Cyber Risk Strategy: Healthcare

Enhancing security of PHI as well as increasing business continuity and focus for healthcare providers

Challenge

A healthcare organization had experienced a prior cyber intrusion and discovered that their existing risk mitigation strategy needed to be enhanced and possibly redefined. Otherwise, they would be ill-prepared to respond effectively to the next intrusion or data breach, risking exposure of their PHI and other sensitive data. With the support of the board, the CEO engaged us to help.

How We Helped

Working with the CEO and COO, we executed on the following:

  • Risk Reduction: non-ransomware intrusion detection and response time improved from days to hours

  • Cost Savings: 10% savings on IT and Cyber operational expenses

  • Service Quality: from no quality measurements or focus to an intentional NPS target of 40+

  • Completed a risk evaluation of critical business functions

  • Performed assessment and analysis of current information technology assets and security capabilities

  • Provided short and long term risk mitigation strategy recommendations

  • Executed and implemented strategy recommendations

Re-evaluating Cyber Risk Posture

Healthcare organizations seek to focus on patient care and service delivery quality, and Information Technology (IT) and cyber security are a critical part of that equation. Our client is a healthcare organization that prioritized cyber security as part of their operations. They had implemented what they believed were sufficient cyber risk controls and a strategy that included prevention, detection and response capabilities.

They experienced a close call when a cyber intrusion into their systems disrupted their operations and caused all available personnel to activate containment procedures. Fortunately, the intrusion didn’t compromise patient health records. After the incident, the organization decided to re-evaluate their cyber security to answer some key questions: Why didn’t we detect the intrusion proactively? How do we know if we have the right solutions and strategy in place? Where are our significant risk areas? What should our future cyber security strategy look like given our growth trajectory? How will our cloud migration and adoption change our risk profile?

The organization decided to seek answers to these questions and potentially re-evaluate their cyber security strategy, and we were engaged to help.

Role of the CEO

The CEO played a pivotal role during this engagement, especially at the beginning, by:

  • Prioritizing proactive engagement

  • Establishing/securing board support

  • Modeling cyber-priority behaviors and culture for the rest of the organization

  • Learning about cyber risks


How We Helped

Our engagement with this client was meaningful in three broad categories or dimensions:

Uncovering Unknown Cyber Risks

Defining and Developing a Cyber Risk Mitigation Strategy

Executing the Cyber Risk Strategy

Uncovering Unknown Cyber Risks - Before the client engaged us, they didn’t have clarity about their cyber risks and solutions. They really didn’t know what they didn’t know. They had outsourced their cyber security to an external service provider and had been told repeatedly that they had effective cyber security technology and controls. They also had seen some proof of this statement such as the deployment of EDR, firewalls and patch management reports. We completed a comprehensive assessment and analysis of the functional areas and their operations including interviews with their third-party service provider. To our surprise and the surprise of our client, we discovered that a critical cyber function (proactive security monitoring) was missing. In other words, if a threat actor compromised their systems and exfiltrated PHI or other sensitive data, the intrusion would go undetected until some external party (e.g. affected customers, FBI, etc.) notified our client. That was a significant problem, especially since their understanding was that they did have this capability already.

Defining and Developing a Cyber Risk Strategy - In addition to the security operations gap in proactive security monitoring, our priority findings included gaps in asset management, cloud adoption/migration, cyber governance, threat/vulnerability management, data protection, and cyber and user awareness training. We developed a strategy with specific recommendations to close these gaps in order of priority and in accordance with the organization's risk profile and business objectives. In essence, we helped them define what good cyber risk management looks like, how to get there, and how to stay there.

Executing the Cyber Risk Strategy - Upon completion of the risk strategy engagement, our client requested a follow-up engagement to execute the priority recommendations we had proposed. The CEO and COO wanted our assistance in executing critical elements of the strategy. These included significant items such as the sourcing, comparative evaluation and selection of a best-fit service provider for them. We also delivered additional cyber risk services such as cyber learning clinics, penetration testing, architecture reviews and contract reviews.

"We're very glad that you're here. We're getting way more value than we expected."
— CEO, Healthcare Organization

Lessons Learned

Trust but verify what your MSP tells you on a periodic basis

Understand the options available to you

Establish/determine what level of cyber insurance is required

Make it

Outcomes - Business Value Added

The business value we added for this client falls into three broad categories or dimensions:

Cost Savings - 10% monthly, positioned for future cloud-related savings

Service Quality - now measured with focus on NPS

Risk Reduction


Risk Reduction - It's difficult to accurately estimate the amount of risk reduced as a result of the strategy execution. However, we can provide conservative benchmarks based on industry standards and reports. For example, according to the Mandiant report, the median dwell time (i.e. the time attackers go undetected) for non-ransomware intrusions in the Americas is 12 days; for ransomware intrusions it is 5 days. Our client was able to reduce this time to less than 4 hours during our pilot testing.

More than 10 critical strategic and operational gaps in our client's cyber security posture were remediated, thus reducing the risk associated with these structural elements. These gaps included significant vulnerabilities that could have led to material intrusions or data breaches.

Human error drives most cyber incidents, as cited in the Harvard Business Review article:

https://hbr.org/2023/05/human-error-drives-most-cyber-incidents-could-ai-help

Approximately 88% of data breaches are caused by employee mistakes. We executed cyber learning clinics focused on employees to help reduce the risk associated with the human element of cyber.

A proof point for the effectiveness of our learning clinics is qualitative feedback from employees describing how they stopped potential cyber incidents within the organization, and also how they helped family members avoid falling victim to cyber attacks.

Qualitative feedback shows the user awareness training extending to their home life and families.

Vulnerabilities that would otherwise have gone undetected were identified and remediated.

Human element contribution to cyber risks; 80% and credentials;

Corrective actions that would have gone unmitigated

but we believe a conservative estimate is 50% given that proactive security monitoring, detection and response.

70% of intrusions are detected in one week or less

According to the Mandiant report, 55% of incidents are detected by external sources as opposed to internal ones, an indication of whether incident detection is reactive or proactive.

SIEM numbers; other contributions to user awareness; number of vulnerabilities; critical systems with default configurations and passwords; process for on-going risk management.

Service Quality - Going from no NPS measurements to being intentional about quality. The strategy focused on balancing security and risk management with user experience.
