August 18, 2021
Three Components to Build a Strong Cybersecurity Strategy for Rural Hospitals
Rural hospitals face a growing threat from cyber criminals who are likely already planning attacks against them. Read below to learn three ways rural hospitals can prepare for the long term.
First, I understand that you need to address what’s in front of you right now, but remember to put plans in place to address what might be in front of you very soon. That is hard when resources are tight, cybersecurity budgets are small, and even finding cybersecurity talent can be an issue, especially for rural hospitals.
I will break down three areas of focus to establish a long-term cybersecurity plan that includes establishing an ROI to justify the right cybersecurity investments, creating a three-year cybersecurity roadmap, and using metrics to measure success.
Establishing ROI to Justify the Right Cybersecurity Investments
The focus of this piece is on rural hospitals, but these strategies can apply to hospitals of any size. I’ve found that hospitals have many questions when it comes to justifying spending money on cybersecurity, which often leads to indecision.
Examples of questions that rural hospitals struggle with are:
- How do I know what security technology will best protect us?
- How much cybersecurity is “enough”?
- Is more actually better when it comes to the number of cybersecurity solutions?
Other struggles rural hospitals face can be internal, like:
- Are all your organization’s decision-makers on the same page regarding what cybersecurity tools to invest in?
- Does technical understanding of cybersecurity issues differ between departments, and do cybersecurity priorities vary depending on roles?
Typically, I find that most current cybersecurity priorities and investments are based primarily on achieving a capability, such as implementing tools in order to avoid an outcome like a security incident.
Moving forward, I suggest to our clients that their cybersecurity priorities and investments be based on achieving a set of outcomes that are consistent, adequate, reasonable, and effective (CARE).
Here is the CARE model as defined by Gartner, with questions you can ask yourself in each of the CARE areas.
Achieve a Set of Outcomes by Answering These Questions
With those standards in mind, there are two questions you can ask to determine your investment strategy:
- What is the specific outcome we are trying to achieve?
- Will this help me create a defensible capability?
Our experience shows that if you subscribe to these standards, you can move your cybersecurity strategy to achieve a set of outcomes instead of a capability.
Creating a Three-Year Cybersecurity Roadmap
Our hospital clients often tell us that their cybersecurity strategies start with meeting regulations (HIPAA and NIST 800-53). I agree that you need to ensure you’re meeting these guidelines/regulations, but to truly thwart a cyberattack, you need to dig a little deeper.
The key is understanding your top areas of vulnerability and mapping out what it will take to close those gaps. You can then set priority levels and a plan over three years to get where you ultimately want to be.
We use a Cybersecurity Capability Maturity Model to map out areas of focus for our clients to quickly see their problem areas.
Develop Metrics to Track Success
The last area of focus I want to share is around developing cybersecurity metrics. Once you’ve understood your gaps and set your priorities, you are ready to track progress toward the achievements that you’ve set out in your roadmap.
Here are four key steps to measure your success.
Step I – Determine Your Audience
- Are the metrics for technical and non-technical people?
- What is the purpose of the metrics?
Step II – Determine Success
- What is the story you are trying to tell?
- What is the baseline or victory?
Step III – Determine Measurements
- What do you actually need to track? Start with less; you can always add more later.
Step IV – Determine the Sources
- What data will you need?
- If you don’t have it, is that a weakness or gap?
No matter where your hospital is in its cybersecurity journey, attackers are always evolving and creating new tactics, so you need to be diligent and continually evaluate and adjust your strategy. I hope some of these approaches give you a place to start. If you need help determining your cybersecurity maturity or strategy, please reach out at email@example.com.
John Gomez is the chief security and engineering officer at CloudWave.