Logicalis recently sent out 10 Security Questions Every CIO Must Be Able to Answer. Here’s their list:
- If you knew that your company was going to be breached tomorrow, what would you do differently today?
- Has your company ever been breached? How do you know?
- What assets am I protecting, what am I protecting them from (e.g., theft, destruction, compromise), and who am I protecting them from (e.g., cybercriminals or even insiders)?
- What damage will we sustain if we are breached (e.g., financial loss, reputation, regulatory fines, loss of competitive advantage)?
- Have you moved beyond an “inside vs. outside” perimeter-based approach to information security?
- Does your IT security implementation match your business-centric security policies? Does it rely on written policies, technical controls or both?
- What is your security strategy for IoT (also known as “the Internet of threat”)?
- What is your security strategy for “anywhere, anytime, any device” mobility?
- Do you have an incident response plan in place?
- What is your remediation process? Can you recover lost data and prevent a similar attack from happening again?
Given the sharp rise in hospitals being breached or held for ransom, it's no surprise that this is one of the hottest topics in healthcare. No doubt many a hospital CIO has had sleepless nights thanks to these challenges. If you're a CIO who has been sleeping well at night, I'm afraid for your organization.
The good news is that I think most healthcare organizations are taking these threats seriously. Many would now be able to answer the questions listed above, although I imagine some of those answers need work. Maybe that's the key lesson in all of this: there's no silver bullet. Security is an ongoing process and has to be built into the culture of an organization. There are always new threats, and new software being implemented that needs to be protected.
With that said, health IT leaders sometimes need to shake things up in their organization too. A culture of security is an incredible starting point. However, nothing focuses an organization more than an actual breach. The hyper-focus that follows is incredible to watch. If I were a health IT leader, I'd consider staging a mock breach (a tabletop exercise or an authorized red-team engagement) and seeing what happens. It will likely open your eyes to some poor processes and some vulnerabilities you'd missed.