Topics
More on Strategic Planning

CFOs guide to building a cybersecurity dashboard

Password strength, multiple tabs and SOC audits are some of the means by which healthcare providers can protect sensitive patient data.

Jeff Lagasse, Associate Editor

Cybersecurity dashboards are an integral component of any successful health system, helping to stop breaches before they happen and squash threats that manage to slip past their safeguards. It's about protecting patient information, as well as the systems' own brands and reputations.

The components of a successful dashboard are largely dependent on the needs of an organization, but there are a few characteristics common to the most effective approaches. Multiple dashboards are usually required. Customizability and adaptability are essential. And the health of endpoint passwords within the system are crucially important.

Crucially important.

CYBERSECURITY DASHBOARD MUST-HAVES

Darren Guccione, CEO and cofounder of Keeper Security, said that from an operating perspective, the key things to focus on are protection, prevention and remediation. If a healthcare organization can shore up its prevention efforts, it's 90 percent there.

To that end, it behooves a provider to perform a security audit covering password strength, and the reuse of passwords across the organization. It's a simple step, but most company haven't done it.

Largely that's because they don't have the software on hand to do it. A lot of times, though, they simply don't realize that many breaches are due to weak password security.

Security strength and password use throughout an organization would cover every single endpoint within the company -- every computer, MRI machine, mobile device and electronic health record. Every device across the full population of employees has to be measured.

"In a hospital, you have two things you have to make sure are completely controlled: passwords and patient data, any kind of personally identifiable information," said Guccione. "Those are the things they have to protect."

It seems simple, but ensuring good password practices is the first line of defense against potential hackers. The passwords should be encrypted, contain letters and symbols, be a minimum 8 characters in length, and be available on every system at the hospital.

And that can be difficult. Not everyone practices what Guccione calls "good password hygiene."

"If you analyze the populace, according to our studies, more than 60 percent of everybody who uses passwords reuses those passwords across multiple websites," said Guccione. That means if one account gets compromised, they all get compromised.

Last year, Keeper Security ran an analysis of the top passwords that were breached -- a list of about 10 million passwords. The top 25 most commonly used passwords represented 50 percent of those 10 million. "12345" was a popular one. So was "password," "admin," and "google."

"Hackers know this," said Guccione. "Hackers always dictionary the top passes, so they're always going to use those first because they're very common. That's what happened in the Equifax breach. The username was 'admin' and the password was 'admin.' Since most organizations such as hospitals use relational databases, a hacker can proliferate multiple databases. That's what happened at Target."

One of the main reasons for low password health in an organization is a simple lack of education, he said. People won't shore up their password strength if they don't realize how important it is.

A hospital or health system with a strong set of cybersecurity dashboards can diagnose and fix the problem with relative ease. Emphasis on dashboards, plural. Because to have adequate protection and remediation in place, you're probably going to need more than one.

According to James Dawson, vice president of IT at GlobalMed, one dashboard might give a health organization 60 percent of what it needs. But the remaining 40 percent can't be ignored. Some secondary dashboards may fill that 40 percent gap incrementally -- 10 percent here, 15 percent there -- but there likely won't be one piece of software that accomplishes everything.

ACCOUNTABILITY

A good set of dashboards engenders transparency throughout an organization.

"If I do get some kind of breach, the dashboard allows me to say, 'Yes, there was an incident, but here's the state of my operation. Things were compliant, things were correct,'" said Dawson. "Dashboards give me a sense of security through transparency."

Ultimately, the organization will hold the IT  staff accountable, he said.

"When I get into work at 8 a.m. Arizona time, England is eight hours ahead of me. What are they saying about the updates that just got released? Did they cause any disruptions in their own environments?

"I know what normal looks like, and that's so critical," he said. "You have to know what normal looks like."

Marty Puranik, CEO and founder of Atlantic.net, emphasized the need for dashboards to be customizable and adaptable.

"You need to have some level of customizability," said Puranik. "You really want the dashboard to show you what's important to the person who's running that project. Is it checking all the boxes? A good example might be if somebody on the development team replaced a server that was down. The dashboard management might see would say, 'We've added this news server -- has it been hardened, and does it meet the requirements we have on all of our other servers?'"

KEY PERFORMANCE INDICATORS

For Puranik, it's necessary to monitor the database deeply, not just in a surface-level fashion. IT professionals need a heads-up before a problem occurs.

"I like it when you can look beyond what the basics are, the lower-level indicators or buffers, because if you can detect a heart attack before it happens, rather than sending the ambulance after it's happened, you're in a much better position," he said.

Puranik said he doesn't see a lot of people doing that today. They have failover systems so there's some level of redundancy, so looking beyond the basics may not be as important to them. That may be OK today, said Puranik, but as applications get more advanced and sophisticated, digging deeper will be a bigger deal, particularly as the internet of things advances.

"The nature of this industry is changing all the time, so having somebody who's keeping you a step ahead and saying, 'This is what's changed, this is how it affects you,' it has a lot of value, especially when the customer has so much else to deal with."

Having those multiple dashboards can be especially helpful in this regard, and Dawson said that while the prospect of juggling more than one of them can seem intimidating from the outside, it's a rather simple matter for an IT professional. 

In fact, he prefers it. Dawson uses four different dashboards day-to-day, and has others he checks less frequently -- weekly instead of daily. An example of the latter is a threat exchange to which he subscribes, in which he receives email alerts concerning emerging threats.

"It greatly simplifies things," said Dawson. "It can be a collection of bookmarked tabs, and there's all the dashboard information right there across the tabs, so it's not too difficult to consume. It doesn't complicate anything necessarily, and in fact it may be an avenue of success for some organizations."

Guccione favors a setup that allows for password visibility, but also stresses the importance of visibility over the endpoints; endpoint KPIs are a must. A CCO should have a dashboard that instantly tells her if there's been a breach at one of those terminals. Endpoint protection software is required for this goal.

And for those times when a hacker manages to slip one past the goalie, remediation software is an invaluable tool in any arsenal.

"In more than half of all breaches, most hospitals don't even realize that hackers are inside their networks for months," said Guccione. "Sometimes it's not detected for a long time, so if you're a hospital system or CIO and there are some bad people in your network stealing information from under your nose, then you need remediation software."

The good news is that remediation software is relatively simple and inexpensive to implement. It's analogous to malware remediation software that someone can install on their computer, said Guccione.

When all of the endpoints are successfully connected to the system, the IT department can then tabulate a security score. From there, the hospital has instant visibility into who has strong passwords, who needs to make changes, what they logged into and where.

"You can get very granular with these types of systems," said Guccione. "You use a couple of different dashboards sometimes, not just one, and that's OK. You just have multiple tabs open. It's not a big deal."

OTHER CONSIDERATIONS

The technical details matter, but no degree of technical proficiency will make much of a difference if a hospital or health system's IT arm isn't adequately funded. Quite simply, money is needed to lock down a skilled staff, solid software and vendor partnerships when necessary.

It's something Dawson has dealt with in his experience as an IT professional. The departments are oftentimes underfunded and understaffed -- sometimes reflecting the overall financial situation of a hospital or health system -- and even then, management has a tendency to gripe about their IT spend.

"My experience as an IT professional over 22 years (is that) I probably won't have access to those turnkey tools as much as I'd like to have access to them." said Dawson. "Others are probably in a similar boat. We're left to our tools and we have to be careful with our spend."

Yet the finding situation shouldn't be an excuse for lax cybersecurity, he said. Transparency is key here, as is the ability to demonstrate that the department has been as "best-practice" as it can be.

Puranik also bemoaned the lack of IT funding at many major hospitals and health systems.

"When you look at IT staff, their budgets haven't really gone up a whole lot," he said. "But the threats they have to manage keep going up. A few years ago, ransomware didn't exist, but now it's a big concern for everybody. You don't want that getting onto an MRI machine, or something that can keep people from dying. You really have to stretch your dollars."

For those willing to make the investment in cybersecurity, there's a significant return -- sometimes involving the very survival of the organization.

According to Guccione, about 60 percent of all organizations with fewer than 500 employees go out of business in about six months following a cyber breach; they simply can't recover from it. For organizations with a few thousand employees, the average loss due to a breach is about $7 million, and that doesn't include the loss of brand reputation, not to mention ancillary costs such as any lawsuits that may emerge.

It isn't just management that has a responsibility to fund cybersecurity efforts, though. IT departments, said Dawson, have a responsibility to speak to executives and customer service departments in a way that's not intimidating to them.

"IT is a black box to a lot of people," said Dawson, "and this sheds light on it. That's a good feeling as a professional. It does nothing but instill confidence in the department and facilitates a lot of goodwill between departments, and it helps IT get in at the table."

HOW TO TELL IF THE DASHBOARDS ARE WORKING

The best way to gauge if cybersecurity dashboards are working, said Guccione, is to simply run tests. Lots of them, and often.

One effective test to run determines an organization's susceptibility to phishing, whereby hackers send emails designed to get people to click on malicious links. A lot of people fall for it, said Guccione, so the importance of testing for it can't be understated. Education can function as a preventative measure, since the URL of the link is typically a dead giveaway as to whether the site belongs to a hacker.

"If you're an organization that has a fiduciary responsibility to protect patient information, the stakes are elevated," said Guccione.

Another effective measure is to perform a SOC audit. Standing for System and Organization Controls, SOC audits cover the protocols of an organization and how it protects information and patient data. 

The audit can examine whether dictations collected from medical practitioners are written down or digitized, whether they're encrypted, and how they're shared with other practitioners throughout the organization. 

There are so many prongs, and so may areas an organization is forced to think about when they undergo a SOC audit that it can change the structure of how one treats and transacts data within the company. They're not cheap by any means, but they're certainly less expensive than a breach can be, and they make the company more self-aware about safeguarding its digital assets.

"People have a tendency of looking at cybersecurity software like they're looking at a life insurance policy," said Guccione. "Some people don't worry about it because they think they won't be breached, but when the tornado hits, it's too late. Equifax is an example -- they had the payload of all payloads when it came to (personally identifiable information), and you would have thought they had amazing cybersecurity. And look what happened.

"This is all about psychology," he said. "The person that says, 'This is super important, we're going to be proactive, and we're going to do it because we can't afford to have a data breach' -- they're going to be OK."

Puranik offered a simple way to tell if the cybersecurity software is doing what it should.

"Typically it updates pretty frequently," he said. "That would be really the only thing -- if it's updating, it should be working."

CHECKLIST

To summarize some of the above advice, here's a quick checklist of some things to keep in mind:

  • Password security is a must. Make sure all of the endpoints in the system are protected by strong passwords that avoid the usual cliches -- "password," "username," "12345," etc.
  • Speaking of endpoints, make sure your dashboards give you visibility over all of them. If there's a breach at one of those terminals, you and your team should know instantly.
  • Invest in remediation software. An ounce of prevention is worth a pound of cure, but safeguards aren't perfect, so have a cure ready.
  • It will likely take multiple dashboards to get the coverage you need. Don't worry about it -- it's usually just a matter of having a few different tabs open.
  • Run tests often. Make sure your employees aren't susceptible to phishing emails, and consider annual SOC audits.
  • Dashboards should be customizable. They should display what's important to the person running the project.
  • Have failover systems. Redundancy will only get more important as IoT advances.
  • Dashboards should allow for transparency between management and the IT team.

Focus on Cybersecurity

In October, we take a deep dive into security strategy and pressing threats.

Twitter: @JELagasse
Email the writer: jeff.lagasse@himssmedia.com

Show All Comments