Rigor and Realism in Cybersecurity Strategy

By Angela Fitzpatrick, Vice President of IT Risk Management, Meditology
LinkedIn: Angela Fitzpatrick, CISSP, CCSFP, CHQP
X: @Meditology

Cyberattacks on healthcare organizations and their business associates continue to increase at an alarming rate: nearly 500 breaches, each affecting 500 or more individuals, were reported to the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) between January and November 2023. That compares to just 278 reported breaches for the same timeframe in 2022.

Cyberattacks come in all shapes and sizes. Attacks reported to the OCR in 2023 involved anywhere from 500 to more than 11 million individuals. In all, more than 90 million individuals were impacted by breaches, which took place at 300 provider organizations, 120 business associates, and 73 health plans. The vast majority were hacking incidents (407), followed by unauthorized access or disclosure (80), and theft (7).

The increase in attacks demonstrates how vital it is for healthcare organizations of all kinds to have a strong and reliable cybersecurity strategy based on rigor and realism.

The Role of Rigor and Realism in Cybersecurity Strategy

Rigor and realism ensure that a cybersecurity strategy is based on careful analysis and practical goals and can effectively address the current and future threats and challenges in the cyber domain.

Some aspects of rigor and realism in a cybersecurity strategy include:

  • Placing people and realism at the center of the cyber strategy, by understanding human nature, biases, and behaviors and how they can be exploited or leveraged by attackers or defenders.
  • Unifying technical, business, and risk-oriented frameworks, by integrating different perspectives and stakeholders in the cyberattack response and by creating a seamless detection and remediation strategy.
  • Leveraging communication and teamwork by involving every department within the organization in ensuring infrastructure security and fostering a culture of collaboration and awareness.

These are some of the ways that rigor and realism can help build an effective cybersecurity strategy that can protect the organization and its assets from cyber threats.

Establishing both rigor and realism starts with a clear understanding of the cyber-assets in need of protection. For healthcare organizations, the most valuable digital asset is patient data, which carries a black-market value that is 10 to 40 times higher than the value of credit card numbers.

A realistic cybersecurity strategy is based on a threat profile that identifies the potential threats that an organization or a system may face. A threat profile can help to prioritize the security measures and countermeasures that are needed to protect against cyberattacks.

A threat profile can include information such as:

  • The assets that are at risk, such as data, systems, infrastructure, reputation, etc.
  • The attackers that may target the organization or the system, such as hackers, criminals, competitors, insiders, nation-states, etc.
  • The attack vectors that may be used, such as phishing, malware, denial-of-service, ransomware, etc.
  • The impact and likelihood of each threat, such as economic loss, operational disruption, data breach, etc.

A threat profile can help to create a realistic and effective cybersecurity strategy that addresses specific risks and challenges. Some sources that can help to create a threat profile include:

  • Threat intelligence, which is a data set about attempted or successful intrusions, usually collected and analyzed by automated security systems with machine learning and artificial intelligence (AI).
  • Threat modeling, which is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized.
  • Security profiles, which are sets of rules that define how to scan and block traffic based on the applications, users, content, and threats.
  • Security audits, which are assessments of the current security posture and compliance of the organization or the system.

Threat modeling allows organizations to make cost-effective decisions about the security solutions that can best protect an organization’s assets.
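The following Python script is an added illustration of the prioritization described above; it is not code from the article or from Meditology. It encodes a threat profile as the article defines it (asset, attacker, vector, likelihood, impact), ranks entries by a likelihood-times-impact score, and reports how much of the inherent risk the chosen controls remove, which is the kind of risk indicator a strategy needs in order to show it is actually reducing risk. The four-point scale, the threshold of 6, and the sample entries are constructed assumptions; an organization would substitute its own scale and data.

```python
"""Rank a threat profile by likelihood x impact and measure what controls buy."""
from dataclasses import dataclass, field
from typing import List, Optional

# Hypothetical four-point qualitative scale; an organization would define its own.
LEVELS = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Threat:
    asset: str           # what is at risk (data, systems, infrastructure, reputation ...)
    actor: str           # who might target it (criminals, insiders, nation-states ...)
    vector: str          # how (phishing, ransomware, denial-of-service ...)
    likelihood: str      # qualitative level before any controls
    impact: str          # qualitative level of harm if the attack succeeds
    controls: List[str] = field(default_factory=list)
    # likelihood once the listed controls are in place; None means not yet treated
    residual_likelihood: Optional[str] = None

    def inherent_score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def residual_score(self) -> int:
        level = self.residual_likelihood or self.likelihood
        return LEVELS[level] * LEVELS[self.impact]


def validate(threat: Threat) -> None:
    """Reject entries that use a level outside the agreed scale."""
    for name in (threat.likelihood, threat.impact, threat.residual_likelihood or threat.likelihood):
        if name not in LEVELS:
            raise ValueError(f"unknown level {name!r} on {threat.asset}/{threat.vector}")


def prioritize(profile: List[Threat]) -> List[Threat]:
    """Highest inherent risk first; ties are broken by impact so severe harms rise."""
    for threat in profile:
        validate(threat)
    return sorted(profile, key=lambda t: (t.inherent_score(), LEVELS[t.impact]), reverse=True)


def risk_reduction(profile: List[Threat]) -> float:
    """Fraction of total inherent risk removed by the controls recorded in the profile."""
    inherent = sum(t.inherent_score() for t in profile)
    residual = sum(t.residual_score() for t in profile)
    return 0.0 if inherent == 0 else (inherent - residual) / inherent


def untreated(profile: List[Threat], threshold: int = 6) -> List[Threat]:
    """Threats whose residual score is still above the acceptable threshold."""
    return [t for t in profile if t.residual_score() > threshold]


# Constructed sample profile (not real data), using threat types named in the article.
SAMPLE_PROFILE = [
    Threat("patient records", "criminals", "ransomware", "high", "critical",
           controls=["offline backups", "endpoint detection"], residual_likelihood="medium"),
    Threat("patient records", "criminals", "phishing", "critical", "high",
           controls=["MFA", "awareness training"], residual_likelihood="medium"),
    Threat("patient portal", "hacktivists", "denial-of-service", "medium", "medium",
           controls=["upstream rate limiting"], residual_likelihood="low"),
    Threat("patient records", "insiders", "unauthorized access", "medium", "high"),
]

if __name__ == "__main__":
    for t in prioritize(SAMPLE_PROFILE):
        print(f"{t.inherent_score():2d} -> {t.residual_score():2d}  {t.vector:<20} {t.asset}")
    print(f"risk reduction from current controls: {risk_reduction(SAMPLE_PROFILE):.0%}")
    print("still above threshold:", [t.vector for t in untreated(SAMPLE_PROFILE)])
```

Two design points matter more than the arithmetic. First, every entry is validated against the agreed scale before ranking, so a profile assembled by several departments cannot silently mix scales. Second, the untreated entry (insider access, which has no controls recorded) keeps its inherent score as its residual score, so it stays visible in the ranking rather than disappearing because nobody has addressed it yet.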

This is where rigor enters the picture. Operational rigor ensures that an organization has the processes, discipline, and commitment to design, execute, and sustain realistic security levels.

Avoiding Common Cybersecurity Strategy Errors

Rigor and realism can also play a significant role in avoiding several of the most common errors healthcare organizations make when it comes to protecting their digital assets.

While regulatory compliance is important, it should not be the sole focus of an effective cybersecurity strategy. Making it the sole focus results in a strategy that is neither comprehensive nor sufficiently prescriptive, in part because regulations are typically not updated often enough to keep pace with the changing threat landscape.

Another common strategy error is making cybersecurity decisions in a vacuum. Consulting with multiple departments as well as internal and external experts is critical to ensuring a comprehensive cybersecurity strategy. Decisions should be made with the benefit of insights from individuals with the expertise to understand long-term consequences and who will be directly impacted by solutions and policies.

A third common strategy error is failing to establish and monitor risk indicators and other metrics that show whether the cybersecurity strategy is actually reducing risk. Without metrics, it is difficult to know whether the desired outcome has been achieved.

An important benefit of a cybersecurity strategy grounded in realism and rigor is knowing when to ask for help. Most organizations do not have internal experts to cover all bases. There are also elements of cybersecurity that are better handled by a third party, such as assessments, audits, and program reviews to remove internal bias.

Realism allows for a fair evaluation of existing resources to identify critical gaps that should be filled by an outside vendor or consultant. Rigor ensures the governance and resources are in place to allow those outside experts to be brought in to maintain performance and adjust the approach when appropriate.

Conclusion

Cybersecurity should evolve and mature along with an organization’s threat level, expertise, and resources. Building rigor into the foundation ensures the long-term commitment required to maintain and evolve cybersecurity in tandem with the threat landscape.

Realism establishes the baselines against which to measure success, while rigor ensures the governance is in place to continuously track, measure, and act when performance dips below acceptable levels.