By Jothi Dugar, CISO, National Institutes of Health, Center for Information Technology (CIT)
Often, in a healthcare setting, band-aid fixes are used for patients giving them a false sense of security in their overall health. For example, when a patient comes with a headache, a prescription for a medication is prescribed without first conducting a deep-down analysis of why the patient is getting recurring headaches. The effects of the “solution” are often worse than the original symptoms, which then prompts additional antidotes. At some point, reducing the superficial symptoms without fixing the root cause just makes the issue even worse.
This type of scenario is prevalent in the Cybersecurity field as well. An organization feels certain initial symptoms such as unresolved vulnerabilities on systems, poor cyber practices of people within their organization, and often look for quick and easy solutions such as tools and technologies to mitigate their issues, without stepping back to conduct a deep-down analysis on what these symptoms truly reveal.
Thankfully, there is a common strategy that any industry can use to get to the crux of the issue. We need to use a holistic and integrative approach to do a root cause analysis on what are the factors that are leading to the symptoms, then determine the best approach using a holistic view of what is needed and an integration of a variety of aspects to form a well-designed solution.
Cybersecurity reviews and analysis must be built into the system lifecycle starting from the acquisition stage, through implementation and operation, and at the disposition stage.
Let us break this into smaller parts, specifically for a healthcare organization that is concerned about Cyber Safety. Using the mind-body-energy connection that is well known in the healthcare field, let’s consider the mindset of an organization, it’s leaders, and it’s staff for the “mind” aspect. How are Cyber Safety and security regarded in the organization? Is it thought of as a barrier to the mission or an enabler of the mission? Do all the roles, stakeholders, users, and leaders look only to the CISO or their teams to solve their Cyber gaps, or do they feel that everyone has a role in Cyber?
Let’s consider tools and technologies as the “body” aspect. Are each of the tools an organization deploys truly analyzed for all of the capabilities the tool offers? How much of the tool functionalities are actually being used? How many tools does the organization have that all seem to do similar things and how effective are those? Are the results of the tools measure across a standard baseline for effectiveness or efficiency?
Now, for the largest and most important aspect of this connection, let’s take a look at the “energy” or culture of the organization. The energy of the organization is the culture that always starts with its leadership. Is diversity and inclusion factored into the organization to include their Cyber teams? How is the social and emotional maturity of the organization and its people? Are staff provided with training or opportunities to learn emotional intelligence or interpersonal communication skills? Is there freedom to innovate and bring in creativity in the workplace? Last but not least, are staff empowered to do the right thing even when no one is watching?
All of these aspects make up a robust and comprehensive Cyber Safety program in any organization: empowering people with the right skills, knowledge, support, and opportunities and embed Cyber into everyone’s roles; looking at technical solutions using a holistic view to truly provide effective and impactful solutions (instead of band-aid solutions); and take a community approach to Cyber within an organization and between organizations so that everyone understands their role in protecting and safeguarding the mission.
There are many ways to ensure that Cyber is factored into every aspect of an organization. We must include security in every step of a system’s lifecycle. Systems include anything that is purchased that is considered “IT,” such as computerized systems, medical instruments/devices, applications, networks, servers, and workstations. Cybersecurity reviews and analysis must be built into the procedures starting from the acquisition stage, through implementation and operation, and at the disposition stage. This method will ensure that security concerns and risks are captured and mitigated from the beginning through the end and avoid sudden surprises and reactive measures.
Another aspect of ensuring Cyber is embedded into everyone’s roles is to ensure that each role within an organization is properly trained on how to do their jobs in a secure manner and provided opportunities to learn on the job, and also have opportunities for commercial training.
A key factor, especially in healthcare organizations or even research, scientific, or clinical organizations in terms of Cyber Safety, is to understand both the impact of a safe cyber environment and the risks of not incorporating effective cyber safe practices. There needs to be a change in the conversation from thinking of cyber as patient safety risk to one that there is a direct connection from Cyber Safety and Patient Safety, and one cannot exist without the other.
Lastly, as technology progresses, getting more complicated by the day, we must take a moment to pause at the moment and step back to look at things from a holistic viewpoint. People are too often running towards the next newest “thing” or the next “shiny” tool or technology that everyone else is using, assuming that it will be a magic bullet or cure to all the concerns. It will be in our best interest as healthcare organizations, to take a step back and look at the big picture, and dig deep to find the root causes of our concerns to effect positive changes in Cyber throughout our organizations.
Disclaimer: The thoughts, expressions, and opinions expressed in this article are solely those of Jothi’s personal views, and do not represent those of the NIH, HHS, or any other Federal organization.