As more and more companies, families, and devices become connected to the internet, cybercrime has become an increasingly pervasive threat. Based on a 2017 KPMG survey, as many as 47% of healthcare providers have reported a HIPAA-related breach, with third-party data sharing noted as the primary vulnerability in networks, followed closely by devices not controlled by IT. As a result, the leadership of many organizations is rushing to find an answer, and for good reason:
- During 2017, over 1,500 breaches were recorded in the United States alone, a 44.7% increase from 2016. As of June 12, 2018, 9,084 breaches have been identified.
- Costs relating to cybercrime for the global community as a whole were $600 billion in 2017, with cybercrime costs in the U.S. alone as high as $109 billion.
- Resulting costs to individual U.S. businesses compromised by an attack averaged more than $1.3 million each.
With the growing reliance on internet-based solutions to track and store patient data, more medical devices coming online to the Internet of Medical Things and interfacing with hospital networks, and intellectual property requiring increased security, it’s no surprise organizations are looking at their cybersecurity controls to ensure their assets are secure.
Developing a risk-based mindset
This increase in cybercrime and related costs leaves organizations wondering where to begin the process of protecting themselves, often with limited budgets and constrained resources. Some organizations take a shotgun approach, trying to secure all assets, while others believe they are too small to be affected. Both approaches can be costly and leave the enterprise open to significant risks. For some of the “shotgun” organizations, budgets are exceeded, resources are stretched, and many assets are still left vulnerable. The organizations that imagine they are too small to be targeted leave key data assets unprotected, creating a ripe target for would-be hackers and data thieves.
The third approach is where prudent organizations build their cyber policy from a risk-based standpoint, identifying key assets to protect and focusing on these rather than attempting to protect all data held by the organization.
How to identify your key assets
Because of the risks unique to the industry, it’s important for organizations in the Biotech and Life Sciences fields especially to realize there are key systems, applications – and, specifically, key data assets – that call for a greater investment in protection than do other assets (this will vary by sector and organization). What assets does your organization possess that need protecting?
- Do you have any sensitive IP needing protection? Unauthorized access could allow foreign or domestic competitors to see vital plans and documentation, potentially preventing critical first-to-market advantages. It could mean other financial losses, too, if some of your funding comes from grants.
- Do you track and store patient or subject data, or transmit patient data to a third party? HIPAA compliance is vital, and any breaches could be costly in terms of legal expenses and lost customers.
- Do you manufacture a device that connects to a medical provider network? The FDA is exploring a requirement that firms ensure proper patching capabilities and develop a “Software Bill of Materials” to be provided to the FDA as part of any premarket submissions. Additionally, the FDA is planning to update its premarket guidance on medical device cybersecurity to better protect against cyber-risks, including ransomware gaining access to critical networks through unpatched devices.
- Do you store drug or device pricing and promotion materials on your network? This has been a hot topic for many companies due to substantial pressures on healthcare budgets around the world.
Any of the above could cost your organization a substantial amount of money if the assets were to be compromised or HIPAA compliance was not maintained. Once critical data assets have been identified, a complete risk assessment is required to properly assess how to protect the assets.
Assess your risk
This risk assessment is composed of several phases.
- Enterprise-wide: The assessment begins by evaluating the enterprise as a whole, taking into consideration the sector and any related challenges unique to your organization.
- Prioritize your risks: The next step is to prioritize your critical risks based on the evaluation and examine how the highest-risk assets could become compromised. Remember that not all assets need to be examined with the same lens: some are less critical to the functioning of the organization and stakeholders than others.
- Control gaps: Once risks have been identified and ranked, the next step is to examine the existing control structure, shoring up gaps that may leave your assets open to attack.
This may seem like a daunting process, so the IT Risk team at Peterson Sullivan is available to help. We take a holistic, top-down, risk-based approach to cybersecurity, scalable for your company and its needs, since we know no two organizations are the same. Peterson Sullivan’s independent assessments give you confidence your controls are working. Contact IT Risk Leader Nick Norton today to see which of our services best fit your organization’s needs.