Digital transformations require strategies for unique cyber vulnerabilities
Visiting Nurse Services of New York has been pursuing a technology overhaul as it migrates to the cloud to support an expanding array of care delivery services.
As it modernizes its IT infrastructure to enable a shift from traditional home healthcare to a data-driven future state, it has also reimagined how it can better serve healthcare providers and patients with new managed service offerings.
But with that fundamental digital transformation come challenges, not least the need to manage risk – cybersecurity risks, in particular – throughout the change process.
"It's important that your security team be involved as soon as the first draft of the design of the new system or solution is created," explained Justin Bain, IT and cybersecurity officer at VNSNY, who will explain more this month in a session at HIMSS22.
"Security architects can bring standard frameworks and best practices and overlay them to the design," he said.
Bain noted that another security professional will need to perform the risk assessment while the solution is being built, resulting in a plan of action and milestones.
"Lastly, after the solution is implemented a post-implementation review or audit should be performed, to ensure the controls are working as expected," he said.
Bain pointed out that trying to assess risk during a change that's already in motion is very difficult, so it's best to get in at the start, understand the risks, and explain them to stakeholders.
"That way, when the time comes to inject a control, it won't be their first time hearing it, and they'll be more susceptible to getting it right the first time around," he noted. "That said, it is not always possible to get in front of the business change; as sometimes security isn't informed until it's already in motion."
He explained that in those cases a good security professional has to exercise what he believes is their most important skill: "Learn Quickly."
This means putting a focus on the biggest threats and pushing for controls to fight them.
"For example, ransomware is the biggest threat to cybersecurity in healthcare, and phishing is the most common attack vector," he said. "If you can tie your recommended risk responses to those threats, you'll likely see the business adopt your controls."
He added that you don't always have to hire more people to do more: if you're already outsourcing a function of IT, ask them whether they have a security add-on.
"If possible, fully assess their security before contracting with a vendor. Then write the remediation plans into the contract – with deadlines – so they are bound to them," said Bain.
"In the cloud, identity is everything, so make sure your controls around identity authentication are strong, but easy for people to use."