For some reason the latest strain of malware, named WannaCry (see this link to the Sophos web site for helpful information), has really caught the attention of the national news media even though it is hardly the first of its kind. It is a unique strain, but it seems like they usually are these days. Possibly the news was a bit slow over the weekend, or possibly the world is finally waking up to the fact that these security exploits can cause significant harm and financial loss.
If you are an executive or IT leader in a small to mid-sized healthcare provider organization, it can be overwhelming to prioritize all of the competing demands for IT dollars and time. Security has become one of those items that is impossible to feel good about because it is a pure drain on resources (time and money) and it seems that no matter what you do, it isn’t enough. Sucks to be you.
Ok, now that we have that pity party out of the way, let’s focus on positive actions that can be taken. Start by acknowledging that security is a very real and necessary cost of doing business, just like toilets, electricity and fire alarms. None of these things really advance the objectives of the organization, yet we have to have them to keep the doors open. Then I might suggest that you consider how seriously you take the condition and the testing of the toilets, electricity and fire alarms in your organization. My guess is that most of you have very stringent operational standards for each of these even though they don’t move the needle on the business. Finally, ask yourself whether you give the same disciplined, best practice-based attention to security and emergency preparedness for your IT systems. If you aren’t sure, then you probably have your answer. If you think you are sure that you do, I would ask, “how do you know?” Chances are if you can answer that, you have done well to prepare yourself. If you can’t, there is some work to do.
I believe you have no choice but to go about the implementation and testing of security technologies and management disciplines in much the same way we install and test a fire alarm system. A primary difference is that fire hasn’t changed over time, but security threats are constantly changing, so the need for testing, updating and disciplined action is tenfold. These aren’t things we leave to chance or some Internet sales promotion. There are industry best practices and there are industry experts who do this for a living. Providers like yourselves need to engage these resources in a meaningful way if you are going to have a fighting chance of deploying the right systems in the right way. You also need to have external experts audit those systems, because validating your own security practice is a bit like proofreading your own writing: it’s very difficult to see your own most common mistake, because if you don’t know it’s a gap, you won’t see it. You might even find that the right experts are able to help you find economical ways to approach the security discipline effectively. Once you have those best practices established, it’s critical that you establish the regular maintenance and testing routines to keep your security systems at peak performance. That work can either be assigned to your team on site or outsourced to a managed service provider. Either way, it must be vetted and tested routinely.
If you have questions on how to approach these best practice disciplines, give us a call. In the meantime, here are some resources to get you started:
- NIST Cyber Framework
- HHS ASPR, the Technical Resources, Assistance Center, and Information Exchange
- ICE Technologies Knowledge Center (choose to filter by topic: security)