The Health Information Trust Alliance (HITRUST) has completed a three-month review of its approach to cyber risk management for the healthcare industry. The effort was focused on understanding the challenges of healthcare organizations across varying levels of information protection maturity.
The review also set out to identify approaches and solutions that mitigate and defend against cyber threats effectively and practically. The analysis uncovered a constant theme: today’s approach to cybersecurity is predominantly reactive and, for the vast majority of organizations, inefficient and labor-intensive.
The analysis also showed that, although organizations increasingly consume threat indicators and other threat intelligence, they do so without understanding its relevance to their own environment. In addition, most organizations still cannot gauge the effectiveness of the information security products they have deployed, especially against emerging cyber threats.
Specific findings from the review include:
- Organizations consistently identified a lack of awareness of emerging cyber threats, especially previously unseen attacks, as a key concern. They almost universally acknowledged having minimal understanding of how those threats affect their current cybersecurity products and the unique applications, systems and devices those products protect. This lack of awareness leads many organizations to rely heavily on indicators of compromise (IOCs) to determine whether a breach or other suspicious activity has already occurred, while simultaneously updating rules and policies to block the same IOCs. Although valuable, this approach is retrospective by nature: an IOC only exists after someone has already been compromised, and blocking it does nothing against the next variant.
- Organizations lack understanding of how effective the multitude of products deployed in their environments actually are, and lack the ability to communicate that effectiveness, especially to senior management, against the probable cyber threat landscape.
The review concluded that enabling a better understanding of the emerging threat landscape, and of its impact on organization-specific cybersecurity defenses, requires a new approach and new tools. This fundamental shift calls for a more proactive model in which organizations have real-time situational awareness of, or insight into, emerging cyber threats.
The shift also requires the ability to understand the impact of emerging threats on an organization’s specific environment, including layered information security products deployed with custom configurations, as well as industry-specific applications such as electronic health records (EHRs).
This approach lets organizations assess which cyber threats are relevant to their unique environment, down to the application and system level, so they can direct their resources at the one-to-two percent of cyber threats that actually apply to them rather than chasing the 98 percent that do not.
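The relevance filtering described above, as an added illustration that is not HITRUST's tooling or part of the original release: a threat feed entry is matched against an asset inventory (product and version) and against the controls actually deployed on each asset, and is flagged as relevant only when an affected asset exists and no deployed control mitigates the technique. The asset names, product names, version ranges and control types below are all constructed for the example, and the code assumes that a deployed control of a mitigating type is configured to block the technique in question.

```python
"""Threat relevance triage against an organization-specific inventory.

Constructed example: assets, controls and threat entries are invented
for illustration and do not describe any real product or advisory.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


def parse_version(s: str) -> Tuple[int, ...]:
    """'9.1.2' -> (9, 1, 2); Python tuples compare component-wise."""
    return tuple(int(p) for p in s.split("."))


@dataclass(frozen=True)
class Asset:
    name: str
    product: str
    version: str
    controls: frozenset  # control types actually deployed for this asset


@dataclass(frozen=True)
class Threat:
    threat_id: str
    product: str
    affected_from: str    # inclusive lower bound of affected versions
    affected_to: str      # inclusive upper bound of affected versions
    mitigated_by: frozenset  # control types that stop the technique


def is_affected(asset: Asset, threat: Threat) -> bool:
    """True when the asset runs an affected product version."""
    if asset.product != threat.product:
        return False
    v = parse_version(asset.version)
    return parse_version(threat.affected_from) <= v <= parse_version(threat.affected_to)


def is_mitigated(asset: Asset, threat: Threat) -> bool:
    # Assumption: a deployed control of a mitigating type is configured to block.
    return bool(asset.controls & threat.mitigated_by)


def classify(assets: Iterable[Asset], threats: Iterable[Threat]) -> Dict[str, Tuple[str, List[str]]]:
    """Map each threat id to (status, asset names).

    status is 'exposed' (affected asset with no mitigating control),
    'mitigated' (affected assets exist but every one is covered), or
    'not-applicable' (no asset runs an affected product/version).
    The status is what you report to management; the asset list is
    what the operations team acts on.
    """
    assets = list(assets)
    result = {}
    for t in threats:
        affected = [a for a in assets if is_affected(a, t)]
        exposed = [a.name for a in affected if not is_mitigated(a, t)]
        if exposed:
            result[t.threat_id] = ("exposed", exposed)
        elif affected:
            result[t.threat_id] = ("mitigated", [a.name for a in affected])
        else:
            result[t.threat_id] = ("not-applicable", [])
    return result


def relevant_threats(assets: Iterable[Asset], threats: Iterable[Threat]) -> Dict[str, List[str]]:
    """Only the threats that need action: the small slice worth chasing."""
    return {tid: names for tid, (status, names) in classify(assets, threats).items()
            if status == "exposed"}


# Constructed inventory: an EHR application server, its database, and a workstation.
ASSETS = [
    Asset("ehr-prod-01", "ehr-suite", "9.1.2", frozenset({"waf"})),
    Asset("ehr-db-01", "pgsql", "12.3", frozenset({"network-segmentation"})),
    Asset("ws-0042", "office-client", "2016", frozenset({"edr"})),
]

# Constructed threat feed: five entries, of which only one should survive triage.
THREATS = [
    Threat("T-1", "ehr-suite", "9.0", "9.2", frozenset()),                    # exposed
    Threat("T-2", "pgsql", "13.0", "13.5", frozenset()),                      # wrong version
    Threat("T-3", "office-client", "2013", "2019", frozenset({"edr"})),       # covered by EDR
    Threat("T-4", "legacy-pacs", "1.0", "2.0", frozenset()),                  # product not deployed
    Threat("T-5", "ehr-suite", "8.0", "9.5", frozenset({"waf", "ips"})),      # covered by WAF
]

if __name__ == "__main__":
    for tid, (status, names) in classify(ASSETS, THREATS).items():
        print(f"{tid}: {status} {names}")
    rel = relevant_threats(ASSETS, THREATS)
    print(f"{len(rel)} of {len(THREATS)} feed entries require action: {sorted(rel)}")
```

The discriminating step is `is_mitigated`: without it, T-3 and T-5 would look like work, which is exactly the "chasing threats that don't apply" pattern the review describes. The weak point is the assumption baked into that function, so in practice the control inventory should record whether each control is in blocking mode, and that record should be validated against the product's actual configuration rather than taken from a procurement list.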
“Although we have made good progress in maturing our cyber risk management approach for industry, with significant improvements in information sharing, the real opportunity is to understand the emerging threats and model them against organization-specific defenses, configurations and applications,” said Daniel Nutkis, CEO at HITRUST.