Cyber Security - Integrated enterprise approach required to address the multifaceted challenges
By Sumit Puri, CIO, Max Healthcare
When an attacker attempts to directly compromise a supplier's software, it is a particularly difficult attack to defend against. Once the software is infected, it is signed with the manufacturer's certificate, so any receiving system that checks only for a valid certificate may be exposed. Attackers may also target cloud-hosting services: websites associated with the host may become infected and spread that infection to other organizations along the supply chain. Because healthcare has such high exposure to third-party services and business partnerships, it faces a correspondingly high degree of exposure to these kinds of attacks.

There is growing recognition in the healthcare industry of the importance of protecting patient data, which is the bedrock of trust and patient safety. To meet these significant challenges, healthcare organizations should view cybersecurity as a business risk rather than just a technical challenge, and address security issues at the board level on a continual basis. This recognition signals a shift to a larger business-level transformation, with progressive organizations moving from a narrower, compliance- and HIPAA-focused approach to a more comprehensive enterprise-level data security strategy.

The key steps to enable an integrated security strategy can be as follows:

1) Socialise the risks and inform users - As per most reports, while most large enterprises are fairly well covered on perimeter and network security, internal data breaches originating from employees are the weakest link in enterprise security. There is an ongoing need to educate employees across the organization to be cyber aware and to provide training according to their roles and responsibilities. Online, user-friendly modules on security aspects, with annual enrolment of all employees, will help everyone understand the key dos and don'ts and socialise the perils of potential cyber security breaches.

2) Hire the right personnel and build an integrated team with adequate business participation - Focus on hiring and retaining qualified IT security staff who can work with nominated representatives of key business functions to protect sensitive data. It is recommended to nominate a senior business or compliance representative as Chief Data Protection Officer to ensure dedicated focus on potential data security risks. Within the IT function, there is also a need to share security standards with suppliers and to consider security implications when purchasing medical equipment, IT hardware, or software.

3) Monitor emerging security threats and buy the necessary tools to protect the enterprise - It is imperative that ongoing security threats are monitored carefully and, wherever necessary, that the requisite tools for data loss prevention, endpoint monitoring and encryption, advanced threat prevention, etc. are procured to reduce organisational risk.

4) Strengthen data security policies and set up an integrated incident response team - In spite of the best efforts of the security team, there will be instances of occasional security breaches and/or zero-day attacks. Hence it is important to form integrated incident management teams and strengthen cybersecurity incident response protocols, with the data security team empowered to work seamlessly with users, IT infrastructure and application vendor teams in a boundaryless manner.

5) Set up a security governance framework to assess and manage internal security preparedness - Unless we measure security aspects, it is difficult to manage the risks. It is therefore critical that IT teams speak the language of the business to share potential security risks and to compute the ROI on IT security investments in a rigorous way.

It is also important to create an IT security metrics framework, with metrics on patching status, anti-virus compliance, penetration-test and vulnerability findings (especially for external internet-facing sites), the number and severity of data breaches reported, coverage of internal employee awareness training, compliance status, etc. These metrics should be reviewed at least monthly to drive a better understanding of security preparedness, compliance and progress at an enterprise level.

Organizations that incorporate steps such as these into their overall cybersecurity frameworks will be best positioned to navigate the challenges that await. These practices will help foster a security culture and develop an agile, comprehensive and effective cybersecurity posture for the healthcare community. In conclusion, it is essential to increase organisation-wide awareness, to raise emerging security risks at board level, to remain vigilant, and to continue to layer new forms of cyber security protection to reduce your network's exposure to cybersecurity threats.