A cybersecurity firm and a consulting giant team for a new cybersecurity framework

The goal is to provide executives with a practical framework for addressing the people, process and technology elements of the cybersecurity challenge, Palo Alto Networks and PwC said.
By Bill Siwicki
01:37 PM

Most healthcare executives and board members are quite aware of the importance of cybersecurity, but many may feel poorly prepared when it comes to managing risks because of the numerous technical and non-technical aspects of this complex issue.

To help executives better prepare their organizations for modern cybersecurity threats, Palo Alto Networks, a global cybersecurity vendor, and PwC, a consulting giant, have released “Security Framework: A Guide for Business Leaders.” The goal is to provide executives with a practical framework for addressing the people, process and technology elements of the cybersecurity challenge, the two firms said.

“Although information technology has created a new digital age, transforming every aspect of modern life and bringing with it greatly enhanced productivity gains and standards of living, its underlying infrastructure is inherently vulnerable to exploitation,” the report notes. “This leaves society open to fundamental cybersecurity risks. Businesses globally constantly face an onslaught of malicious activity, ranging from theft of precious intellectual property and customer records to destruction of valuable proprietary information.”




To manage the risk of cyberattacks in an appropriate and effective manner and prevent successful attacks, Palo Alto Networks and PwC said businesses, including healthcare organizations, must structure their cybersecurity programs to:

  • Identify organization-specific critical assets, priorities and related governance structures.
  • Monitor and analyze all traffic to establish visibility of all users, applications and content traversing corporate networks, clouds and end-points to define and refine organizational information security policies.
  • Protect from attack by enforcing policy to reduce organizational attack surface and prevent known and unknown threats.
  • Detect and respond to the inevitable successful attack in a manner that incorporates mitigations and protection mechanisms to prevent similar attacks in the future.

“Given the technological and economic dynamics that greatly favor attackers, defenders must adopt a new approach to counter malicious actors and to prevent successful attacks – the loss of the confidentiality, integrity or availability of corporate assets,” the report said. “This fundamental shift starts with the identification of the firm’s most critical assets and a thorough risk assessment of the potential threats and vulnerabilities impacting those critical assets. Once this risk analysis is complete, firms can focus on automating the manual activities of detection and remediation to an adaptive, repeatable process that prevents breaches and achieves meaningful security that changes the economics of cyberattacks that target the firm’s most critical assets.”

The approach created by Palo Alto Networks and PwC draws on the NIST Cybersecurity Framework; however, the sequencing of some activities is intentionally different, the two firms said.


“A fundamental shortcoming with many current approaches to managing cybersecurity risk that this framework seeks to remedy is a lack of full visibility of users, applications and content traversing corporate networks, cloud and end-points,” the report said. “This by definition limits the effectiveness of protection efforts, as an organization cannot protect against what it does not observe. With this full visibility, organizations will be empowered to implement security policies oriented to prevent attacks firstly, thereby enhancing organizational effectiveness at detecting and responding to a more limited set of attacks that may still be successful.”

For more information on the security framework and to download a copy of the document, click here.

Twitter: @SiwickiHealthIT
Email the writer: bill.siwicki@himssmedia.com

