Hospitals operate in a challenging environment: relationships with insurers, state as well as federal rules and regulations, staff shortages, emerging treatments, new clinical technologies, and the need to manage a whole range of suppliers and stakeholders. The complexity and importance of these inter-dependencies means hospitals need a sound multi-year strategic plan to make sure they are properly addressed.
The hospital strategic planning process is led by the board but needs input from a range of stakeholders including clinical teams, quality and regulatory experts, patients, and functional business units. This process should revolve around business benefits, both short term and long term, with an emphasis placed on those investments most likely to deliver compounding returns and exceptional patient care.
There’s a mutually dependent relationship between the hospital’s strategic plan and its functional business units. The IT policies reflected in the strategic plan should demonstrate how technology will cost-effectively support the hospital’s aims, objectives and initiatives; while the cybersecurity doctrine reflected through strategic planning should describe the hospital’s security policies, practices and controls, as well as the hardware, software and network tools to implement them. All components of the strategic plan should be updated at least annually, but in practice need to be living documents — regularly maintained to reflect changes inside and outside the hospital.
Cybersecurity Strategic Planning
There are several frameworks that help with planning and implementation of cybersecurity, both on the strategic and tactical level, but the HITRUST Common Security Framework is particularly useful since it's based on ISO 27799 (Information security management in health) and incorporates best practice standards and guidelines like NIST SP 1800-8, COBIT 2019, and ISO 80001 (risk management for IT-networks incorporating medical devices).
Ownership of the cybersecurity aspect of the hospital’s strategic plan will most likely belong to the CISO, but he or she will need to work closely with the CIO. The CIO’s primary focus is to ensure the deployment of reliable information technology and systems that allows clinical and business teams to meet their strategic and operational objectives, while the CISO has a narrower but no less important role: contending with fast evolving cyber threats, building a cyber-aware culture, and ensuring the hospital can quickly respond to a breach.
Both share a common objective: persuading the board to release funds to support and advance the strategic plans.
CISOs Need to Talk Business
CISOs can be on the back foot when it comes to pitching to the board since many have a background in operations, where problem solving capabilities rooted in technical knowledge is preferred to ROI calculations and “corporate vision.” Someone who rises to the rank of CISO has excelled in that capacity and refined that skill set. Now, suddenly he or she is put in front of the hospital’s board of directors only to be betrayed by that same skill set.
A board of directors typically works very differently than an IT department and that difference carries through to the way its members think. Even more pointedly, that difference is expressed in the way people speak within the board room. Speak to an Italian in French and, more often than not, you won’t get very far. The same principle applies here. For best results, CISOs need to learn to speak the language of the board, the language of business. Unfortunately, they don’t always make the leap.
When board directors were asked to rank the quality of presentations they receive, CISOs ranked bottom. The lesson? CISOs need to realize cyberthreats aren’t just technical challenges to be overcome but represent critical business problems that need to be communicated in language the board understands: risks, opportunities, dollars and cents.
The problem with appealing for budget to support cybersecurity initiatives is that unless the hospital has already suffered a breach, arguments tend to feel conceptual — making them hard to justify against more manifest needs. Some CISOs joke about fighting tooth and nail for shoestring budgets to pursue cybersecurity basics before a breach and being flooded with funds after one.
There is truth to the joke and the change in attitude from day zero to day one can truly be striking. But CISOs can’t simply wait to be attacked to push their agendas forward. Who is to say that your first cyber attack will simply graze you rather than strike a major artery, so to speak? The fact is that many CISOs won’t survive that first encounter. Fairness notwithstanding and regardless of whether the board extended the necessary support for effective remediation, the person charged with ensuring cybersecurity makes an expedient scapegoat.
Bottom line, complacency is just not a viable strategy. Which is why CISOs need to find new ways to arm themselves, not just in the cyber trenches, but in the boardrooms. If you’re not availing yourself to every possible argument for investing in cybersecurity, you’re liable to find yourself underfunded, under-tooled, and under siege.
This means that after you’ve charted, built, and refined your healthcybersecurity agenda, you will need to advance it on the basis of business benefits — translating technical requirements into business needs and championing their operational integration. Here, by necessity, the focus needs to shift away from loss prevention — which is hard to quantify (how do you count what didn’t happen?) and harder to appreciate — and toward measurable gains.
The best thing the CISO can do is root the argument for improved cybersecurity in the business benefits conferred — even if those benefits are mostly ancillary from his point of view. In so doing, a conscientious CISO can not only ensure that he or she will be heard by the board, but that the cyber agenda will be holistically built into the broader hospital strategic planning process.
To some degree every hospital is different, but a robust cybersecurity plan will deliver immediate business benefits in a number of ways. For the purposes of this article, the focus will be on 3 areas that are common to all healthcare operations and around which a business case can be made without much room for push back.
These benefits provide a good foundation for you to build on and that can win you some social capital to take forward. Use these as a sort of foothold through which to expand cyber awareness, appreciation, and planning in the minds of the board.
Streamlined inventory management reduces costs, improves operational efficiency
Hospitals are under tremendous pressure to adopt the latest technologies to stay competitive, improve efficiencies, and drive down costs. In this environment, improved inventory management offers perhaps the most accessible path to reduce overhead and shorten patient turnaround times without compromising the integrity of care.
We’ve all been there. You have somewhere to be but you can’t find your keys. You’re stressed, you’re flustered. You flip through your house in a panic and after 15 minutes you find the keys and you’re on your way. But you’re already upset. You’re late, you made a mess, and now you’re distracted as you apply yourself to the task at hand.
Now imagine that you have 12,203 keys and they all fit to different locks. And you’re not just trying to remember where you left the one you need, but you need to know where any one of your 300 colleagues may have left it. In a nutshell, that’s the inventory management challenge facing hospitals.
Tracking systems are used, but they are often rudimentary and rely on manual data entry and updates to remain accurate. Others are too complicated for their own good. Asset tagging (using bar codes or RFID tags, for example) is useful but cumbersome. Clinicians, or the IT team, are left to turn equipment upside down to find model numbers or struggle to read serial numbers written in 3-point text, meaning a manually maintained inventory is often outdated.
When hospital equipment is misplaced or its whereabouts are not precisely known, hospital operations slow. What’s more, the stress associated with tracking down devices can spill into other aspects of the operation and potentially disrupt or otherwise adversely affect care.
To alleviate these pain points, hospitals rely on a simple solution. Maintain excess supplies so that they don’t need to be managed quite as tightly. The problem with this solution is 1) it’s expensive, 2) you create a lax culture of oversight and accountability that will ultimately hinder your operation, and 3) you begin to lose sight of your actual needs, making smart strategic planning even more difficult.
Being able to quickly identify where a given piece of equipment is when its needed allows to reduce your overall inventory requirements and increase efficiency. At the same time, knowing what new requisitions are needed and what aren’t is critical to a smart, business-improving decision-making process. It’s also essential to a well designed and managed supply chain.
In the 1960s, Toyota pioneered improved inventory management methods as the foundation of its Just-In-Time manufacturing model. In other words, they put highly accurate inventory management at the center of their strategic planning process.
The move paid off big time. The company produced historical profits and kicked off an evolution in business management practices that has reshaped the global economy.
More recently, Amazon set new standards first for internet and then for general retail success thanks to peak inventory management. At the turn of the millennium, Amazon built its online book-selling empire through a unique business model that more directly paired supply to demand. This removed a great deal of the holding costs and many of the inefficiencies associated with demand anticipation guess work.
Later, when the company branched out to sell a much wider range of products, they built their own innovative inventory management system and were among the earliest adopters of automated retrieval robots in their order fulfillment centers.
The result? Amazon is today the largest company in the world in terms of market capitalization – thanks in very large part to its strategic attention to inventory management.
Of course, neither Toyota nor Amazon are hospitals (though Amazon is making a much talked about move into the healthcare space), but they are brands that most members of your board will respect and whose proven strategies they’ll be eager to emulate — making inventory management an ideal place for you to plant your cybersecurity flag.
A firm grasp of medical device and clinical asset inventory management will inform on maintenance and security patching schedules — ensuring that servicing occurs before problems arise. Equipment utilization will improve, and money will no longer be wasted on excess inventory. Vulnerable or ineffectual equipment will be quickly identified, pulled from operational circulation, and repaired or decommissioned. This will, in turn, increase process efficiencies, limit liabilities, and reduce energy spend. It will also give you greater insight into what tools your staff leans on, to what extent, and when. Information that speaks directly to strategic planning.
Because of this, there's a trend towards using connectivity to provide device data which, when combined with analytics, can pinpoint problems. Leading medical network security solutions are more comprehensive and accurate than most incumbent medical inventory management systems.
Monitoring data flows improves server provisioning
The volume of data collected by hospitals has grown exponentially with the use of electronic patient records and real-time data from medical devices and, as a natural consequence, the amount of services and storage needed has had to keep pace. While the cost per gigabyte of raw storage continues to fall, organizations still battle with high operational costs and security & compliance requirements, and the CISO needs to show they have a hand on the current situation and a plan to resolve specific problems.
Server provisioning is fast becoming a consideration and often a challenge that enterprise organizations need to plan for. Hospitals are no exception. The networks that cybersecurity solutions monitor can also provide improved visibility into the server-based data centers through which those networks run. When we talk about improved network visibility, we’re talking about gaining better insights into node, workflow, service, application, and endpoint interactions. That information isn’t only relevant from a security perspective, but can be used for resource allocation mapping and planning. A good security solution will also deliver improved server load visibility.
Network monitoring and traffic analysis data makes it easier to understand and predictively model your data requirements. Are you are under-loaded relative to server capacity? Are you likely to be overloaded under high demand conditions? This information gives you more foresight and more flexibility when negotiating the terms of your server provisioning.
Decision makers may suddenly find themselves armed with the data needed to make the move to a hybrid computing model, for example — saving money and improving resiliency with contracted elasticity. A hospital could even conceivably introduce new revenue streams, selling excess capacity through multi-tenancy arrangements.
Either way, the point is that better data flow visibility can translate directly to actionable and monetizable business insights.
Smart cybersecurity tools allows healthcare organizations to demonstrate compliance, on demand and without hassle
Cybersecurity regulations in the healthcare sector are tough and likely to get tougher. Aside from HIPAA and the closely related HITECH regulations, there’s also FDA requirements to consider. The FDA regulates medical devices, imposing general safety and effectiveness standards, with particular attention paid to heavier duty equipment, such as MRI or X-ray machines.
Within these regulations, there is a class system. Most medical equipment falls under Class I designation for compliance and regulation — requiring general standards of upkeep. For Class II or Class III designated devices, however, these standards become much stricter, more involved and more financially cumbersome, without some sort of automated cybersecurity assurance in place. If equipment breaks, malfunctions, or is otherwise rendered unreasonably dangerous, a hospital can face serious fines and other penalties from the FDA.
In a similar vein, with connected infrastructure vulnerabilities in mind, the Joint Commission and the Centers for Medicare and Medicaid Services (CMS) have also moved to require much higher levels of medical device monitoring and maintenance.
And oversight is likely only to get more intense. There is legislation is moving through the US House of Representatives that, if adopted, would require recommendations (such as increasing the security and resilience of medical devices) made by the Health Care Industry Cybersecurity Task Force last year.
Worryingly for the CISO and the Board, a breach of HIPAA regulations could result in fines ranging from $100 to $50,000 with a maximum penalty of $1.5 million per year for each violation. And for anyone who thinks fines are an idle threat, think again: several healthcare providers have been fined more than $2 million, and the highest fine (so far) has been a stellar $16 million.
Somewhat ironically, adhering to the strictures of a given regulation isn’t the tricky part of compliance. That distinction belongs to the process of demonstration. To make regulations enforceable, there need to be penalties for non-compliance. But with anything complex, it’s neither quick nor easy to tell with certainty if compliance was met, and you’ll understand if regulators are reluctant to simply take your word for it. Instead, there’s an auditing process.
Just like if you were audited by the IRS, the speed and ease of the process depends in large part on your bookkeeping. If you keep clear and comprehensive records, you can simply hand them over and wipe your hands of it. If you were lax in your record keeping, you’re going to be in for a world of pain retroactively reconstructing a granular account of your financial dealings.
The same principle holds for pretty much all compliance requirements. An applicable monitoring and management solution puts the proof in the pudding and makes compliance demonstration simple, without adding any costs. From the console of any decent networked medical device security solution, for example, you can produce an organized audit trail for compliance, inventory management, and incident response purposes in just a few clicks.
Some best-in-class solutions even integrate with high-end compliance tools to streamline the process, enhance insights, and optimize outcomes. CyberMDX’s solution, for example, can be plugged into Clearwater Compliance’s IRM | Analysis™ algorithms to facilitate an OCR-quality Security Risk Analysis on the medical devices, as well as to implement and document remediation actions.
It’s worth noting that regulations can be a messy business, and complying with some may jeopardize others in unexpected ways. The Office of the National Coordinator for Health Information Technology (ONC), for example, is pushing a nationwide interoperability structure. In an effort to comply with such interoperability requirements, information is frequently exchanged between teams through publicly accessible media, like internet forums. Since the cyber sensitivity of parts of the information is not readily apparent to non-security professionals, it’s often shared without the necessary redaction. This can bear significant and detrimental impact on your security posture, organization-wide. In fact, it was precisely this type of compliance-minded information sharing that led CyberMDX to discover a major medical device vulnerability in August 2018 – potentially compromising HIPAA compliance in the process.
The good news is that following cybersecurity best practices and using devoted tooling where appropriate will prevent common violations and demonstrate compliance with ease – meaning the CISO needs to spell out how their strategic plan addresses the regulations.
The hospital strategic planning process ensures the hospital has well-defined goals and a comprehensive plan for achieving them. The CIO and CISO need to work collaboratively to make sure technology supports those goals, that cyberthreats do not derail them, and that along with patient care, the business side of the organization remains front and center throughout. CISOs have a much better chance of furthering their micro agendas by presenting a macro case rooted in business of cybersecurity investments.
In the high stakes, high pressure, cost-conscious hospital board room, it is not enough to talk about technology that identifies a security problem. You need to be able to solve that problem, from discovery and detection to risk assessment and prevention, while also adding business value to other aspects of the operation. In this regard, strong arguments can be made for cyber fortification by attending to the appreciable benefits delivered by improved inventory management, smarter server provisioning, and easier compliance demonstration.
It should be understood that this is a business imperative as much as a security imperative. With comprehensive network visibility at your disposal, increased efficiencies, and improved outcomes are inevitable. But you certainly won’t be faulted for helping others to see what you already know to be the case.