Despite the availability of established security frameworks such as the NIST Cybersecurity Framework and others, healthcare organizations still struggle to implement them effectively, often not fully understanding the requirements or failing to integrate them into their overall cybersecurity strategy, said Keith Forrester of security firm Optiv.
“It’s all about risk management. You’ve got to be able to assess your environment and determine the risks that are out there, and then develop goals and best practices based on your business,” he said.
Yet many healthcare sector organizations still lag in doing that thoroughly and enterprisewide, he said, despite years of recommendations by regulators and cybersecurity experts to make risk management a top priority.
“Organizations often have all the tools and all the processes there, but they are lacking at times in fully implementing the tools correctly and properly,” he said.
For example, “oftentimes we are seeing that breaches are occurring, and organizations are doing analysis of the breach and discovering that it came in through weak credentials,” he said. “They’ll say, ‘we had two-factor authentication,’ but often it’s not implemented correctly or not across the organization, only in certain areas.”
“We’re not seeing that they are really adopting or addressing best practices and frameworks that should be put in place.”
In this audio interview with Information Security Media Group, Forrester also discusses:
- Tips for improving security risk management in healthcare settings;
- The significance of the Department of Health and Human Services’ recently issued voluntary “essential” and “enhanced” cybersecurity performance goals for the healthcare sector (see: HHS Details New Cyber Performance Goals for Health Sector);
- Common weaknesses in vulnerability patch management that can get entities into trouble.
Forrester is a practice manager at Optiv working with global Fortune 500 clients. He has more than 30 years of experience managing information security governance, risk and compliance programs and projects. He also previously served as information security officer for a multi-national healthcare outsourcing service provider supporting eight healthcare hospital systems with a user population in excess of 28,000 desktops.