IT Support and Hardware for Clinics
35.9K views | +7 today
Follow
IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
Your new post is loading...
Your new post is loading...
Scoop.it!

8 Questions Your Board Will Ask About Your Cybersecurity Program

8 Questions Your Board Will Ask About Your Cybersecurity Program | IT Support and Hardware for Clinics | Scoop.it

Cybersecurity coverage is a critical concern for every modern business. Whether you're a growing company or an established multinational business, your IT infrastructure needs to be secured against a growing range of threats. 

 

An effective cybersecurity program needs to be both robust and capable of change. All possible threats and risk tolerance levels must be clearly defined and managed from the outset. Active participation by all stakeholders is required to ensure the best possible outcomes. 

 

From setting the direction of the program to making operational decisions and providing oversight, the board of directors and all C-suite executives need to understand, engage with, and take ownership of the program.

 

Let's look at eight big questions you need to answer to give your board full confidence in your cybersecurity coverage.

1) What attributes define a complete cybersecurity strategy?

A comprehensive cybersecurity program needs to protect relevant corporate information and systems, both now and in the future. Cybersecurity is all about managing cyber risk.  To properly manage cyber risk, it is critical to have a basic understanding of the key components of a comprehensive and mature cybersecurity program.  By comprehensive and mature we mean broad and deep.  Broad – including all of the key components, and deep – ensuring that each key component is addressed to the degree that mitigates the cyber risk to the level that is acceptable to the Board and C-Suite.

 

Before you can protect the data that defines your organization, it's important to evaluate your current systems based on their structural integrity and ability to adapt. 

  • Maturity and consistency - Maturity is based on consistency over an extended period. This doesn't happen by accident, with effective security solutions adapted carefully to meet the specific needs of an organization. Your security architecture needs to be defined, your documentation needs to be thorough, and your working practices need to align with your security goals.
  • Flexibility and agility - Modern computer systems are changing all the time, and effective security solutions need to adapt to the wider world. Agility and flexibility are critical as security breaches often take place immediately after an update. If maturity is defined by the structural integrity of your security framework, then agility is defined as your ability to respond effectively at any given moment.

2) Have we got adequate review and training initiatives?

Effective cybersecurity solutions demand continual reviews, updates, and training initiatives. Whether it's buying new computers, updating network protocols, or training staff, security risk assessment is an ongoing process that helps to identify risk and ensure compliance at every turn.

 

Your cybersecurity program needs to be reviewed periodically by an independent and objective third party to ensure the relevance of hardware tools, systems and services, and human beings. Updates are not enough in isolation, with alignment between hardware and software, and software and staff also needed. 

 

Security risk assessments, ongoing testing, and awareness training are all required to mitigate risk and ensure safety. Employee training initiatives have a particularly vital role to play, with security breaches often the result of poorly trained staff or incomplete training methods that fail to align with technology updates. 

3) How do we ensure compliance?

Compliance is a critical element of IT security. Regulations put in place across industry sectors help to define appropriate levels of risk and protect information. Whether it's the CSF framework defined by the NIST, the HITECH Act legislation for health providers, or the HIPAA legislation to promote data privacy and security, your organization needs to ensure compliance at every level.

Active participation by all stakeholders is an essential part of the compliance process as well. To meet your obligations, you need to be aware of them first. From there, you can put appropriate measures in place to ensure your security and operational coverage. 

Compliance is about more than ticking boxes. It is an effective strategy and an essential part of your wider security stance.

Below are a few of the most important compliance standards:

  • NIST and CSF - The National Institute of Standards and Technology (NIST) promotes a Cyber Security Framework (CSF) to help organizations better manage and reduce their cybersecurity risk. This framework is used to create consistent standards and guidelines across industry sectors. It is also used to augment specific industry regulations like HIPAA.
  • HITECH and HIPAA - While HITECH and HIPAA are separate laws, they often reinforce each other and both apply to the health industry. The HITECH Act was created in 2009 to support the secure adoption of electronic health records, with HIPAA adopted in 1996 to protect the security and privacy of patient health data.     

Learn more about common compliance regulations here.

4) How do we establish an acceptable risk tolerance level?

While protecting your organization demands diligence at every turn, a no-compromise attitude is rarely effective. Zero risk is impossible as a realistic protection objective, with each organization needing to decide how much loss they can tolerate before a threshold of damage is breached. 

Defining an appropriate level of acceptance or tolerance to risk is one of the most important discussions you can have. To quantify these risks, you must identify likely threats and their potential financial impacts. Security breaches can be significant because they influence both productivity losses and the cost of cleanup.

Before you can set up a robust and effective cybersecurity program, it's important to establish an acceptable risk tolerance level. What value are you trying to protect? And what price are you willing to pay to protect it properly? The NIST Risk Management Framework (RMF) is one important framework used to measure risk tolerance. 

5) Are we aware of our existing vulnerabilities?

Professional vulnerability assessment is needed to measure risk and allocate resources effectively. To align the potential impact of each security incident with an acceptable level of risk, it's important to carry out a professional vulnerability assessment. By breaking down your current security infrastructure, you can find existing vulnerabilities and create solutions that protect your organization.

6) What is our incident response plan?

Incident response and management is an important part of every cybersecurity strategy. While proactive measures are critical, it's just as important to have a response plan in place if something does go wrong. A comprehensive cyber incident management plan involves dedicated recovery measures for specific breaches. This multi-pronged reactive process must begin immediately following an intrusion and be able to adapt to changing circumstances.

7) Have we thought of third-party risk management and insurance?

Cybersecurity is an essential part of every vendor relationship, with malware and other forms of malicious code often hidden in supply chain entry points. A vendor may include a cloud service provider, an IT consultant, a data processor, or even an accounting firm.

Vendor policy management and insurance need to be built into every relationship you have, with effective management programs helping to mitigate risk, and insurance providing protection if something does go wrong. You need to understand risk and ensure best practice at every turn and strengthen vendor indemnities by ensuring that all key risk categories are addressed.

Along with mechanisms for vulnerability assessment and incident response, it's also important to consider the contractual language and documentation used to define the vendor relationship. When it comes to insurance, you need to be protected against internal and vendor-based threats. It's important to mandate your company as an additional insured on all third-party insurance policies.

8) What is the roadmap towards comprehensive  coverage?

Robust and effective cybersecurity demands resources and funding, with an ongoing review of your current security program a great place to start. There is a roadmap involved with achieving comprehensive  coverage, from the initial security assessment through to ongoing testing procedures, incident response plans, equipment updates, and employee training. 

While asking questions is a great place to start, proactive measures, professional solutions, and insurance are needed to ensure comprehensive  coverage in the months and years ahead. 

Effective security measures demand diligence and constant engagement. From your technology and software systems to the people who use them every day, safety and compliance demand your full attention.

Cybersecurity and compliance is a team initiative that demands engagement at every level. From the board and C-suite executives who make the decisions to the people who work with the technology, security is everyone's responsibility.

 

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.
Scoop.it!

Compromise on Info-Sharing Measure Grows

Compromise on Info-Sharing Measure Grows | IT Support and Hardware for Clinics | Scoop.it

A willingness to compromise expressed at a Feb. 25 House hearing on President Obama's cyberthreat information sharing initiative offered a sign of hope that long sought legislation to get businesses to share such data could pass Congress this year and be signed into law.

The tone of the discussion at the hearing was far different than in the past two congresses, when the White House threatened presidential vetoes of cyberthreat information sharing measures that passed the House of Representatives.


Congressional Republicans and the Democratic president and his supporters differed in the past over how an information sharing law should address liability protections and privacy safeguards. The White House maintained the liability protections in the Republican-sponsored legislation were too broad and that privacy safeguards were too weak. The GOP argued the liability provisions in their bills - which had some Democratic backers - were needed to get the private sector to participate in the voluntary information sharing program and that the privacy protections the White House sought would be too costly for some businesses to implement.

But those differences seem to have narrowed at the Feb. 25 House Homeland Security Committee, where an expression of willingness to seek compromise surfaced from both sides.

Bone of Contention

"It is, sometimes, a bone of contention between both sides of the aisle," House Homeland Security Committee Chairman Mike McCaul, R-Texas, said, referring to differing views on liability protection. But McCaul congratulated administration representatives at the hearing for presenting the president's plan and saw merit in its proposals. "I talked to the private sector; they like the liability protections that are presented here," he said, especially in regards to sharing data with the government.

Still, McCaul said some business leaders had reservations about the liability protection in Obama's plan for businesses that want to share cyberthreat information with other business.

The president's proposal would provide liability protection for businesses that share cyberthreat data with DHS's National Cybersecurity and Communications Integration Center, known as NCCIC. Under Obama's plan, those protections aren't extended to businesses that share information with each other directly but would be covered if the data is shared through newly formed information sharing and analysis organizations, or ISAOs. "What the legislation provides is that the private sector can share among themselves through these appropriate organizations and enjoy the same liability protections for providing that information to those organizations," said Undersecretary Suzanne Spaulding, who runs the National Protection and Programs Directorate, the DHS entity charged with collaborating with business on cybersecurity.

Working Out Legislative Language

McCaul responded that the liability protections to share information with NCCIC could serve as the "construct" to share data among businesses, suggesting specific legislative language could be worked out between Congress and the administration. "We can discuss that more as this legislation unfolds," he said.

Rep. Curt Clawson, a Florida Republican who led several multinational corporations before his election to Congress in 2014, said getting buy-in to share cyberthreat information with the U.S. government from companies with global operations and stakeholders could prove to be "a tough sale."

"My world is all about multiple stakeholders," Clawson said, addressing Spaulding. "We're trying to protect our customers, our suppliers, the communities that we live in, and what I've read so far of what you proposed just doesn't feel like a compelling case that I can take to my multinational board of directors. ... Any private-sector CEO would be negligent to go along on the basis of trust" without the U.S. government providing a detailed plan on what information is being sought and how it would be used.

Spaulding said the government will build that trust and agreed with Clawson that the "devil is in the details" of a final legislative plan. She said information to be shared would be minimal and technical, such as explicit cyberthreat indicators, IP address and specific types of malware. The undersecretary said the government would be transparent on the types of information it seeks and receives and develop policies and protocols to protect proprietary as well as personally identifiable information. "This isn't going to make every company open its doors," Spaulding said. "But it does address concerns that we've heard from the private sector, and there will be a fair amount of detail about precisely what we're talking about sharing here."

Though not totally persuaded, Clawson offered to work with DHS on the legislation, an offer Spaulding accepted.

Stripping PII from Shared Data

Another partisan difference is the Obama administration's insistence that companies strip personally identifiable information from data before it's shared, an act that some Republicans say puts a financial burden on businesses. Phyllis Schneck, DHS deputy undersecretary for cybersecurity, explained that under Obama's proposal, companies would need to make a "good-faith effort" to remove PII, conceding that it is a "policy puzzle" that needs to be solved by the private sector working with law enforcement and the intelligence community. "We're doing our best to get everybody to design that," Schneck said.

Regardless of how the final language of a cyberthreat sharing bill reads, such legislation is only one part of a solution to mitigate cyberspace risks. "Information sharing is no silver bullet," said Eric Fischer, senior specialist for science and technology at the Congressional Research Service. "It's an important tool for protecting systems and their contents. As long as organizations are not implementing even basic cyber hygiene, there are going to be some significant difficulties."

Fischer cited a Hewlett-Packard study that shows 45 percent of companies lack basic cyber hygiene. "There have been cases where companies had the information, but nevertheless did not pay sufficient attention to it," he said. "They had information that could have prevented an attack. If a company is not prepared to implement threat assessments that they receive, then that's going to be a problem."


more...
No comment yet.
Scoop.it!

Do the Cyber Risks of the IoT in Healthcare Outweigh the Benefits?

Do the Cyber Risks of the IoT in Healthcare Outweigh the Benefits? | IT Support and Hardware for Clinics | Scoop.it

The Internet of Things, or IoT, is a system of internet-connected objects that collect, analyze and monitor data over a wireless network. The IoT is used by organizations in dozens of industries, including healthcare. In fact, the IoT is revolutionizing the healthcare sector as devices today have the capability to gather, measure, evaluate and report patient healthcare data.  

 

Unfortunately, IoT connected devices also exponentially increase the amount of access points available to cyber criminals, potentially exposing sensitive and confidential patient information.  In order to take advantage of this valuable new technology, healthcare firms need to ensure that they are aware of the risks and address them ahead of implementation.

How are healthcare organizations using the IoT?

Businesses in the healthcare sector are taking advantage of the IoT to provide better care, streamline tracking and reporting, automate tasks, and often decrease costs. Here are a few examples of how healthcare organizations are using IoT:

  • Medicine dispensers are now integrated with systems that automatically update a patient’s healthcare provider when they skip a dose of medication.
  • Smart beds are equipped with sensors that indicate when it is occupied, alerting the nursing staff if the patient is trying to get up.
  • Caregivers are taking advantage of ingestion monitoring systems whereby swallowed pills transmit data to a device, tracking whether a patient is taking medication on schedule or not.
  • Smart inhalers can now track when asthma and Chronic Obstructive Pulmonary Disease (COPD) sufferers require their medicine. Some of these devices are even equipped with allergen detectors.

 

Connectivity of healthcare solutions through cloud computing gives providers the ability to make informed decisions and provide timely treatment. With the IoT connected technology, patient monitoring can be done in real-time, cutting down on doctor visit expenses and home care requirements.

 

However, as healthcare organizations begin to integrate IoT technology into devices more frequently, cybersecurity risks increase significantly.

Cyber risks of healthcare IoT tech

Cyber risks have become sophisticated and there has been an enormous increase in the quantity and severity of attacks against healthcare providers. In fact, since 2009 the number of healthcare industry data breaches has increased every year, progressing from only 18 in that year to 365 incidences in 2018.  Significant financial costs to a healthcare organization are a consequence of these breaches due to fines, settlements, ransoms, and of course the costs to repair the breach itself.  

 

Businesses are becoming progressively vulnerable to cybersecurity threats due to rapid advancement and increasing dependence on technology. Unsecured IoT devices pose a higher risk by providing an easily accessible gateway for attackers looking to get inside a system and deploy ransomware. Everything from fitness bands to pacemaker devices can be connected to the internet, making them vulnerable to hacking. Most of the information transmitted isn't sufficiently secured, which presents cybercriminals with an opportunity to obtain valuable data.

Managing IoT cybersecurity risks

No organization, including healthcare firms, can block all attackers. However, there are ways in which they can prepare themselves. Use these tips to help protect your healthcare organization from IoT-related cybersecurity risks:

  • Encrypt data to prevent unauthorized access

  • Leverage multi-factor authentication

  • Execute ongoing scanning and testing of web applications and devices

  • Meet HIPAA compliance requirements

  • Ensure vendors meet HIPAA compliance requirements

  • Protect endpoints like laptops and tablets

  • Healthcare staff should be educated to look for signs of phishing emails like typos and grammatical errors

IoT device-specific protection tips:

  • Acquire unique logins and device names. Avoid using the default configurations
  • Ensure the latest version of the software is installed
  • Take an inventory of all apps and devices that documents where it resides, where it originated, when it moves, and its transmission capabilities

Smart devices connected through the IoT increase access points for cyberattacks, significantly increasing risk and organizations need to be prepared in advance to prevent damage from such threats.  The healthcare industry is one of the most sensitive and frequently targeted sectors as well as one of the most costly in which to address a breach. Therefore, it is prudent for organizations to include IoT devices in a thorough cybersecurity risk assessment and ensure that they take all the necessary precautions to minimize vulnerabilities from implementing these IoT devices.

Technical Dr. Inc.'s insight:
Contact Details :

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

more...
No comment yet.