- The majority of healthcare security stakeholders agree that cybersecurity budgets are underfunded. And frankly, health organizations aren’t keeping pace with hackers who are continuously improving in sophistication.
Data security programs are still often underfunded and understaffed, according to a Black Book Market Research report. The same report found cybersecurity spending falling around just 3 percent of the IT budget.
Hospitals are already challenged with trying to choose the right cyber framework to follow. And there are a wide range of studies and resources, which makes it difficult to determine the right way to plan and finance a cybersecurity budget, explained Shefali Mookencherry, Principal Advisor for Information Security, Privacy and Disaster Recovery at Impact Advisors.
To Mookencherry, a cybersecurity budget can be simplified by breaking it down into three buckets: prevention, detection, and business continuity and disaster recovery.
Prevention should receive the biggest portion of the budget with about 50 percent. Mookencherry explained that should be spent on tools like firewall, antivirus, intrusion prevention systems and cloud-based filtering solutions, among other preventive tools.
But the number of tools will be dependent on the budget amount.
About 30 percent of the budget should be dedicated to detection and response — those solutions that both identify an abnormality or threat and cleanup the issues. Mookencherry explained that will include tools that help understand the threat, along with endpoint detection and response and security information, among others.
“Training falls on multiple departments, so it should be a shared budget across the organization on awareness and HIPAA training.”
The remaining 20 percent of the budget should focus on disaster recovery and business continuity.
“One thing to note here is that it’s all talking about the technologies: I haven’t brought in people. These buckets help outline items to spend cyber budget on,” Mookencherry said. “Training falls on multiple departments, so it should be a shared budget across the organization on awareness and HIPAA training.”
“With HIPAA training, it’s more centered around confidentiality. And the security piece often turns into a technology and IT project, where security concern falls into the cyber budget,” she added. “That’s why we talk about buckets. And with that 20 percent of the budget, it’s critical to make sure the systems are backed up.”
One of her clients experienced a ransomware attack and their systems went down for about 30 days. As most organizations plan for only about 48 hours of downtime, “it’s important to put disaster recovery and business continuity in there at 20 percent,” explained Mookencherry.
Reducing Redundancies, Boosting Efficiency
“Once thing to think about: How do we limit the costs so that I know exactly where the budget is allocated?” Mookencherry said.
Organizations should look at how many security tools are in place on a system and the effectiveness. For example, if the security leader determines the encryption is strong on the network, the money doesn’t need to be spent there. Instead, they might reallocate some of those funds to an intrusion detection tool.
Security vendors are another area that should be evaluated. Mookencherry explained that often multiple vendors are often used throughout an organization. Organizations may be able to shift some of those services to fewer vendors to save money.
“To make sure you understand security is driven into all business processes, look at all the vendors.”
But just how often should an organization assess its vendors and tools?
“Everyone’s situation is of different: posture is different, the environment is different,” said Mookencherry. “It depends on the size of organization. A community hospital with a smaller budget versus a huge health system — the spend will be different. Looking at the number of vendors, it may be more or less.”
“Typically, when you have organizations doing an annual assessment like HIPAA, you’re going to look at vendors once a year,” she added. “What should really happen? To make sure you understand security is driven into all business processes, look at all the vendors.”
During the procurement service and contracting, the legal team is involved. To Mookencherry, the legal team should be involved with other security processes, like materials management and acquiring a medical device.
“Security options should be built into the continuity process and looked at every time a contract is put together,” she said. “At least twice a year the vendor management and security contracts should be reviewed.”
One of the biggest issues for the security team is communicating security budget needs to the C-suite. Not all organizations have security members join those board-level meetings, which means there’s often a chasm between the board and fully understanding security needs.
At the HIMSS Security Forum in June, Allyson Vicars, Associate Director of Health IT Research for the Advisory Board, told attendees that far too often C-suite leaders believe that security is just an IT problem that can be addressed with tools. As a result, they don’t understand the need for the added requests.
Technology is crucial. But governance, C-suite engagement, and third-party risk management can’t be optional.
To Mookencherry, having to explain security needs to C-suite folks who may not be technical-minded can be trying. Those leaders should focus on speaking with the chief financial officer to get them to first understand the cost of a privacy breach of data and personally identifiable information.
“We can’t just say it’s an IT issue anymore. It’s really an organization-wide concern.”
Those details should be combined with the cost of regulations, payments, intellectual property and brand reputation. Mookencherry explained that organizations also have “obligations for trying to understand how you’re going to identify any audits that come along as well.”
Although “the best way to get the C-suite’s attention is when an audit comes through,” she added.
For example, if an audit reveals there’s a firewall issue or security tools missing, there will need to be funding so an organization is compliant.
“We’re so regulated in the US and now we also have an international aspect with GDPR that effects some US health organizations,” Mookencherry said. “Now you have both international and national regulations to add to the asks for the C-suite.”
Consider the two most recent Office for Civil Rights settlements. Allergy Associates settled with OCR for $125,000 for a 2015 incident involving impermissible disclosure of a patient’s protected health information to a reporter. And OCR fined Advanced Care Hospitalists for contracting with an unknown vendor without a business associate’s agreement – and failing to even have a BA policy in place.
While regulations can help secure funding, the other part is patient safety and data center vulnerability, she explained. “If the hospital or data center goes down, how would we bring the system back up?”
Those with data centers will need to have an alternative site to bring a system back up in a disaster. Mookencherry explained that looking at those potential disasters and adding those financial indicators for what that will mean to the budget can help explain the need for funding.
Other objectives to consider? How long it will take to bring the system in case of a service interruption or cyberattack and the length of time it will take to recover data.
“There are different metrics to consider, some of the biggest systems can’t bring up the network for days after a hack, and it can turn into 30 days,” Mookencherry said. “It’s a real big problem for patient safety.”
One organization that fell victim to a ransomware attack had some federal programs come into the hospital and shut down its program, as they didn’t want it to corrupt their data, she explained. “Medicare and Medicaid programs are now cut off, as those organizations don’t want to be impacted by ransomware.”
“Now the CFO is wondering what he can do right now,” Mookencherry said. “Some of the C-suite folks are very aware of what their situation is and may allocate the dollars to put together a stronger security environment.”
“But we can’t just say it’s an IT issue anymore. It’s really an organization-wide concern,” she added.