Three ways for healthcare CISOs to modernize security

In an ever-changing landscape of cyberthreats, here are some ways CISOs can bring teams together and establish a culture of security.
08:52 AM

Photo: sturti/Getty Images

By Joseph Davis, Chief Security Advisor, Microsoft

When I start a new relationship with a CISO, I try to impress upon them the importance of their role, whether that role is at a hospital, payment processor, research organization or a pharmaceutical manufacturer.

Too often, I meet with cybersecurity teams that are overwhelmed by the complexity of the task before them. Many are dealing with a mix of legacy equipment that hasn’t been updated in years, prompting fears that their organization could become the next ransomware victim or that an incident that starts as digital winds up becoming physical, causing harm to a patient.

They all know that lives are on the line in healthcare and they play an important and serious role in keeping the organization operational, profitable and safe. It’s critical to step back and see the big picture: how they can modernize their organizations and bring them into the modern world of hybrid work based on Zero Trust and multi-cloud environments.

Here are four ways security leaders can take a proactive mindset:

Embrace the role of diplomat

CISOs have to bring people from different departments together. Start by building bridges between the IT staff and the security team. It’s also important to bring in public safety, physical security, human resources and the individuals in management who control budgets. Explain to them that cyberattacks overlap, so security has to become everybody’s business – it’s not just confined to the CISO and the security team.

Impress upon the IT and networking staff that it’s better for everyone if the organization moves away from legacy infrastructure and embraces tools that can provide visibility and enhanced communications across the enterprise. Many IT and networking teams have spent years working in their specific domains and have invested time, money and a great deal of effort to learn specific products. Get them excited to learn new technologies that can add convenience to their work lives while improving visibility across the organization, putting the team in a stronger position to identify, respond to and prevent future cyber incidents.

Manage risk appropriately

Healthcare professionals are always assessing risk. Before an important surgery, the surgeon will conduct an analysis and tell the patient that, under certain circumstances, they have a 90% chance of a good outcome. The patient then has to weigh the risks and decide if they can move forward with that assessment.

CISOs have to run the same kind of risk calculations on security technologies. They have to ask themselves: What’s the risk of compromise and lateral movement across the network if we keep running our legacy equipment? What’s the likely result of a system compromise? Another possible question might be: What’s the risk of having an outdated electronic medical records (EMR) system versus modernizing and moving the EMR system to the cloud? As much of a risk as it is to move an EMR to the cloud, does it serve the organization to keep running an EMR that’s reaching its end of life?

In healthcare, we find a lot of “analysis paralysis” where organizations continue to study new technologies and never act because they are concerned about downtime and errors during the inevitable learning process. What I tell CISOs is to assess the risk.

Take multi-factor authentication (MFA), for example. There are CISOs who tell me that it’s theoretically possible for MFA to be hacked. While that’s true, I tell them that Microsoft has found that MFA blocks nearly 99% of all account takeover attempts. Plus, it takes a sophisticated threat actor to circumvent MFA. Run a risk analysis. I think most people would agree that 99% is an acceptable number.

A CISO’s job is to run a risk analysis and decide if maintaining the status quo makes sense versus moving the organization forward and innovating with new technologies that will make the staff more productive and secure in the long run.

Take advantage of the shift to the hybrid work model

The pandemic has offered a golden opportunity for technology organizations to move the needle forward on digital transformation projects. Hospitals were inundated with patients and found they couldn’t support the volume of patients with their legacy applications. Medical practices had to figure out ways to accelerate telehealth, and research organizations and medical distributors had to learn how to operate in a new work-from-home setting.

CISOs at healthcare organizations need to take advantage of these shifts and show top management that it’s imperative to invest and modernize. Explain the benefits of moving to the cloud, including cost savings from not running as many server farms, development flexibility and the overall mobility for the staff in the work-from-home model. Cloud technologies offer enhanced security because all their applications are automatically updated regularly and Microsoft Azure for healthcare offers a “single version of the truth” where all the technology departments now have visibility into network traffic. It also offers a platform for enhanced patient engagement where many live today – on their mobile devices.

Adopt authentication technologies that will get staff buy-in

When CISOs are looking to roll out new technologies, I tell them to first focus on identity and authentication. Windows Hello for Business is a good place to start. It replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that Microsoft ties to a device using a biometric or PIN. Windows Hello will let users authenticate to a Microsoft account, an Active Directory account, and a Microsoft Azure Active Directory (Azure AD) account.

CISOs can also show how single sign-on (SSO) in Azure Active Directory can save users the hassle of having to log in every time they need an application. SSO lets users sign in and authenticate using one set of credentials to multiple independent software systems. With SSO, users can access all needed applications without having to authenticate using different credentials. Thus, SSO reduces the need for multiple passwords, significantly reducing user errors and misconfigurations by network administrators.

Empower patients. Improve healthcare delivery. Deliver security.

CISOs must take a leadership role in bringing all the disparate forces together at their organizations. Everyone has seen the news about ransomware and other cyberattacks – and nobody wants to be on TV explaining financial losses, or worse, an injury or death because of a cyberattack. When CISOs have the tools and intelligence to see the big picture, I believe they will see what a great opportunity lies before them to transform their organizations. We stand ready to partner closely with CISOs to make their healthcare organizations more productive, engaging and secure.

Access more information from this sponsor here: https://aka.ms/SecureHealth

By Microsoft Security

Want to get more stories like this one? Get daily news updates from Healthcare IT News.
Your subscription has been saved.
Something went wrong. Please try again.