How to Be Proactive About Operational Resilience and Incident Response

At the recent 2024 HIMSS Global Health Conference & Exhibition, held in mid-March, Access Point Consulting CEO Geoff Hancock moderated a panel titled, "How to Be Proactive About Operational Resilience and Incident Response." Joined on the panel by Jeff Ulanet, CFO and CTO of Atlas Health; and Rick Leib, CISO, Client Services of Access Point Consulting, Hancock led a discussion that centered on why resilience is such a critical quality in the cybersecurity and business continuity practices of a healthcare organization, and how practitioners can design programs and work with executive management to achieve the necessary resilience.

Hancock began the discussion by setting the stage -- cyber attacks and intrusions are on a growth trajectory, becoming more numerous and more severe. For healthcare organizations the grim reality is that an intruder will, at some point, succeed in penetrating the perimeter. At that point, the emphasis shifts to surviving the attack, minimizing its damage, and responding to it -- to being a resilient organization.

The Look of Resilience

Leib began by describing what a resilient organization does -- quickly recognizing that an intrusion has occurred and responding to the incident with actions that are carefully developed and rigorously rehearsed. Being effective, he said, requires thinking beyond the usual limits of cybersecurity. "It goes beyond simple cybersecurity measures -- goes beyond firewalls, goes beyond access controls. It goes much deeper into actually understanding your assets and your business impact analyses," he explained.

Given that definition, Hancock asked, how should companies go about making themselves resilient? Leib began by talking about performing a gap analysis: looking at the difference between the actions, procedures, and technologies that regulations require and those that the organization has actually deployed. It is, Leib said, critical for companies to be in regulatory compliance. Getting into compliance, he noted, can help an organization understand the assets (both infrastructure and data) that it has in place, and which of those assets require protection.

Coming into compliance, Leib explained, involves having a plan to respond to attacks on critical and important assets, and that plan will require the approval and involvement of the C-suite. Executive approval is required because of the investment in time and money required to put the plan into action. And executive involvement is required because the response will necessarily go beyond the organizational limits of any single department or workgroup -- it will require a culture of resilience that spreads across the entire organization.

Ulanet added that, in healthcare, many questions about data security and resilience are coming from customers who want to know that their very sensitive data has been protected from loss and that the healthcare organization has protected itself from interruptions to clinical care. And these customers don't simply want reassuring words -- they want evidence that the organization has demonstrated its programs for resilience.

Protecting Intelligence

One of the new areas of concern is the security and reliability of data used to train AI models. Ulanet explained the nature, and scale, of the issue. "We've seen examples of ML and AI that's been manipulated to produce a false outcome," he said. "Imaging is an example of things that never took place in the real world but took place inside a machine. Just extrapolate that to a clinical outcome and you can see the danger that's apparent." Complicating the issue is that, "…the danger could be from within, cultural bias or some other form of bias, or it could come from the outside, the data source itself, or the way the ingestion point of that data works. It's a much more complex vector than I think we've ever faced."

Hancock pointed out that a framework for ensuring data integrity has existed for years, developed by NIST at the behest of a national cybersecurity directive. There has been, however, a huge gulf between having a framework available for use and having a framework that is actually put to use by healthcare organizations. These companies must, he explained, treat their data and their incident response plans and procedures the way that resilience plans for national critical infrastructure should be treated.

Among the important components of those plans, Leib said, are the anomaly detection products and processes that now must extend beyond the traditional network scope to include cloud applications and infrastructure. Both the scope of the problem and its importance have increased as organizations depend on the cloud for more and more tasks.

Experience Matters

The discussion ultimately found its way to the need for experienced managers to guide the development of resilience plans. Such experienced CISOs can be difficult to find and to afford, especially for smaller or younger organizations. The three participants agreed that the "V-CISO", or virtual CISO engaged from a consulting firm, can be a very good solution for smaller organizations that can't afford a full-time, permanent CISO. Even when someone already holds the CISO role, they noted, a V-CISO can coach and mentor the organization's CISO while that person grows into the role.

There is no question, though, that an effective resilience plan is an expense for the organization, sometimes a substantial one. The right comparison is not the cost of the program against the cost of not investing; it is the cost of the resilience program against the cost to the organization of a cybersecurity (or data integrity) incident with no resilience program in place. In that light, resilience is considerably less costly.
