Making Cybersecurity Less Spooky With the “Medicines” of Risk Treatment & Peer Review
By Sherri Douville, CEO at Medigram & Eric Svetcov, CTO/CSO at Medigram; cybersecurity advisors and instructors for the Santa Clara University Women’s and Black Corporate Board Readiness Programs
We asked in our LinkedIn poll, pictured below: who is responsible if a clinician clicks on ransomware? Eric wisely corrected us that the apt word in a cybersecurity context is “accountable,” counterintuitive terminology for medical stakeholders, who tend to lean on the term “responsible party.” Obviously the clinician who clicked on the ransomware is responsible for having clicked. The question here is who is accountable for the risk, that is, who is the risk owner, and we address that in this post.
The Medicine of Cybersecurity
Think of risk as a chronic disease, and now you are a care team tasked with treating and managing it. What is the treatment goal? Like all chronic diseases, there can be acute flare-ups, and that is exactly how you should think of cybersecurity incidents. Your treatment goal, therefore, is to establish a mutual care plan that mitigates each acute flare-up of the disease of risk to a mutually acceptable level while also managing the chronic disease itself.
The Peer Review Parallel in Cybersecurity
Everyone who works closely with physician executives knows that peer review is king. It separates truth from opinion. Risk treatment is applied through controls, using the frameworks we outline in chapter 10 of Advanced Health Technology. As a former auditor, Eric champions effective auditing as a critical step toward a valid program. At the same time, the onus is on the CISO to validate the auditor’s reputation for the specific audits in question, both for your own company and for the third parties you work with, to confirm that they are doing the right thing.
Eric’s real answer to the malware poll is that:
“The organization’s leadership is accountable for the effectiveness of the anti-malware program, including training, the user awareness program, the technical solution, configuration, and incident response. The CISO is responsible for carrying out the program that leadership is accountable for. The end users are responsible for taking the risk (the disease) seriously, learning what they need to learn based on training provided by the CISO’s organization, and taking responsibility for not circumventing controls that have been prescribed to treat the risk.”
We had some brilliant reader tips from responses to the poll:
“The key word being catastrophic. As CIOs we architect for human failure. We expect human failure. So we expect a certain percentage of the nurses to click on the bad link. We aim to reduce that every year through education and prevention, but we expect there to be incidents throughout the year. With this as the foundation, my job is to minimize the blast radius of such an event. The rest of my response would be a bunch of NIST recommendations, leveraged as the framework to build out a security foundation. So if the event is catastrophic, the fault lies in IT and Security. If the group is severely underfunded then we can look at CEO, Exec Team and even board.”
— Bill Russell, Former CIO; Managing Editor and Host, This Week Health
“In addition to “bad security” (or lack of), which the CISO and CIO share in, security is a strategic function of any business that connects to, well, anything else, and that strategic function makes it, ultimately, the CEO’s and BoD’s issue. After the general lack of security comes the fraud, deception and lying — that clearly belongs to the one doing it.”
— David Finn, Vice President, Education at AEHIS, AEHIT, AEHIA (Affiliated Professional Groups) of CHIME.
“It’s imperative that the CIO, in partnership with the CISO, create a security environment that limits the possibility of ‘catastrophic consequences’ from clicking a phishing link: Zero Trust, effective MFA, solid encryption, and a thoughtfully configured SIEM all reduce risk.
Just as hospital infection control protocols are designed to reduce widespread (‘catastrophic’) outbreaks, so should cybersecurity controls mitigate the spread and limit the damage of technological ‘infections.’”
— Wayne Sadin, Executive Founding Member, Digital Directors’ Network; BoD/C-Suite IT Advisor, Acceleration Economy
Cybersecurity in medicine doesn’t have to be spooky. You just need to accept that you are dealing with a chronic disease called risk that is subject to acute flare-ups. Your job is to build and maintain a treatment plan for that chronic disease and to mitigate the effects of those inevitable flare-ups. Our best-selling books on Amazon can help you develop and execute your treatment plan.
Mobile Medicine: Overcoming People, Culture, and Governance (1st ed.). Productivity Press. https://www.amazon.com/Mobile-Medicine-Overcoming-Culture-Governance/dp/0367651505/
Advanced Health Technology: Managing Risk While Tackling Barriers to Rapid Acceleration (1st ed.). Productivity Press. https://www.amazon.com/gp/product/1032391480/ref=dbs_a_def_rwt_bibl_vppi_i1