It starts with one exception. Maybe the head of cardiology doesn’t want to do an update for fear the system will go down. Then comes another and another until the line between exception and rule starts to blur – or in some cases, disappears completely.
It may sound alarmist, but for healthcare information and security leaders, it’s a harsh reality that must be faced. “We have a system of exceptions,” said Intraprise Health CEO George Pappas, one in which the CISO “has accountability without full authority.”
And as third-party vendors and remote solutions continue to populate the environment, it’s getting more difficult for leaders to protect data, and more importantly, patients. During a recent Keynote, Pappas and his colleague, Scott Mattila (COO, Intraprise) spoke with Miroslav Belote (CISO, Valley Health System) about how organizations can approach risk management in a more effective manner.
When Belote arrived at Valley Health System in March 2019, risk assessments were already part of the strategy. The problem was that the questionnaires being used focused heavily on vendors’ assessments of their technology architecture, connectivity, and related security controls. “As our program matured, we found gaps,” he said, “not so much from the product or connectivity perspective,” but in terms of vendors’ security posture and policies.
Another gap was in cybersecurity scoring, which his team found to be subjective. “There were very often vague answers to questions – we couldn’t dig in,” he noted, and instead had to exchange documents back and forth, which proved to be resource-intensive and time-consuming.
The remedy to that, according to Mattila, is developing an integrated risk management system that “brings all of the components together.” As he put it: “I’ve got third party risk, I’ve got my assessments that I am doing, and I’ve got vulnerabilities – how am I going to manage and control that?”
Through its BluePrint Protect platform, Intraprise aims to improve overall security by providing a single view of risks and automating manual processes to scale management.
It offers a way, according to Mattila, to “correlate that information and say, ‘this is how I need to best present this to my leadership team. These are what I need to triage.’ And being able to identify that even down to a systematic level,” he said. “That’s the genesis of integrated risk management. Taking in those components and being able to visualize it is really what enables CISOs and their security teams to do that.”
Another key piece of Protect is helping organizations align their cybersecurity posture with frameworks like HITRUST and NIST and certifications like SOC 2. Those frameworks, however, are not a panacea, noted Mattila, as most tend to provide a snapshot in time, rather than an updated view, and tend to rely on standard questionnaires.
Intraprise, on the other hand, leverages targeted assessments to determine the key areas of need and devise a plan going forward, he said. “We have different controls in place. You have to take a lot of those factors into account and say, ‘here’s a baseline of things we need to know before we bring you in.’”
As part of Intraprise’s process, customers like Valley receive a customized, pared-down preassessment questionnaire that is incorporated into the automated platform early in the buying process, providing them with leverage when signing a contract. Those questions, according to Belote, can signal whether a more in-depth assessment is needed, while also determining the risk level. “It can tell us if the risk is small, or if it’s so high that we can’t move forward.”
And while HITRUST may have some limitations, it is still beneficial as a measuring stick, according to Pappas. It’s important to note, however, that the certification applies to a system, rather than a company. “That’s where having mapping inside the product is important,” he said. “You want to be able to reuse that information where possible, and understand the provenance of the third-party vendor, because that’s going to have some impact on their overall security posture.”
For example, if a report finds that IV pumps provided by a third party are connected to the network as IoT devices, security teams need to be equipped to flag it and ensure the proper controls are in place.
All of this, of course, requires a level of trust in cybersecurity teams and the efforts they’re leading. “It’s all about protecting data,” said Mattila. “That’s what we’re all here to do. It’s a shared vision – it’s not just security and IT.”
It starts with changing the perception that many operational users have of security, according to Belote. “Typically, operational users view security as a roadblock; that’s not our intent. We want to protect the organization,” he noted. “That level of education and that message needs to come from senior leadership.”
When operational decision makers are forced to understand and accept the risks associated with exceptions, they’re more likely to “slow down and rethink it,” he said. And if a physician or department head still wants to go ahead with a product, it needs to be presented to the COO, CIO, legal, and other stakeholders. “We want to do business the right way. We want to care for patients in the right manner. You need to take that risk and explain it to us and own it.”
Without that sign-off, no purchase orders should make it through, Belote stated. And although doing so involves a great deal of rigor, it has become critical in risk management. “We have to educate our operational staff to follow the process, which isn’t easy,” he added. “Everybody has their toys and their wish lists, and they’ll say, ‘this is the best thing since sliced bread.’ We have to monitor it, no matter what. We need to put some reins around that and some guardrails.”
Because the risks, Pappas noted, will always be there. “We talk about it being third-party risk management, but a lot of it is just risk. There’s risk with new buildings or new software vendors. There’s risk with everything.”