If you think of information security programs existing on a 10-point continuum with the far left (1) being “What’s an information security program?” and the far right (10) being “We have a mature program guided by a cybersecurity framework with an experienced executive overseeing a team of infosec professionals”.
Where your program exists, or doesn’t exist, depends on lots of factors such as
- Size of the organization
- The budget allocated to information security
- Availability of experts
- The amount of data that has to be protected
- The sensitivity of the data being protected.
- Use of automation
- Training and education of staff assigned to information security
Most of my infosec experience is in healthcare and the organizations with the most mature information security programs (8-10 on the continuum) tend to fall into one of three categories:
- Very large 3rd party “business associates” responsible for the data of thousands of health care providers. Think of vendors such as Epic, MEDITECH or Amazon.
- Academic medical centers (although I have worked with academic medical centers with atrociously bad information security programs).
- Large regional health systems.
The least ready and most vulnerable players (1-4 on the continuum) tend to fall into the following categories:
- Niche business associates/vendors who provide specialized software or services to healthcare providers. Think of vendors such as clinical analytics providers, niche EMR systems or mid-tier revenue cycle management companies.
- All independent, ambulatory clinics including large multi-specialty or specialty clinics with more than 50 physicians down to small clinics.
- Small to mid-size hospitals with up to 300 beds
- The most vulnerable group is rural hospitals with fewer than 80 beds.
Based solely on quantity, I would guesstimate most healthcare organizations exist at about the 3-4 spot on the continuum.
If we want to rely on more quantifiable data on the state of information security in healthcare we can look to survey information from organizations like the 2020 HIMSS Cybersecurity Survey. The 2020 HIMSS survey noted some of the following key concerns:
- 57% of Respondents noted Phishing attacks as a key concern
- 70% of survey respondents had experienced significant security incidents in the past 12 months
- 20% answered that ransomware attacks were a key concern
The healthcare industry has come a long way in its information security program development in the last few years driven both by compliance concerns as well as the targeting of the industry by malicious actors. But as this survey indicates, the industry has a long way to go. Ransomware attacks are extremely common and have even resulted in hospital shut downs. Even larger established healthcare providers could benefit from proactively working to “mature” their information security programs.
Mature vs Immature Programs
If I could suggest one thing that separates the top programs from those trailing their peers it would be this:
The top programs use a structured, comprehensive and proactive approach to managing information security based on established best practices.
In other words, their approach is programmatic and thoughtful.
Those entities that do the bare minimum, such as a barely passable risk analysis, spend most of their time reacting to incidents rather than preventing them.
Where Are You?
So let me ask you some searching questions:
- Do You have an Information Security Program?
- Do you have a structured, systematic approach to managing the security of your information?
- Can you describe the elements of your program?
- Do you have a sense of how “mature” your program is relative to organizations of similar size and complexity? And is your program a market leader or a straggler?
The Information Security Program Development Guide
To help organizations and individuals that want to upgrade their information security programs, I have developed the 14 page “Information Security Program Development Guide”. The guide provides a methodical approach to creating and managing an information security program.
What are some elements of a good information security program?
- Leadership – Top programs will be led by an experienced information security leader who is either in the C-Suite or has solid executive support from the C-Suite. The program will be aligned with IT strategy.
- Policies, Procedures and Controls – Policies, Procedures and controls are mapped to requirements, align with operational procedures and produce documented artifacts to prove compliance.
- Risk Management – Risk assessments are a part of, and a crucial one, of a holistic risk management program.
- Cybersecurity Framework Adoption – The organization has adopted a security framework.
- 3rd Party Risks – A 3rd party risk management program has been implemented to understand and address the risks associated with business associates and vendors.
- Other factors such as business continuity, training and culture have been addressed.
The Information Security Program Development Guide will provide a roadmap for the steps you need to take to build the kind of program that will be best in class and suggest the questions you need to ask and answer to build a program that works for YOUR organization.
And the guide is free for the taking. Just click here!