by Colin Konschak
If you’ve been following the past four blogs on the Hacking Healthcare 2015 conference, then you’re probably feeling completely overwhelmed (not to mention not sleeping). Where do you start? How can you possibly address the plethora of threats that cybersecurity guru John Gomez, president of the cyber-security consulting firm Sensato, outlined?
Take a breath. You need to develop a risk management strategy. This means focusing your greatest efforts on high-value targets. You still, however, need to make sure you’ve done the basics, locking the front door with a strong firewall, monitoring, and password protections.
At the heart of risk management is creating the final “stand down” mentality. Look for the critical data that, if breached, could kill your company. This might be patient records (at a cost $192 per patient record, a breach of 80 million records like Anthem experienced would destroy a smaller company); access to devices throughout your hospital; or the ability to shut down the entire system through a cyber-attack.
Doing this requires taking an outside-in approach, says Gomez. That means thinking like an attacker. Focus on the three types of attackers described earlier: cyber-terrorists, cyber-criminals, and cyber-spies. And don’t forget your own employees!
Figure out what high-value targets each of these attackers would be interested in, then rank the threats by seriousness: I, II, and III (the most serious). Next, create a Highest Value Target matrix, like the one shown below. You might find that what you thought was a Level I is actually a Level II or III.
HVT Matrix
Now focus on hardening security around your Level III targets.
This takes money and time. That means convincing the C-suite and board that it’s worth it. To do that, says Gomez, couch the threat in terms of the monetary impact, as well as the impact on the company’s reputation. “Then management has nowhere to hide because you’ve told them what will happen and what it will cost if they don’t fund you,” he said.
