspects of our daily lives, from business economics to personal relationships. Cybersecurity is no exception.

In general, the principle states that in many cases, roughly 80% of results are obtained with only 20% of the full effort.

Applied to cybersecurity, we would aim to address the majority of risks by first implementing the most vital controls. A quick internet search yields several lists of the top critical controls developed by a number of cybersecurity expert groups.

Leverage Resources

Before we started working on our framework, we had controls in place that, although adequate, were lacking fully documented policies, procedures and auditing processes. In some cases, manually developing the documentation was necessary. In others, we discovered that some of our systems had built-in reporting capability to produce documentation and audit logs to complement these framework controls. Enabling these features required minimal effort, allowing us to quickly adopt them into the framework.

An invaluable resource we have leveraged for advanced technical controls has been software from the open-source community. The nature of open source generally makes its implementation technically more challenging and difficult than commercial products. In the long run, though, stable and mature open source systems have proven extremely cost-effective. We have a number of open-source controls in place to address various requirements such as asset inventory, vulnerability scanning, incident tracking, penetration testing and system monitoring.

It is often said that cybersecurity is a team sport, but as cliché as it may sound, there is much truth to it. Bring your entire team on board by sharing your plans and goals. Reach out beyond your group and your organization to colleagues and expert groups. They may have solved a problem you haven’t been able to figure out.

Be Flexible

The foundation of information technology is essentially a binary system: a bit is either on or off, a calculation is either right or wrong. Enhancing a cybersecurity program is more nuanced and requires greater flexibility.

Even though a policy may not address all aspects of a particular issue, it may be good enough to achieve the desired outcome. An inventory may not include 100% of all devices, but it may be good enough to start defining baseline configurations or a patch management policy.

When adopting a framework, we had to keep this flexibility in mind. Working toward the best implementation of any single control was unrealistic and counterproductive. It slowed down the entire process, stifling progress and the adoption of other controls.

Controls may have a limited lifespan and become obsolete, whether a policy, a procedure or a technical safeguard. Periodically, controls will have to be revisited, revised, readjusted or replaced. Changes in technology, staffing, cyberthreats, business and the environment will force us to improve controls with each new iteration.

Fortunately, being flexible was a lesson learned early in the process. Adopting a cybersecurity framework seemed at first like a daunting and almost impossible task. As with any large project, a practical approach is to break it into groups of smaller, measurable and precise tasks with realistic deadlines. Arrange these in the correct order and you have the beginnings of a strategic roadmap to reach your goal.

The views and opinions expressed in this blog or by commenters are those of the author and do not necessarily reflect the official policy or position of HIMSS or its affiliates.

HIMSS Healthcare Cybersecurity Survey

Gain insights into the healthcare cybersecurity landscape based on feedback from industry professionals in our cybersecurity survey report.

Take a Look