How to build an effective cybersecurity strategy on a tight budget

Basic building blocks of a good information security plan can be found at lower costs than many might expect.

Beth Jones Sanborn, Managing Editor

Cybersecurity is a must. As daunting as it appears with hackers positioning to storm the gates of your network, and with healthcare being among the most attacked industries, it is essential that large hospitals and small physician practices alike place the appropriate guards at those gates to keep cybercriminals out -- and crucial patient and system information inside.

Consider: 12 percent of hospitals lack even basic IT security systems, according to a new state of the health IT industry report from HIMSS Analytics. And that's despite the finding that 29 percent of all breaches hit healthcare entities last year.

But there is good news. Some of the basic components to any cybersecurity strategy can be obtained without great expense, according to infosec experts we interviewed. Here's what they said about asset inventory, vulnerability assessment, patch management, network monitoring and user education.

Basic infosec building blocks go a long way

Cybersecurity expert and CEO of HSTpathways Tom Hui said the first action items for organizations looking to make their security stronger are to gather the facts: establish a baseline of what you are doing and what you are not. Then establish a list of issues and priorities.

"That's how you really start to get your arms around it. I think it would be a mistake to just run out and hire a consultant or vendor and do a security audit. You are starting from a place of not even knowing the right questions to ask," Hui said. "That is the least effective way to use money."

Kevin Johnson, CEO of cybersecurity and consulting firm SecureIdeas, added that when it comes to tools, asset discovery is first and foremost. You need to know what is on the network, because all infrastructure pieces, from the high end to a $30 router from Walmart, have the ability to tell you what devices are connected to the network. The trouble is, most small organizations don't look. You need to look.

Second, you need some type of vulnerability assessment. Luckily, free software is available for this, though you do need someone who is tech-savvy enough to run it.

Stephen Collins, senior information security consultant at CynergisTek, agreed that asset management for PCs, servers and data, vulnerability management, anti-virus software and log correlation are some of the bare-bones tools that can help healthcare providers improve security on a tight budget. There are commercially available tools at varying prices, as well as free open source options.

"The old adage, 'You cannot protect what you cannot identify' speaks to the importance of asset management. Without asset management, an organization cannot adequately map data flows, know where critical data is, hope to back up critical systems, and thus recover from a disaster. Asset protection using tools to know what and where to patch and protecting assets with anti-virus is fundamental. Lastly, logs should be monitored for suspicious activity," he said.

Patch management and network monitoring

Johnson stressed that applying patches and making sure systems are up-to-date is critical, and advised that this could be as simple as turning on patch management auto updates -- particularly when pricier patch management solutions are cost-prohibitive for smaller organizations.

Collins said some vulnerability management systems pull double duty and also provide insight into assets, but noted that you will have to combine the output from many different tools to build a complete inventory of assets, such as laptops, workstations, servers, mobile devices, etc. and the necessary information stored on them. So, each tool will help give a complete picture of the environment as you protect your assets.

"The takeaway is to leverage each tool in full to help the other objectives as much as possible," he said.
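The asset-discovery point Johnson makes (any router can list the devices attached to it) and Collins' point that a complete inventory comes from merging the output of several tools are illustrated by the following added example. It is not code from the article or from any of the firms quoted; the router ARP table, scanner CSV export and hand-kept asset register are all constructed sample data, and the field names are assumptions.

```python
"""Merge the output of several cheap sources (a router's ARP table, a
vulnerability scanner's CSV export, a hand-maintained register) into one
inventory, then flag devices that no record accounts for.
Added example with constructed data; nothing here comes from a real network."""
import csv
import io
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: what a small router's ARP/DHCP client table prints.
ROUTER_ARP_TABLE = """\
? (192.168.1.10) at aa:bb:cc:00:00:10 [ether] on br0
? (192.168.1.11) at aa:bb:cc:00:00:11 [ether] on br0
? (192.168.1.12) at aa:bb:cc:00:00:12 [ether] on br0
? (192.168.1.50) at aa:bb:cc:00:00:50 [ether] on br0
"""

# Constructed sample: rows exported from a vulnerability scanner.
SCANNER_CSV = """\
ip,hostname,os,open_findings
192.168.1.10,ws-frontdesk,Windows 10,3
192.168.1.11,ws-billing,Windows 10,0
192.168.1.12,srv-ehr,Ubuntu 20.04,7
"""

# Constructed sample: the asset register the practice keeps by hand (MAC -> owner).
KNOWN_ASSETS = {
    "aa:bb:cc:00:00:10": "Front desk workstation",
    "aa:bb:cc:00:00:11": "Billing workstation",
    "aa:bb:cc:00:00:12": "EHR server",
}

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})")


@dataclass
class Asset:
    ip: str
    mac: str = ""
    hostname: str = ""
    os: str = ""
    open_findings: int = 0
    owner: str = ""
    sources: List[str] = field(default_factory=list)  # which tools saw it


def parse_arp(text: str) -> Dict[str, Asset]:
    """One Asset per IP seen on the wire by the router."""
    assets: Dict[str, Asset] = {}
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            assets[m["ip"]] = Asset(ip=m["ip"], mac=m["mac"], sources=["arp"])
    return assets


def merge_scanner(assets: Dict[str, Asset], csv_text: str) -> Dict[str, Asset]:
    """Enrich (or create) entries with what the scanner learned about each host."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        a = assets.setdefault(row["ip"], Asset(ip=row["ip"]))
        a.hostname = row["hostname"]
        a.os = row["os"]
        a.open_findings = int(row["open_findings"])
        a.sources.append("scanner")
    return assets


def label_known(assets: Dict[str, Asset], register: Dict[str, str]) -> Dict[str, Asset]:
    """Attach the owner from the hand-kept register, keyed by MAC address."""
    for a in assets.values():
        a.owner = register.get(a.mac, "")
    return assets


def build_inventory() -> Dict[str, Asset]:
    assets = parse_arp(ROUTER_ARP_TABLE)
    merge_scanner(assets, SCANNER_CSV)
    label_known(assets, KNOWN_ASSETS)
    return assets


def unknown_devices(assets: Dict[str, Asset]) -> List[str]:
    """Devices on the wire that neither the register nor the scanner knows."""
    return sorted(a.ip for a in assets.values()
                  if not a.owner and "scanner" not in a.sources)


def hosts_needing_patches(assets: Dict[str, Asset], threshold: int = 1) -> List[str]:
    """Known hosts whose scanner findings say there is something to patch."""
    return sorted(a.ip for a in assets.values() if a.open_findings >= threshold)


if __name__ == "__main__":
    inv = build_inventory()
    print("unknown devices:", unknown_devices(inv))
    print("needs patching:", hosts_needing_patches(inv))
```

Each source contributes what it is good at: the router knows what is physically attached, the scanner knows operating system and exposure, and the register knows who is responsible. The device at 192.168.1.50 shows up only in the ARP table, which is exactly the "you need to look" case the article describes.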

Hui called patch management a very mixed bag. It involves a lot of configuration work, and among the challenges is that a patch can occasionally conflict with the software version you are running, in which case updating causes unintended consequences.

Also, there can be configurations that get reset and then automated patch updates stop occurring. This is something providers need to stay on top of to prevent hiccups in operations.

Network monitoring is a given and should include intrusion detection and tracking of failed logins, which can be evaluated by applying intelligence and benchmarks to discern unusual behavior.
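One concrete form of the "benchmarks to discern unusual behavior" idea is to compare today's failed-login counts against a baseline built from previous days. The following is an added example, not code from the article or any of the people quoted: it parses constructed log lines in the OpenSSH auth.log format, derives a per-source threshold from a constructed history of daily failure counts, and flags a source that either exceeds that threshold or is trying several different accounts.

```python
"""Flag sources whose failed logins exceed a baseline or that try many accounts.
Added example; the log lines and the history are constructed sample data."""
import re
from collections import Counter, defaultdict
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample auth.log excerpt (OpenSSH format).
SAMPLE_LOG = """\
Mar  3 08:01:12 ehr-srv sshd[2101]: Failed password for jdoe from 10.0.0.21 port 50222 ssh2
Mar  3 08:01:18 ehr-srv sshd[2101]: Failed password for jdoe from 10.0.0.21 port 50222 ssh2
Mar  3 08:01:25 ehr-srv sshd[2101]: Accepted password for jdoe from 10.0.0.21 port 50222 ssh2
Mar  3 08:02:02 ehr-srv sshd[2110]: Failed password for invalid user admin from 203.0.113.9 port 40001 ssh2
Mar  3 08:02:03 ehr-srv sshd[2111]: Failed password for root from 203.0.113.9 port 40002 ssh2
Mar  3 08:02:04 ehr-srv sshd[2112]: Failed password for invalid user admin from 203.0.113.9 port 40003 ssh2
Mar  3 08:02:05 ehr-srv sshd[2113]: Failed password for invalid user backup from 203.0.113.9 port 40004 ssh2
Mar  3 08:02:06 ehr-srv sshd[2114]: Failed password for invalid user nurse1 from 203.0.113.9 port 40005 ssh2
Mar  3 08:02:07 ehr-srv sshd[2115]: Failed password for root from 203.0.113.9 port 40006 ssh2
Mar  3 08:15:40 ehr-srv sshd[2140]: Failed password for asmith from 10.0.0.33 port 51010 ssh2
Mar  3 08:15:47 ehr-srv sshd[2140]: Accepted password for asmith from 10.0.0.33 port 51010 ssh2
"""

# Constructed history: failed-login counts per source on each of the previous seven days.
HISTORY: Dict[str, List[int]] = {
    "10.0.0.21": [1, 2, 1, 0, 2, 1, 1],
    "10.0.0.33": [0, 1, 0, 0, 1, 0, 0],
}

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: Failed password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>[\d.]+)"
)


def parse_failures(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, user, source) for every failed-password line."""
    events = []
    for line in text.splitlines():
        m = FAILED.match(line)
        if m:
            events.append((m["ts"], m["user"], m["src"]))
    return events


def baseline_threshold(history: List[int], sigmas: float = 3.0, floor: int = 5) -> float:
    """mean + sigmas * stdev of earlier days, but never below an absolute floor.
    Sources with no history (never seen before) get the floor."""
    if len(history) < 2:
        return float(floor)
    return max(float(floor), mean(history) + sigmas * pstdev(history))


def find_anomalies(events, history_by_src, min_users_for_spray: int = 3):
    """Two rules: more failures than the source's baseline allows, or one
    source cycling through several distinct account names."""
    per_src = Counter(src for _, _, src in events)
    users_per_src = defaultdict(set)
    for _, user, src in events:
        users_per_src[src].add(user)

    findings = []
    for src, n in per_src.items():
        if n > baseline_threshold(history_by_src.get(src, [])):
            findings.append(("excessive_failures", src, n))
        if len(users_per_src[src]) >= min_users_for_spray:
            findings.append(("multiple_accounts", src, len(users_per_src[src])))
    return sorted(findings)


def analyze() -> list:
    return find_anomalies(parse_failures(SAMPLE_LOG), HISTORY)


if __name__ == "__main__":
    for rule, src, count in analyze():
        print(f"{rule}: {src} ({count})")
```

The two internal workstations each produce a failed attempt or two before a successful login, which is within their baseline and generates nothing. The external address has no history, so it gets the floor of five, and exceeds it while cycling through four account names; the second rule is what catches a low-and-slow attempt that stays under the count threshold.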

Cyber cost benefit analysis

When Hui speaks with CEOs and administrators who feel the budget crunch, he tries to make sure they understand that these are choices they are making and that cybersecurity, like anything else, is a cost-benefit analysis. For most healthcare providers, when they are thinking about whether to buy another microscope or other equipment, it's pretty easy to think about that in terms of cost-benefit. There's a price to acquire it, and then they can calculate utilization, project what kind of revenues they'll get from it and make a decision.

Cybersecurity is more complex and subtle, though, because when you invest in cybersecurity you don't actually create measurable revenue. The absence of negative events is the benefit, but that's a really difficult concept for people to swallow.

"I try to get CEOs to think, 'If you go through a year and you have no successful hacks, then you look at the amount of money you spent and that's your benefit.' It's a passive benefit."

Collins also weighed in, calling training and awareness paramount. He stressed that breaches are often avoidable, especially when you consider the number one attack vector is employees via phishing.

Don't forget partners and vendors

You should also conduct an inventory of your vendors, include them in your cybersecurity conversation and plans, and if you have doubts about their commitment or expertise, then you need to more thoroughly vet them or talk to them.

"They are in your hospital accessing your network. It ties right back to knowing who and what is on your network. It's just a matter of having that conversation."

Hui cited external communication as an area ripe for potential vulnerability. Most people don't realize that faxes are not encrypted and can be prone to human error. As an example, he recalled an incident years ago where a medical facility faxed medical records to a wrong number.

Luckily, in that case, the recipient was also a medical provider and called to notify the sender of the mistake, which could have spelled a HIPAA disaster.

Education: the cornerstone to a necessary security culture

Although it's been said before, education is so critical to cybersecurity that no plan is complete without it.

"If you are not educating your staff I don't care how well you do anything else," Johnson said. "Everyone needs to care about security and how to accomplish it in their own part of the workplace. All staff have a role to play, and ignoring that almost ensures a breach."

Hui strongly echoed that sentiment and so did Collins. Hui said in almost all organizations, staff education is lacking and leaders need to step up their game when it comes to integrating it into the culture.

Human error is still the greatest liability, and a purely technical hack is the exception, not the rule. Usually it's a matter of exploiting weaknesses or inconsistency in user behavior. Phishing is one of the most common methods, and criminals need just one successful event to get into a system and wreak havoc.

That's exactly where education comes in, and it should not just be a one-time session. Recurring education must be a regular part of the workplace.

Johnson said that with cybersecurity education, it's sometimes best to start the conversation on a more personal level. Talk to staff about why security is important to them personally. If you teach people how to protect themselves at home, they will pay more attention, and that behavioral change will translate to their organization. Having a serious dialogue also clues other staff into the reality that the issue is something leadership really cares about, and so should they.

Security as SOP

In the end, although there is no silver bullet or single tool that addresses everything, basic blocking and tackling of asset inventory, vulnerability assessment, patch management, network monitoring and user education can accomplish a lot.

"The key is to commit to information security early on, use tools that provide solid information and protection and develop a culture of being secure," Collins said. "As your organization grows, your toolset may change, but if you make security a standard operating procedure, really incorporate security into your IT operations, the payback will be enormous."

Twitter: @BethJSanborn