This Week Health
February 20, 2025

"We Can't Let the Firehouse Burn Down": Intermountain's Matt Christensen Offers Cybersecurity Guidance

One of the worst things that can happen, according to Matt Christensen, is for a firehouse to burn down. And yet, that very scenario can unfold if the right steps aren’t taken, he said. During a conversation with Drex DeFord, he cited a structure fire that resulted in millions of dollars’ worth of damage because there wasn’t an effective alarm system in place.

It’s the same behavior that can put health systems in danger when it comes to investing in cybersecurity measures, noted Christensen, who serves as Senior Director of Cybersecurity at Intermountain Health.

“In cybersecurity, we can’t let the firehouse burn down. It has to be programmatically sound,” he said. “There are non-negotiables that you have to build into a program. Otherwise, you’re going to have incidents.”

That “sound” strategy requires several elements, and while data protection tools are critical, they’re just part of the picture, said Christensen. In an Unhack the Podcast interview, he broke down the most important components of a successful cybersecurity strategy.

Systemic risk

First and foremost, the focus needs to be on systemic risk, rather than individual vulnerabilities or vendors, particularly given the increasing reliance on third parties – and the dangers that poses to data security. 

“Our world was broken open last February,” he said of the Change Healthcare breach that rocked the industry. “We all saw the downstream effect.”

It’s precisely why organizations like the HSCC Cybersecurity Working Group (in which he participates, along with Intermountain CISO Erik Decker) are “honing in on the ecosystem” of care delivery, rather than trying to protect one vendor. 

It represents a major shift in thinking, Christensen said. “It’s going to upend the way organizations, specifically in healthcare, approach risk management.”

Revamped training

Another change that’s needed? More emphasis on the human element of cybersecurity, which he believes is often overlooked. “It blows my mind that asset number one – which is you and me – doesn’t get the level of attention commensurate with the risk.” 

Despite the fact that 90 percent of breaches “start with breaking a human,” most frameworks prioritize inventories of systems and applications, he said. “The bad guys know this – that’s why they’re successful.”

Cybersecurity leaders, however, have an opportunity to gain some ground in the battle by improving their training tactics, said Christensen. One way is by eliminating repetitive content, which may prompt users to gloss over crucial information. “We’ve seen it so many times,” he said, particularly among those required to do quarterly training. “It becomes, ‘how quickly can I click through this without getting in trouble?’”

Behavior over metrics

Another way is to simplify the content. For example, “the average employee probably doesn’t even understand the term ‘social engineering.’ And so, if you blast your content filled with these technical terms, it’s going to go right over them,” he said. On the other hand, “if you can break it down into, ‘this is how a helpdesk call can go wrong and how it can impact the service that you provide,’ then you’ve got their attention.”

It’s also important to ensure training is having the desired effect. Doing so, however, doesn’t have to involve metrics, according to Christensen, who prefers to measure changes in behavior. “I want to see what good behaviors people are doing more – or should be doing more, and what bad behaviors they’re doing less. That, to me, is a far more effective way of actually measuring progress.”

Speak the language

Of course, all of this requires an investment, which means cybersecurity leaders need to feel comfortable communicating with senior executives – something that may not come naturally to everyone. Christensen’s advice? Don’t rely on data; make it relevant and relatable.

“The easiest way to garner the support from a board member is to speak their language,” he said, encouraging leaders to start by identifying a system that’s core to the business, then running through scenarios if it were to go down for a prolonged period of time. “How are you going to run the business? What does it mean if we have to completely rebuild? How do you continue to deliver care, versus having to divert?” 

The ability to speak at that level – not just theoretically, but about how to execute plans in a way that doesn’t impact patient care – has become a critical piece in keeping data safe.

And keeping the firehouse from burning down.
