What GreyCastle Security Learned at HIMSS Chicago 2023 

Posted April 26, 2023 | Bennett Van Wert, Cybersecurity Solutions Advisor, GreyCastle Security

Being back in person this year for the annual HIMSS Conference was an eye-opening experience! There were countless vendors discussing the complex cybersecurity challenges facing the healthcare industry. As always, vendors have no shortage of fresh solutions that may or may not solve all healthcare cybersecurity challenges, depending on whom you ask.  

The reality is that selecting the right solution today isn’t any different than it was last year or even five years ago. Regardless of the technology behind the solution, what is most important is how much value it provides to you and how much it helps solve current (and future) cybersecurity challenges. If there’s one thing we know, technology alone doesn’t solve the significant cyber challenges we face today.

Our Top Takeaways 

1. With all the vendors and all the solutions they offer – how do you find the right ones for your organization… right now?  

    • Prioritize with Risk: Figure out what cybersecurity challenges are most impacting your organization and prioritize solution selection accordingly. Conduct a risk assessment to identify organizational threats and vulnerabilities and work with leadership to understand the level of impact these may have on your operations. It isn’t always obvious which systems or business areas generate the most revenue or support critical patient care. You need the right people in the room to draw solid conclusions. Once you understand these factors, and the potential pitfalls affecting your unique situation, you can more effectively evaluate solutions. 
    • Include the Right People: Determining the right cybersecurity solutions should never be left to any one single business department. You need to include a mix of administrative, technical, and leadership representation. It is important to consider the operational impacts and relate that to how the business may be impacted financially, legally, and in its ability to provide patient care. Bringing these groups together, quantifying which assets are the most critical, and understanding how the organization uses them will go a long way in selecting the right solution and obtaining funding. 
    • Build a Solution Requirements Checklist: It is easy to get excited about all the shiny objects and people that want to help, but when it comes down to getting the most value for your time and money, you need to be able to distinguish between what you need and what you’d like to have. Make a list of top needs and evaluate solutions against how well they address them (or not). This method, while it may seem obvious, really helps avoid using emotion to make decisions. 

 

2. Experience in and knowledge of healthcare doesn’t seem to be a core competency of most security vendors or software developers. This doesn’t mean they don’t offer good solutions, but you may be able to find vendors that offer more value if they understand and specialize in the healthcare industry. Think about these three topics as you evaluate solutions: 

    • Human-Led Knowledge and Experience are Key: Look for security solutions that are designed and managed by experienced cybersecurity professionals who understand the healthcare industry. 
    • Healthcare-Specific Solutions: Look for vendors who specialize in healthcare security solutions and have a significant understanding of the regulatory environment and unique challenges facing the industry. 
    • Ongoing Support and Education: Choose vendors who offer ongoing support and education to help your organization stay up-to-date with the latest threats, industry trends, and best practices. They should then use that information to help make their own solutions better over time. 

 

3. Interoperability is especially important when evaluating potential solutions. There are many solutions and many vendors supporting healthcare, and interoperability is not guaranteed. Neither is security. 

    • Interoperability is Crucial: Look for solutions that prioritize interoperability and work seamlessly with other systems and vendors to ensure maximum security. 
    • Security is a Shared Responsibility: Recognize that security is a shared responsibility across all vendors and systems. Choose vendors who prioritize security and are willing to work collaboratively to ensure it. 
    • Conduct Regular Security Assessments: Regularly assess your systems and vendors for potential security vulnerabilities, and work proactively to address any issues that arise. In many cases, resolving security vulnerabilities requires the coordination of multiple parties, stressing the need for interoperability and communication. 

 

4. Automation and Artificial Intelligence are everywhere and seem to be prominent buzzwords. It is important to know that you don’t have to understand AI to evaluate whether a security solution meets your needs and provides value. Refrain from trying to understand how AI works and instead focus on the outcomes. In the end, it doesn’t matter how it is done. What matters is that your top issues (see Prioritization and Risk Assessment above) are solved and that the solution is cost-effective. Remember, you’re looking for how these underlying processes provide value. 

    • Automation and AI can Help Streamline Security Processes: Automation and AI can help healthcare organizations streamline their security processes and free up staff to focus on other critical tasks. Make sure you see how much these new offerings are improved over existing platforms before making the investment, and understand how much time they’ll take to maintain.
    • Automation and AI can Improve Accuracy: Automated security processes can help reduce human error and improve accuracy in identifying and addressing potential threats. Make sure you see what the solution provides and ensure you see it as being valuable to your needs. 
    • Automation and AI Require Careful Planning: Implementing automated security processes requires careful planning and consideration to ensure they are effective and don’t introduce added vulnerabilities. This is true of any technology and is certainly true of automation and AI. 

 

5. One thing is clear – there is no shortage of vendors supplying security solutions. In addition, of all industries, healthcare has one of the highest numbers of third parties supporting its operations. This makes managing vendor risk difficult. However, there are some key activities that can help focus your limited time and reduce vendor risk: 

 

    • Establish a Method for Quantifying How Risky a Vendor is: All vendors have some level of risk, but not all present the same level of potential impact. It’s important to establish a clear and measurable way to score a vendor so that everyone understands how much risk they are introducing. This will help you spend the right amount of time developing reasonable security controls to limit risk. 
    • Identify What Information Assets Vendors Have Access To: One especially vital component of understanding how much risk a vendor may have is understanding what information assets they have access to and understanding the level of risk associated with those assets. If a vendor has access to a significant amount of extremely sensitive data (usually PHI), that will likely classify them as a high-risk vendor. Conversely, if a vendor has zero access to sensitive data, this would likely put them in a low-risk category. One thing that will help greatly in this activity is to have a way to formally classify your data and inherent risk ratings, generally defined in a data classification policy. 