How can healthcare organizations ensure compliance and security in the face of increasing cybersecurity challenges?
In a recent Tripwire Tuesday event, a Tripwire customer shared some insights about how healthcare organizations can implement basic security hygiene – foundational controls – to mitigate risks and vulnerabilities in their environment.
Influence organizational culture
Healthcare organizations typically lag behind other industries in implementing cybersecurity controls. However, because healthcare organizations care about patient safety, we can influence the organizational culture by embedding information security into the fabric of patient care. By connecting the dots between information security and patient safety, we can extend accountability beyond the infosec group alone and enlist the entire organization to act as an information security team. This is far more effective than relying on a handful of dedicated resources.
Influencing the organizational culture can be accomplished by increasing awareness through education and ingraining this learning through practice. Additionally, collaborate with business units to find out what they care about and communicate how infosec contributes to the goals of the business units.
Deploy foundational controls
Rather than focusing on the most expensive or complex solution, focus on implementing basic security hygiene – foundational controls. Start from an established security framework: take a baseline framework and adapt it to your organization. Don’t be distracted by the buzzwords; focus on foundational controls. The biggest attacks in 2017 were not due to specialized attacks but to lapses in basic configuration and basic security hygiene. There is no silver bullet and no single vendor that can solve all your problems. It’s about defense-in-depth: multiple solutions working together to improve your security posture.
Focus on reducing risk
Because there is no such thing as zero risk, detect malicious activity early and isolate the affected environment to prevent spread to other areas of the organization. Even fully air-gapped solutions still carry risk, since the maintenance window offers a window of opportunity. This can be mitigated by gaining visibility into the types of assets your organization has and focusing on remediating the vulnerabilities that are pertinent to them. Leverage global and industry knowledge to better understand the threats and vulnerabilities in your organization.
For example, leverage the CIS controls and take an inventory of authorized and unauthorized hardware and software to understand your footprint and the associated risks. Learn how Tripwire provides coverage for 14 of the top 20 CIS Critical Security Controls.
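The inventory step above (CIS Controls 1 and 2) comes down to reconciling what discovery actually finds against what the organization has authorized. The following is an added example, not Tripwire code or anything from the original event; the CMDB contents, the discovery CSV and the host names are all constructed for illustration. It flags unknown hardware, software that is not on the approved list, and approved software running at a version outside policy.

```python
import csv
import io

# Constructed "authorized" inventory, as a CMDB would hold it:
# MAC address -> expected hostname, and software -> set of approved versions.
AUTHORIZED_HARDWARE = {
    "00:11:22:33:44:01": "ward-ws-01",
    "00:11:22:33:44:02": "pharmacy-ws-02",
}
AUTHORIZED_SOFTWARE = {
    "EHR Client": {"12.4", "12.5"},
    "PDF Reader": {"9.1"},
}

# Constructed discovery output (what an agent or network scan might export).
DISCOVERED_CSV = """mac,hostname,software,version
00:11:22:33:44:01,ward-ws-01,EHR Client,12.5
00:11:22:33:44:01,ward-ws-01,PDF Reader,8.0
00:11:22:33:44:02,pharmacy-ws-02,EHR Client,12.4
00:11:22:33:44:02,pharmacy-ws-02,Remote Desktop Tool,3.2
00:11:22:33:44:99,unknown-laptop,EHR Client,12.5
"""


def reconcile(discovered_csv, authorized_hardware, authorized_software):
    """Compare discovered assets with the authorized inventory.

    Returns a dict of findings:
      unauthorized_hardware   - (mac, hostname) pairs not in the CMDB
      unauthorized_software   - (hostname, software) not on the approved list
      out_of_policy_version   - (hostname, software, version) where the product
                                is approved but the version is not
    """
    findings = {
        "unauthorized_hardware": set(),
        "unauthorized_software": [],
        "out_of_policy_version": [],
    }
    for row in csv.DictReader(io.StringIO(discovered_csv)):
        mac, host = row["mac"], row["hostname"]
        if mac not in authorized_hardware:
            findings["unauthorized_hardware"].add((mac, host))

        allowed_versions = authorized_software.get(row["software"])
        if allowed_versions is None:
            findings["unauthorized_software"].append((host, row["software"]))
        elif row["version"] not in allowed_versions:
            findings["out_of_policy_version"].append(
                (host, row["software"], row["version"])
            )

    # A host is reported once even if several software rows came from it.
    findings["unauthorized_hardware"] = sorted(findings["unauthorized_hardware"])
    return findings


def demo():
    """Run the reconciliation on the constructed data."""
    return reconcile(DISCOVERED_CSV, AUTHORIZED_HARDWARE, AUTHORIZED_SOFTWARE)


if __name__ == "__main__":
    for category, items in demo().items():
        print(category)
        for item in items:
            print("  ", item)
```

Each finding maps to a concrete action: unknown hardware is investigated or quarantined, unapproved software is removed or formally approved, and out-of-policy versions are fed into patching. Keying hardware on MAC address rather than hostname is deliberate, since a hostname can be chosen freely by whoever plugs the device in.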
Tripwire Enterprise can also be used for compliance with various standards and to provide baseline security hardening against standards like HIPAA and PCI. Use these standards as a starting point, but as a best practice, customize them to your environment; Tripwire Enterprise lets you create custom baselines that you can scan against.
Target long-term impact
Don’t just buy a solution to fix a face-value problem or to satisfy a short-term need. Use it to address the root cause. To drive long-term impact, assess how Tripwire’s suite of vulnerability management, file integrity monitoring, system hardening, and asset discovery solutions can fit into your process, provide value for other business units, and help you achieve your long-term infosec goals. For example, Tripwire Enterprise can be used for Active Directory monitoring to know when changes are made, and it integrates with ITSM tools to provide traceability and history.
Expand and use the capabilities of file integrity monitoring for other business users such as executives and administrators to give them a sense of security that their files are protected from unauthorized changes. For example, Finance might have a file to which it wants to prevent unauthorized access and changes. You could use Tripwire’s FIM capabilities to target that file and ensure that no unauthorized changes are made. This is an example of how you can extend the value of infosec tools to other business units.
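The Finance scenario above is the classic file integrity monitoring case: record a trusted baseline of the files, then compare the live state against it and report anything that differs. The block below is an added illustration of that mechanism, not Tripwire’s implementation; the directory, file names and tampering steps are constructed inside a temporary folder so it runs offline. It records a SHA-256 digest, size and permission bits per file, persists the baseline as JSON (as a real tool would), and classifies changes as added, removed, modified or permission-changed.

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path


def file_fingerprint(path):
    """Attributes the baseline records for one file: content hash, size, mode bits."""
    st = os.lstat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return {
        "sha256": digest.hexdigest(),
        "size": st.st_size,
        "mode": stat.S_IMODE(st.st_mode),
    }


def build_baseline(root):
    """Fingerprint every regular file under root, keyed by path relative to root."""
    root = Path(root)
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = file_fingerprint(p)
    return baseline


def compare(baseline, current):
    """Classify differences between a stored baseline and a fresh scan."""
    report = {"added": [], "removed": [], "modified": [], "mode_changed": []}
    for rel in sorted(set(baseline) | set(current)):
        if rel not in baseline:
            report["added"].append(rel)
        elif rel not in current:
            report["removed"].append(rel)
        else:
            before, after = baseline[rel], current[rel]
            if before["sha256"] != after["sha256"]:
                report["modified"].append(rel)
            if before["mode"] != after["mode"]:
                report["mode_changed"].append(rel)
    return report


def demo():
    """Constructed scenario: baseline a Finance folder, then tamper with it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "budget.xlsx").write_bytes(b"Q3 budget v1")
        (root / "payroll.csv").write_bytes(b"alice,5000\n")
        (root / "readme.txt").write_text("approved")
        os.chmod(root / "payroll.csv", 0o600)  # restricted, as policy requires

        # Take the trusted baseline and round-trip it through JSON, the way
        # a monitoring agent would store it on disk.
        stored = json.dumps(build_baseline(root))
        baseline = json.loads(stored)

        # Changes that an unauthorized actor (or a careless admin) might make.
        (root / "budget.xlsx").write_bytes(b"Q3 budget v1 - edited")   # content edit
        (root / "readme.txt").unlink()                                 # deletion
        (root / "new_macro.bin").write_bytes(b"\x00unexpected")        # new file
        os.chmod(root / "payroll.csv", 0o644)                          # loosened perms

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two design points carry over to production FIM: the baseline must be stored somewhere the monitored system cannot rewrite it, otherwise an attacker who alters a file can simply re-baseline, and permission changes are tracked separately from content changes because a file whose bytes are untouched but whose mode went from 0600 to 0644 is still a policy violation worth an alert.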