Three ways healthcare CISOs can modernize security
By Joseph Davis, Chief Security Advisor, Microsoft
When I start a new relationship with a CISO, I try to make them understand the importance of their role, whether it’s at a hospital, a payment processor, a research organization or a pharmaceutical manufacturer.
Too often, I encounter cybersecurity teams overwhelmed by the complexity of the task ahead. Many are faced with a mix of legacy equipment that hasn’t been updated in years, raising fears that their organization could become the next victim of ransomware or that an incident that begins digitally will end by becoming physical, causing harm to a patient.
They all know that lives are at stake in healthcare and they play an important and serious role in keeping the organization operational, profitable and safe. It is essential to take a step back and see the big picture: how they can modernize their organizations and bring them into the modern world of hybrid work based on Zero Trust and multi-cloud environments.
Here are four ways security managers can adopt a proactive mindset:
Adopt the role of diplomat
CISOs should bring together people from different departments. Start by building bridges between the IT staff and the security team. It is also important to involve public safety, physical security, human resources and those in management who control budgets. Explain to them that cyberattacks overlap, so security needs to become everyone’s business — it’s not just limited to the CISO and the security team.
Make IT and network staff realize that it’s better for everyone if the organization moves away from legacy infrastructure and adopts tools that can provide improved visibility and communications across the enterprise. Many IT and networking teams have spent years working in their specific areas and have invested time, money, and a lot of effort into learning specific products. Empower them to learn new technologies that can add convenience to their work life while improving visibility across the organization, putting the team in a stronger position to identify, respond to and prevent future cyber incidents.
Manage risk appropriately
Health professionals always assess the risks. Before major surgery, the surgeon will perform an analysis and tell the patient that under certain circumstances, there is a 90% chance of having a good outcome. The patient must then weigh the risks and decide whether to go ahead based on this assessment.
CISOs must perform the same type of risk calculations on security technologies. They need to ask themselves: what is the risk of compromise and lateral movement on the network if we continue to use our legacy equipment? What is the likely result of a system compromise? Another possible question could be: what is the risk of having an outdated Electronic Medical Records (EMR) system versus modernizing and moving the EMR system to the cloud? Even though moving an EMR to the cloud is risky, is it in the organization’s best interest to continue to operate an EMR that is nearing end of life?
In healthcare, we find a lot of “analysis paralysis” where organizations continue to study new technologies and never act because they are concerned about downtime and errors during the inevitable learning process. What I tell CISOs is to assess the risk.
Take multi-factor authentication (MFA), for example. I have CISOs telling me that it’s theoretically possible for MFA to be hacked. While this is true, I tell them that Microsoft has discovered that MFA blocks almost 99% of all account takeover attempts. Additionally, it takes a sophisticated threat actor to circumvent MFA. Run a risk analysis. I think most people would agree that 99% is an acceptable number.
The job of a CISO is to perform a risk analysis and decide whether it makes sense to maintain the status quo or move the organization forward and innovate with new technologies that will make staff more productive and safer in the long term.
Take advantage of the transition to the hybrid working model
The pandemic has presented a golden opportunity for technology organizations to advance digital transformation projects. Hospitals were inundated with patients and found they couldn’t support the volume of patients with their legacy apps. Medical practices had to find ways to accelerate telehealth, and research organizations and medical distributors had to learn to operate in a new work-from-home setting.
CISOs in healthcare organizations must take advantage of these changes and show senior management that it is imperative to invest and modernize. Explain the benefits of migrating to the cloud, including the cost savings of running a limited number of server farms, development flexibility, and overall staff mobility in the work-from-home model. Cloud technologies provide enhanced security because all their applications are automatically updated regularly and Microsoft Azure for Healthcare offers a “single version of the truth” where all technology departments now have visibility into network traffic. It also offers a platform for increased patient engagement where many live today – on their mobile devices.
Adopt authentication technologies that will drive employee buy-in
When CISOs look to deploy new technologies, I tell them to focus on identity and authentication first. Windows Hello for Business is a good starting point. It replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that Microsoft associates with a device using a biometric code or PIN. Windows Hello will allow users to authenticate with a Microsoft account, an Active Directory account, or a Microsoft Azure Active Directory (Azure AD) account.
CISOs can also demonstrate how single sign-on (SSO) in Azure Active Directory can save users from having to log in each time they need an application. SSO allows users to log in and authenticate using one set of credentials across multiple independent software systems. With SSO, users can access all necessary applications without having to authenticate using different credentials. Thus, SSO reduces the need for multiple passwords, greatly reducing user errors and misconfigurations by network administrators.
Empower patients. Improve the delivery of health care. Ensure security.
CISOs must assume a leadership role by bringing together all the disparate strengths of their organizations. Everyone’s seen the news about ransomware and other cyberattacks – and nobody wants to be on TV explaining financial loss, or worse, injury or death from a cyberattack. When CISOs have the tools and the intelligence to see the big picture, I think they will see what a great opportunity is available to them to transform their organizations. We are ready to work closely with CISOs to make their healthcare organizations more productive, engaging and secure.
Access more information about this sponsor here: https://aka.ms/SecureHealth