A tech CISO’s 11 tips for managing a successful cybersecurity program
This article is based on a recent podcast episode of Healthcare IT News, a HIMSS Media podcast. In “Creating a strong, cybersecure organization,” HIMSS Senior Director of Client Content Development Patty Enrado spoke with Hyland Chief Information Security Officer Dan Dennis about navigating the dynamic cybersecurity landscape in healthcare.
In this piece:
- 11 tips for leading a successful cybersecurity program
- How should we measure cybersecurity program success?
- Why do leading healthcare organizations choose Hyland?
Cybersecurity is a growing concern in healthcare. The volume of critical personal data grows daily, and all of this content is increasingly integrated in a digital-first world.
IT budgets, however, have not expanded along with the volume of personally identifiable data.
According to the 2020 HIMSS Healthcare Cybersecurity Survey, only 6% of healthcare budgets are typically allocated for information security. As a result, many healthcare organizations — and their patients — are vulnerable to exploitation by cybercriminals.
Worse still, the strategies of bad actors keep pace with the speed of defense innovation. Ransomware, supply chain attacks and other tactics are increasingly sophisticated and impactful.
The question to ask isn’t just, “How do we prevent an attack?” but rather, “How do we weather one?”
The answer: A robust, end-to-end cybersecurity program is essential both for mitigating the risk of an attack and for preparing to withstand one when it comes.
11 tips for leading a successful cybersecurity program
Over his 25 years of cybersecurity experience, Dan Dennis has learned a few things about managing successful security programs. He recently appeared on Healthcare IT News to discuss mitigating risk in a world of increasing cyberattacks, preparing for the unknowns and creating a culture of cybersecurity.
Here are 11 highlights from Dan’s discussion that can help any organization strengthen its security posture.
1. Learn from the past for success in the future.
Dan was a business major in college but always felt drawn toward technology. In the midst of Y2K, he became focused on the field of cybersecurity.
A pivotal relationship that kept him in the field of information security was working for Roland Cloutier, a prominent CSO who today works for TikTok.
“He really helped instill the approach and foundation of security at a very young age that I really carried through my entire career,” Dan says.
Dan went on to work for a number of SaaS and cloud providers, taking what he learned under Roland and applying it to each new company.
2. Get leadership support beyond invoice approval.
“Leadership support doesn’t mean having a leadership team that will approve endless spend,” Dan says. Instead, it’s about working as a service-oriented collective that is engaged at every stage of the project.
Leaders should take the time to listen to the risks of data breaches, ask questions about data security strategy and actively participate in discussions.
3. Lead with empathy.
The Great Resignation has shown us work-life balance is an important factor for keeping high-value talent. With so many jobs open around the world, it’s important to foster a culture of wellness that makes people happy, fulfilled and eager to give their best work.
Dan urges managers to take the time to be empathetic, show appreciation for staff work and do everything they can to support individual and collective success.
4. Focus on employee engagement.
Your team is only as strong as its least-engaged employee. “When [employees] take pride in their work, results usually speak for themselves,” says Dan.
This is especially critical in healthcare, where every decision impacts patient care. According to Medical GPS, high employee engagement drives down absenteeism, staff turnover and even mortality rates. That’s about as important as it gets.
5. Build a team of “security champions.”
Putting a focus on engagement also correlates with greater partnership and collaboration with other areas of the business.
Dan states that security engagement can often be contagious. What starts as a team of individuals becomes a cohort of what he calls “security champions” across the organization — “people that bring forward information through the form of partnership.”
6. Implement strong security awareness.
When it comes to keeping ahead of significant risks like ransomware and supply chain threats, the best method is being as proactive as possible. Dan recommends starting with educating your people, at all levels of the organization, about different kinds of security and compliance issues.
“If your technical controls are failing, you want to make sure that people know how to identify potential attacks, how to report attacks and what to do in the event of these types of attacks,” he says.
Phishing emails and other social engineering scams are prevalent in and out of the office and can affect all tiers of healthcare. Training initiatives like the CISA Cybersecurity Awareness Program can help keep security top of mind.
7. Utilize different levels of technical controls across the organization.
There is a range of cybersecurity measures to combat cyberattacks. A few Dan mentions are email filters, message authentication, antivirus software and malware protection, which can help block entry points.
Multifactor authentication is a must and should be implemented as often as possible. Additionally, “limiting administrative rights except where absolutely required helps reduce the risk of these infections taking place,” says Dan. And finally, robust network segmentation can help reduce the impact of an attack.
You can customize these tools into a cybersecurity program that is best suited for your organization and its security objectives.
8. Stay vigilant about monitoring your business processes.
It’s important to conduct regular vulnerability scanning to close any gaps in protection before they become an issue, Dan says.
Intrusion detection systems and security event monitoring should be coupled with incident response planning and testing. Dan also recommends having offline encrypted backups. Regularly testing these backups is important to ensure business continuity.
“That way, in the event of a particular ransomware attack, you’re able to react quickly and accordingly, and all the parties that need to be involved aren’t thinking this through for the first time,” he says.
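The backup advice above is only useful if the restore is actually exercised. As an added example (not from the podcast, Dan Dennis, or Hyland), the script below shows one way to make "regularly testing these backups" a repeatable check: it records a SHA-256 manifest of the source tree at backup time, then compares a test-restore directory against that manifest and flags missing, modified or unexpected files, and it checks that the newest backup is within an acceptable age. The manifest format, the function names, the sample files and the age thresholds are all assumptions constructed for this example; encryption of the archive and keeping a copy offline are left to whatever backup tool is in use, since this check runs on the restored plaintext files.

```python
"""Backup test-restore verification (added example, not the page's or Hyland's code).

Assumed workflow (not specified on the page): at backup time, build_manifest()
is run over the source tree and stored alongside the encrypted archive; at test
time the archive is decrypted and extracted to a scratch directory and
verify_restore() compares it with the manifest.  backup_is_fresh() catches the
other common failure, a backup job that silently stopped running.
"""
import hashlib
import shutil
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large backups do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path, created_at: Optional[float] = None) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    files = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            files[path.relative_to(root).as_posix()] = sha256_file(path)
    return {"created_at": created_at if created_at is not None else time.time(),
            "files": files}


def verify_restore(restored_root: Path, manifest: dict) -> dict:
    """Compare a test-restore directory with the manifest taken at backup time."""
    expected = manifest["files"]
    actual = build_manifest(restored_root)["files"]
    missing = sorted(set(expected) - set(actual))          # lost during backup/restore
    unexpected = sorted(set(actual) - set(expected))       # present but never backed up
    modified = sorted(p for p in set(expected) & set(actual) if expected[p] != actual[p])
    return {"missing": missing, "modified": modified, "unexpected": unexpected,
            "ok": not (missing or modified or unexpected)}


def backup_is_fresh(manifest: dict, max_age_seconds: float, now: Optional[float] = None) -> bool:
    """True if the backup was taken within max_age_seconds of now."""
    now = time.time() if now is None else now
    return (now - manifest["created_at"]) <= max_age_seconds


def demo() -> dict:
    """Constructed scenario: one faithful restore and one with a tampered and a missing file."""
    with tempfile.TemporaryDirectory() as tmp:
        source = Path(tmp, "source")
        (source / "records").mkdir(parents=True)
        (source / "records" / "patient_a.txt").write_text("constructed sample record A\n")
        (source / "records" / "patient_b.txt").write_text("constructed sample record B\n")
        (source / "config.json").write_text('{"constructed": true}\n')
        manifest = build_manifest(source, created_at=1_700_000_000.0)  # fixed timestamp

        clean = Path(tmp, "restore_clean")            # a restore that round-trips cleanly
        shutil.copytree(source, clean)
        clean_result = verify_restore(clean, manifest)

        bad = Path(tmp, "restore_bad")                # a restore with silent corruption
        shutil.copytree(source, bad)
        (bad / "records" / "patient_a.txt").write_text("tampered\n")
        (bad / "records" / "patient_b.txt").unlink()
        bad_result = verify_restore(bad, manifest)

        return {
            "clean": clean_result,
            "tampered": bad_result,
            "fresh_within_day": backup_is_fresh(manifest, 86400, now=1_700_000_000.0 + 3600),
            "fresh_within_week_after_month": backup_is_fresh(
                manifest, 7 * 86400, now=1_700_000_000.0 + 30 * 86400),
        }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

In a real schedule the manifest would be written next to each backup and the verification run automatically after every test restore, with any non-empty `missing` or `modified` list and any stale backup raised as an incident rather than left in a log, so the first time the team exercises the restore is not during a ransomware event.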
9. Augment internal operations with third-party reviews.
Dan notes that control reviews and indicators-of-compromise assessments give you an independent view of your infrastructure for potential risks that you may not see with your internal reviews.
This is especially useful for smaller organizations because they can complement their team with third-party resources and expertise to gain a fuller view of their security protocols without hiring more people.
10. Be transparent — in good times and bad.
A comprehensive view of the entire cybersecurity scope, both the pros and the cons, is essential.
“We want to know about mistakes because it’s only when we know about these mistakes or actions that we’re able to help mitigate any risk that they may have introduced,” Dan says.
In addition, he recommends maintaining an open dialog between the security team and the organization’s C-suite, partners and vendors. When all stakeholders have the same level of insight, working toward a shared goal is more efficient and productive.
“Working together is what’s going to ensure success,” Dan adds. “Giving people a heads up about certain risks that you might see and how it might potentially impact them is going to strengthen us as a whole.”
11. Stay sharp by tapping into the broader community.
Collaborating with other cybersecurity experts and participating in topical events gives Dan actionable information about the state of the discipline and best practices for the latest threats.
“One of the things that I find to be helpful is, I sit on a number of CSO roundtables. Having that network and having the ability to talk to other CSOs about what you encounter really helps give different perspectives,” he says.
How should we measure cybersecurity program success?
Cybersecurity is not a “check the box and move on” function, Dan says. Instead, it’s a business enabler and a living process.
He gauges the effectiveness of his cybersecurity programs by asking these questions:
- Are we protecting the assets that have been entrusted to us?
- Are we compliant with meeting our customer and regulatory obligations?
- Are my employees engaged?
- Is security viewed as a partner in achieving business objectives?
- Is security a two-way dialog?
- Are all levels of the organization cyber-smart and actively learning what they can do to protect themselves and the practice?
Today, IT professionals are aware that breaches are not a matter of “if” but “when.” Having a one-team mindset around preparing for these issues is the foundation for long-term cybersecurity success.
“There’s definitely no solution that’ll offer 100% protection against ransomware, but a robust program to identify and remediate that will help ensure timely response and limit risk in those areas,” Dan concludes.
Why do leading healthcare organizations choose Hyland?
Dive into why 3,700+ active healthcare customers around the world trust the security, expertise and capabilities of Hyland for their operations.