Healthcare organizations are adding tools without the proper security frameworks in place, which is ultimately hurting their NIST scores.
In this first episode of season 2 of The Risk Perspective, CynergisTek’s Dave Bailey and David Finn (described as “the CTEK Statler and Waldorf”) discuss what has caused NIST scores to decline over the last few years. The addition of tools, trainings, and the overall changes to threat environments are negatively impacting NIST scores. Healthcare organizations are learning the hard way: what was successful in the past isn’t going to be successful today.
Subscribe to CTEK Voices: The Risk Perspective
Welcome to the 2nd season of CTEK Voices: The Risk Perspective, the podcast that brings you expert insights into today’s hot topics in healthcare cybersecurity, compliance, and privacy. Each episode of The Risk Perspective season 2 features an inside listen into the conversations between CTEK thought leaders, subject matter experts, and industry guest speakers who share their trusted risk expertise and perspectives. Subscribe to CTEK Voices: The Risk Perspective on Apple iTunes, Spotify, or your preferred podcast platform. New episodes are released weekly, and a transcript of each episode can be found at cynergistek.com.
And now, for the show…
Hello, welcome to the first episode of CTEK Voices: The Risk Perspective, Season 2. I’m your host, Lauren Frickle. As you have probably noticed, season 1 of this podcast focused primarily on responses and topics related to the COVID-19 pandemic. Though we will still cover COVID-19 content, we are shifting gears a bit with Season 2. We plan on exploring the risk world beyond COVID-19.
So, with that, I’d like to roll into this week’s topic, and introduce our captivating guests!
Today’s topic, “A fool with a tool is still a fool: there are no Silver Bullets,” will discuss just that! We are noticing healthcare organizations are adding tools to help alleviate new needs; however, many of the tools they are adding lack proper security frameworks, which ultimately hurts their NIST scores. Here to discuss this issue, joining us today are David Finn and Dave Bailey (AKA Statler & Waldorf, NOT because of looks, but because of their demeanor; you’ll see what I mean in a moment).
David Finn, otherwise known as “Waldorf,” is the EVP, Strategic Innovation at CTEK. He is a recovering healthcare CIO and Health IT Evangelist. He is a former IT Auditor, Security and Privacy Officer, and has two degrees in theatre… Go figure.
Dave Bailey, our “Statler” is the Director of Security Services at CTEK and is the better-looking Muppet… self-proclaimed.
Welcome David Waldorf Finn, and Dave Statler Bailey!
Thank you, Lauren. It is a pleasure to be here, and I am looking forward to this discussion and finding out what we can find out and sharing that with everyone.
Yeah, same here, Lauren. It’s always a pleasure to talk about risk and cybersecurity in healthcare, and I’m just happy that I’m here with David and you to talk about a topic that’s near and dear to our hearts.
And that topic is actually the data in our annual report.
Dave mentioned his assessment work here, over 300 assessments. Back in 2018, we published our first annual report on 2017 data, a year’s worth of assessments across the industry, and that was called “Improving Readiness, or Meeting Cyber Threats.” That was the real easy report, because it was the first year we’d ever collected data against the NIST CSF and the HIPAA Security Rule, and we figured it was going to be interesting. There was great demand for it. So, in 2019, we published the report on the 2018 data and ran the comparison, and that report was called “Measuring Progress, Expanding the Horizon.” And in 2020, we’re going to publish a report on the 2019 data, and it really is about setting direction, which seems appropriate somehow after the year we’ve been through in 2020, with COVID and all that.
This is an opportunity to reset ourselves as cybersecurity professionals in healthcare and move forward. And it was interesting, because Dave mentioned he’s involved to some degree in almost every one of the assessments, in fact, every one of these assessments, and I kind of get the data at the end of the year and start looking through it. So, that led to some interesting findings.
Now we’ve got three years of data. And I will just say that is a non-trivial amount of data: roughly 300 assessments at physical facilities each year, over 100 customers each year and all their facilities. And so now we are getting some perspective on it, and the thing that surprised me, and I’m going to turn this into a question for Dave, is he sees this coming in, and he kind of knows what the end of the year is going to look like. I get it at the end of the year, and I was very surprised to see that scores overall went down.
They went up from 2017 to 2018, and I was expecting from 2018 to 2019, they would go up.
But we actually declined, and so I’m going to ask Statler here, what the **** is happening?
Well, no. This is really actually a great question and great perspective.
I want to start out by just adding some context before I give my answer and first of the context is this:
The NIST CSF now in 2019, after all these assessments, when we started this new CSF journey back in 2017, it really is fully adopted in most cases. It took us a lot of convincing in 2017 with our clients in order to say, listen, this solely HIPAA focus that we’ve had in security, how do we move beyond that? Because, as we all know, if we only focus on the rule itself, it really wasn’t the best indicator of what is required for an overall security program.
How do you put your organization in the best chance to mitigate the risks that you have? And the NIST CSF really is the foundation and framework in order to do that, beyond just focusing on the rule.
So, when we looked at 2017, we started to get buy-in; 2018, much more buy-in; and by 2019, we were in full swing with doing NIST CSF assessments. So, every client, while we were doing them, you know, started to get an understanding of what was required for the NIST CSF because of what we evaluate. Not only do we look at all the 23 control areas of the NIST CSF, but, you know, all the subcategories. We’ve come up with an assessment that we feel does a very good job of looking at an organization’s security program.
It also looks at their technical capabilities: how well they build things, secure things, harden things, and really how they operate and maintain their infrastructure.
So, now, to get to David’s answer, which is, you know, why is this so bad, and why are we seeing what we’re seeing?
You know, a lot of questions that we get is, is the goalpost moving?
In reality, yeah, the goalpost is moving. While the framework is generally the same, there have been changes between NIST versions 1.0 and 1.1 (and I can get into those changes). But, yes, there are changes there. The reality of it is, the goalpost is moving: what is required in order to address today’s threat, in order to address the risks?
You know, that dial is getting turned up year over year. And as we use the NIST framework to evaluate a program, and a program gets to understand what all is required of that, what we’re finding is, you know, it takes a lot of work. A lot of energy and effort goes into mitigating risk, and that doesn’t necessarily translate to: you’ve matured your program from a process perspective.
You may have mitigated the risks you needed to mitigate, but it doesn’t mean that you became more effective. The technology is changing. The organization’s business models are changing, the need and requirement to be more agile, to do more with less (and I know I’m throwing out a lot of business phrases), but it’s true. There is a whole hard reality that, in order to keep up, you have to invest, you have to buy technology, you have to implement technology. And in order to do that doesn’t always mean, year over year, that you are becoming more effective in a process. So, you know, once again, this is all the risk game.
Well, you kind of answered the question that I had when I first got the data, because, with the move to NIST 1.1, I thought we’d see a big decline in Identify with the supply chain and authentication changes.
Because we went down in conformance overall about 2 percentage points from 2018. In fact, we’re down from 2017. But I thought that was all going to be in Identify. But I noticed, as we looked at the core elements, we were down in Identify. We stayed even in Detect, and then we were down slightly in Respond and Recover.
So, is it just the changes in this 1.1 that caused the decline?
Yeah, definitely, and just a couple of comments on the supply chain side.
I mean, most organizations, from a pure security risk perspective, have processes that allow them to evaluate a piece of software, evaluate, you know, some vendor that they want to bring into their organization.
Not all of those practices are formal.
Not all of those practices necessarily fit for every, you know, size, shape, or type of vendor. But, for the most part, we see that practice within a security program. But when you really look at the supply chain component, it starts to look at things much larger than just the IT risk component of things. And that was a shock to some organizations, because it really looks at how, what is the methodology that you’re using to choose vendors? What type of risk, and how do you associate that risk within your overall risk management program? And not everyone has all of those programs. You know, they’re doing aspects of that, but they’re not formalized, they’re not 100% effective, and that’s why we really didn’t see a lot of organizations that scored, from a formal and effective component, you know, within the supply chain.
The other thing that I want to say about the Protect component is, let’s not even talk about formalized scores. Let’s just talk about the blocking and tackling that needs to be done. There are still healthcare organizations today that have to address unencrypted removable media. They have to address the ability to use personal devices.
One of the best phrases I’ve heard this year, everyone talks about BYOD, but I just heard the “Bring Your Own Cloud” acronym, and it’s so true, because it’s not just about “Can I use my personal device?” It’s about all of the cloud technologies that folks have access to.
How you enable those, how you allow non-organization owned and managed devices to interact within your environment, and what controls do you put around them?
So there are so many blocking and tackling things that have to take place. You know, the threat and risk we were seeing in 2017 has changed in 2019, and certainly now, once COVID is here, we can’t stress enough that if you approach your program the same way you approached it last year and this year, then you are behind.
It’s that simple. You really have to be looking at, what does it mean that all of this world event has happened? What does it mean with the new threat landscape, and how do I need to adjust and adapt my programs?
You raised an interesting point.
The bad guys don’t stop.
No one comes in and assesses the bad guys and says, here, you got an A this year, and a B in this.
And I know you and I have talked about this many times: our customers get a little too focused on the score, and not on what the real job is. Any thoughts about that?
The score, in some cases, is a necessary evil, because you can use it as what they call a common language.
How can I look at an assessor methodology over an entire industry and come up with some commonality and trend? So, you know, using a score methodology to look at someone’s process is a valid approach. But ultimately, what this comes down to is an organization’s ability to manage risk.
And one of the things that we have recognized, certainly, over the years of doing these types of assessments, is that, while we do believe it’s important, we’re even changing our focus and approach with clients to not necessarily negate the maturity score, but maybe de-emphasize it in the way that we present data back to an organization. Because, ultimately, while the average and the trends show meaning, it isn’t the full meaning.
And it doesn’t mean that work is accomplished. It doesn’t mean that cybersecurity needs to be on the forefront; it means that the threat landscape is changing. It’s changing at a rate, I will tell you right now, that is much quicker than someone’s ability to go from a 2 on the Maturity Model to a 3.
So, those are things that I think, overall, we are really trying to change, even our approach in 2020, to really focus the energy and effort on the assessment with risk, and making sure that a client understands it is ultimately about mitigating their risk.
Yeah, that’s a great question, Dave, and I want to give you a couple of examples here and get your feedback.
But I think the important thing here, as you mentioned, is, you want to track your progress. You want to make sure you’re getting better, because it’s like you said, if you’re not getting better, you’re actually getting worse.
Just doing the same thing over and over doesn’t help.
But now that we’ve got three years’ worth of data, it was interesting to go back and look. And yet, I saw an overall decline in the industry.
So, I looked at a couple of specific examples.
One was a small community hospital. They went through the process in 2017.
Not happy scores, and they made a commitment at that time: they hired a CISO, they staffed their Security Department (not what they wanted, I’m sure), they went after policy and procedures, and over three years they came up by 60 points on our measure.
And this is a small facility. They didn’t break the bank getting there. They just did the basics.
On the other hand, we had a large medical center that was doing pretty good, had good scores, solid performance, and over the course of two years added a number of affiliates, and they went backwards.
So, the message for me on the small community hospitals is, if you actually put a plan in place and work it, you’ll get better.
But what’s happening in bigger places where they’re doing at least the same stuff and falling backwards?
Yeah, no, I think you see the unfortunate reality with measuring progress. The larger medical center example highlights the need for an organization to integrate cybersecurity into their overall business strategic plan.
And knowing that, hey, if we’ve come this far and we’ve progressed over the years to develop a program that’s able to mitigate our risk at a certain level, now we’ve changed the business. Not only are we changing the business, that drives new trust relationships; it drives, you know, different places the data flows and moves, and now my PHI is not only outside the EMR, but it’s flowing through different partners, different vendors, their vendors and suppliers. And, you know, we’ve really changed the ecosystem.
And unfortunately, sometimes that needed change in a business in order to survive (and I’m not sitting here trying to tell the business not to do that), but sometimes it takes a little bit of time, at a slower pace, in order to catch the program up and to make sure that all the appropriate safeguards are in place in order to make all of those processes effective.
So, you know, the closer that the cybersecurity risk alignment can be involved in the business alignment, that gap gets closed a little bit. And, you know, obviously, just like anything else, the security professional in me would like to say that we’re in front of that charge, but that’s not always the case.
And, you know, we have to learn, and we have to be able to adapt to the realities of business, and business changes. New partners, new affiliates, new relationships, new ways that you have to be able to survive and provide the best patient care that you can will ultimately change your risk profile.
It wasn’t such a sky-is-falling message to the organization, but it was a reality that, you know, hey, we’re doing the right things, but we may have to take a few steps backwards in order to go forwards.
So, are you saying something crazy?
Like progress isn’t always a straight line, but you still have to keep getting better?
You still have to keep getting better.
And just because you go backward doesn’t always mean it’s a bad thing.
However, it is the reality in today’s industry. I mean, I can shout from the rooftops, like most security professionals do, all the things the healthcare industry is behind on. You know, we’re not keeping up with the pace.
I was just asked a question by another leader, and one of the leaders basically said, you know what, why is it so bad? And, you know, is it the fact that we don’t have, you know, trained professionals?
And my answer is, you know, 99% of the time we go in and talk to security teams in hospitals.
They know exactly what to do. They have a pulse on what the issues are in their organization and what risks they need to address. It’s really a business discussion.
It all comes down to how can they take their program, take their risks, and integrate that into an overall business strategy? Because, you know what? There’s not unlimited dollars, there’s not unlimited people, and they’re going to have to integrate and convince their organization to make appropriate investment.
And, yes, the security professional in me says, give me all the money and people that I need.
So, they all know what to do, and the ones that have success have built a program and the relationships to be able to align those risk discussions when it comes down to the budgetary decisions, to the Board updates, you know, to the ability to say, you know what? The organization has $1; how do I spend it?
And, you want to be able to say, you know what? Yeah, we’re going to take 50 cents of that dollar, and we’re going to put it here to address this risk.
If not, you’re going to have to accept the risk and come up with, you know, other ways that, in the long run may hurt you.
You may either ultimately cause harm to a patient, or you may introduce larger financial risk due to some large cyber event.
I suspect Lauren is getting ready to knock the stuffing out of these two old Muppets, but your point is well taken.
It reminds me of when I was the CIO and my job was to fix everything in the organization as the IT guy and the security guy.
And it really does come down to the fact that these are not IT, nor are they security risks.
These are business risks. When the EMR is ransomed, when the system goes down, or the data center’s out, those are not IT or security risks. There’s plenty of work for IT and security, but the business can’t function: you can’t take care of patients, you can’t drop bills, you can’t communicate with patients coming in or patients who are in house.
And so, it really needs to be the entire C-Suite supporting the CIO and the CISO in making these things happen.
And some of the great stories, and certainly success stories, that we can point to are, you know, many clients that have had great successes with moving their programs forward and being able to interject into their leadership the importance; they’re able to talk about the patient.
It goes back to a patient-centered discussion. Why is it so important that we need to mitigate this risk right now? Because there’s a potential that we could have either some disruption in care delivery, some patient diversion, you know, something where we are interrupting our ability to care for that patient.
And when you can put it in those terms, generally speaking, you have greater success in getting the dollars, getting the money, getting the things that you need, versus trying to go in and sell the widget.
And with that, I’m going to give it back to Lauren and let her get us out of here.
Alright, there you have it, folks, straight from the mouths of CynergisTek’s biggest healthcare risk critics.
Thank you, Dave and David, for joining us, and thank you all for listening!