A Q&A session with Trailhead CEO Steven Lauber discussing the recently published Cybersecurity Performance Goals by the Department of Health and Human Services (HHS)

You can read about the goals here: https://hphcyber.hhs.gov/performance-goals.html

Question:
How might healthcare organizations benefit from the cybersecurity performance goals recently introduced by the HHS, which aim to enhance their focus on fundamental security practices and ultimately improve security outcomes?

Steven Lauber: I applaud HHS for taking these steps to emphasize the critical need for healthcare organizations to protect themselves and the sensitive information they manage. Ideally, we would all be implementing best practice cybersecurity measures for our own good and the protection of the entities we serve. However, we are a long way from that idea being commonplace in the real world. Actions like this from HHS will help us toward that. Setting goals and measuring progress helps improve the chances for success with any initiative. This holds true for cybersecurity practices. Controls are layered on top of each other, and every next step an organization takes to protect itself will further help its overall cybersecurity posture.

We’re seeing this reality play out in other business sectors as well. Proper hygiene is encouraged and sometimes assumed in specific industries. However, when adoption of best practices is voluntary and unverified, they are often left undone. The reasons for this may be a lack of understanding or available resources, or the urgency to take recommended actions hasn’t been adequately proven.

Creating these performance goals is a step in the right direction. It emphasizes the reality that many organizations in the healthcare industry aren’t adequately protected. It provides specific and practical guidance for those that may need a hand getting started with their cybersecurity programs.

Question:
How do the HHS Cybersecurity Performance Goals address the concerns of smaller healthcare organizations with limited resources?

Steven Lauber: In my experience helping small business owners with their cybersecurity programs, I have found that many are unsure about how to implement protections, or how to even get started. Security frameworks like NIST-CSF or CIS are great standards to follow and strive to implement to ensure a holistic, best practices approach. But they do tend to be flexible and adaptive in their implementations. This is helpful to be able to use the same principles across many different industries and situations. But a business owner with little time to focus on cybersecurity, or lacking the necessary technical resources, may not know how to meet the recommended security requirements without a clear explanation.

I appreciate that these Cybersecurity Performance Goals are more prescriptive in nature. Some may push back when presented with specific requirements in general. But I believe offering more specific guidance can help those that don’t have the ability or resources to focus on the critical protections first. We need to be careful not to treat guidelines and recommendations like this from the HHS as a replacement for a complete and specific cybersecurity program that is tailored for a unique organization. However, if time or resources are lacking for a thorough analysis and a complete plan, these goals are a good place to start.

Question:
In light of the multitude of regulations affecting healthcare organizations, how do they ensure they are aligned and focused on their top priorities?

Steven Lauber: The first steps of implementing an effective cybersecurity program should be to assess the current state and prioritize risk. Based on that determination, an organization can name the most significant risks and the ones that are most likely to be exploited. With that knowledge, a strategic plan can be created that addresses those risks first. After those risks are mitigated, you can move on down the line to the next most impactful items.

Cybersecurity needs to be viewed as a risk management program. To effectively manage risk, we need to continually re-evaluate and re-prioritize our efforts. The landscape is constantly changing. External threats evolve and new ones emerge. Businesses change their focus and initiatives. These factors require that our risk analysis and priorities are continually adjusted. Course corrections will be required. A cybersecurity program can’t be viewed as a checklist, or a set-it-and-forget-it exercise. It requires frequent, consistent verification and reassessment. Are the controls that were implemented still working and doing what you expect? Are they still aligned with the business needs, priorities, and risks? It’s helpful to view this process as a circle. After the program gets going and is up and running, a review process finds corrections, adjustments, and improvements. As those changes are implemented, you circle back to the beginning of the process. Each time through, the program is refined and gets better. But it will never reach an endpoint. Cybersecurity is a journey, not a destination.

Question:
Will these performance goals from the HHS Cybersecurity initiative lead to enhanced patient outcomes and increased safeguarding of healthcare Personally Identifiable Information (PII)?

Steven Lauber: Unfortunately, when it comes to protecting themselves, many organizations refuse to act until they are required to. This often requires regulatory or legal pressure, or other forces that compel them to action. With so much evidence of catastrophe and disaster out there, I would like to think everyone would be more concerned with doing what is best to protect their own organizations, rather than doing the bare minimum to get by or to avoid punishment. The good news is, there are many business owners out there that put a priority on cybersecurity and realize it needs to permeate their culture. The number of organizations with this mindset is growing steadily.

While we have those that choose to just skirt by or treat these kinds of security practices as unnecessary, we will need these kinds of guidelines to become accepted standards. Without some sort of enforcement or negative consequences for inaction, widespread adoption of these performance goals seems unlikely.

I have met many healthcare providers (usually the smaller, resource-challenged ones) that are not convinced of the need to take things like HIPAA seriously. They choose to accept the risk of penalties or other consequences, because they don’t acknowledge how critical their protections are, not just for them, but for everyone that is affected by their lack of action.

No organization exists in an isolated bubble anymore. We are all dependent on other systems outside of our direct control to be able to deliver our services and meet our obligations. When an organization does not meet its responsibilities to reduce risk and prepare itself, it isn’t just failing itself. The negative impacts are experienced far beyond its doors. There are few industries where this is clearer than healthcare.

Until we come to a more universal acceptance that basic cybersecurity hygiene is an absolute, initiatives like these performance goals are a necessity. I look forward to the day when these best practices will be sought out and adopted without a legal or regulatory enforcement mechanism.