1. The ‘Gig Economy’

Organisations want to try new things and do not want to be bogged down with procedures and policy. However, we must be mindful of integration and support. Get the right contracts in place; secure robust support agreements and software assurance. Do not become dependent on a third-party application. We all know of solutions with security flaws whose vendors have no appetite to fix them. Finally, be prepared to forgo the usual third-party assessments for these smaller firms. Streamline the process, and document the exceptions!
2. Digital Transformation

The right digital plan must be established. It must be designed with a care plan/business strategy at its heart and underpinned by robust architectural designs and operational basics. Base your security strategy around this, and you will not go far wrong. (It also makes asking for investment far easier!)
3. Data, Data, Data

If you cannot extract data from a solution to demonstrate value and outcomes, why bother with it? And critically, look for a common integration and data extraction tool rather than a swathe of bespoke interfaces known only to the developer who left the organisation two years ago.
4. A Retirement Plan

Support functions cannot be expected to support operating systems that are no longer supported by the vendor. As in the financial sector, it will only be a matter of time before the healthcare sector is required to provide decommissioning plans and timelines. Be proactive with your hardware: refresh it, and ensure your third-party vendors are contracted to keep their applications supported on the latest technology and operating systems.
5. Courage

Finally, we must have the courage to stand up for what we know is the right thing to do: do not be swayed by pressure to adopt bad practice or technology. Whilst saying “No” is never really an option, the transferral of risk certainly is.
How Tripwire Can Help

All healthcare organizations need to take steps to strengthen the security of their systems so that they can ensure the availability of critical medical services and protect their patients’ data. Such measures are especially important when defending against vulnerabilities like EternalBlue, the Microsoft SMB flaw which WannaCry exploited in 2017. CVSS risk scoring is a good start. But in instances like this, a plain low-medium-high score is of little use on its own: the same vulnerability shows up as “high” in every part of the business, so the critical systems and assets that keep the organisation in its “business as usual” state land in the same bucket as non-critical systems. This is where Tripwire IP360 can assist. Tripwire not only provides the CVSS risk scoring but also weights each asset according to its criticality to the business, amongst other criteria. This gives limited resources a way to apply patches to the critical systems first, thereby preserving the secure “business as usual” state for the business. In the meantime, Tripwire Enterprise can be used to monitor the network for any changes or drift from compliance policies, providing real-time notification to the responsible teams of anything detrimental to the estate so they can address it immediately.
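As an added illustration of the argument above (this is not Tripwire IP360's scoring method, and the host names, scores and weight table are constructed for the example), the following Python contrasts a plain CVSS severity report, in which every host carrying the same SMB flaw lands in the same “high” bucket, with a patch queue that scales the CVSS score by an assumed business-criticality tier:

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass(frozen=True)
class Finding:
    host: str
    vuln: str
    cvss: float        # CVSS base score as reported by the scanner (constructed here)
    criticality: int   # assumed business-criticality tier, 1 (low) .. 4 (clinical-critical)

# Constructed sample inventory: one SMBv1 flaw present on hosts of very different
# business impact, plus an unrelated medium-severity finding on the lobby kiosk.
FINDINGS: List[Finding] = [
    Finding("pacs-server-01", "EternalBlue (SMBv1)", 8.1, 4),
    Finding("kiosk-lobby-02", "EternalBlue (SMBv1)", 8.1, 1),
    Finding("hr-fileshare", "EternalBlue (SMBv1)", 8.1, 2),
    Finding("infusion-gw-03", "EternalBlue (SMBv1)", 8.1, 4),
    Finding("kiosk-lobby-02", "outdated browser", 5.3, 1),
]

# Assumed mapping from criticality tier to a multiplier on the CVSS score.
CRITICALITY_WEIGHT: Dict[int, float] = {1: 0.25, 2: 0.5, 3: 0.75, 4: 1.0}

def cvss_severity(score: float) -> str:
    """Qualitative CVSS v3 band; every host with the same flaw gets the same band."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low" if score > 0 else "none"

def severity_buckets(findings: List[Finding]) -> Dict[str, List[str]]:
    """Group hosts by CVSS band only, as a plain low/medium/high report would."""
    buckets: Dict[str, List[str]] = {}
    for f in findings:
        buckets.setdefault(cvss_severity(f.cvss), []).append(f.host)
    return buckets

def weighted_score(f: Finding) -> float:
    """CVSS scaled by how much the business depends on the asset."""
    return f.cvss * CRITICALITY_WEIGHT[f.criticality]

def patch_queue(findings: List[Finding], capacity: int) -> List[str]:
    """Findings a team with `capacity` patch slots should tackle first, highest weighted score first."""
    ranked = sorted(findings, key=weighted_score, reverse=True)  # stable: ties keep input order
    return [f"{f.host}: {f.vuln}" for f in ranked[:capacity]]
```

With two patch slots, `severity_buckets(FINDINGS)` lists all four SMB hosts together under “high” and gives no way to choose between them, whereas `patch_queue(FINDINGS, 2)` returns the PACS server and the infusion gateway first and pushes the lobby kiosk to the end of the queue.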