Jun 27 2018

How LTPAC CIOs Manage Risk in a Shifting Privacy and Security Landscape

Risk assessments, flexible budgets and a good dose of reality can help keep board members and networks happy.

When it comes to cybersecurity, CIOs for senior living communities have a long road ahead of them. As residents introduce new devices to networks, services such as email are outsourced to the cloud, and old-school security threats, such as phishing attacks, become more sophisticated, the CIO’s role in directing a constantly evolving cyberstrategy is becoming ever-more crucial to keeping systems and health data safe.

Moreover, CIOs are rarely left to their own devices and must work together with the board of a retirement community or senior living organization to build a comprehensive cybersecurity strategy and show constant progress. While the specific challenges may have changed, however, the underlying need has remained the same, which is to keep the organization as safe and compliant as possible.

“Think about what a board member faces. They have responsibilities to their constituents [and to government organizations], so what they must do is risk management; it’s no different than it was 20 years ago,” said Rusty Yeager, senior vice president and CIO of post-acute healthcare provider Encompass Health, speaking June 26, on a cybersecurity panel at the Long Term & Post Acute Care Health IT Summit in Washington, D.C. “The challenge for a board member is that it’s risk management about something and they have no idea what it is. They don’t want to have an idea what it is, but the outcomes, if they potentially don’t pay attention to it, are really dramatic.”

So, with new technologies and threats always on the horizon, how can LTPAC CIOs go about reassuring board members, introducing comprehensive risk management and securing their environment without breaking the bank? According to experts who spoke on Tuesday’s panel, “Cybersecurity in Practice: CIO Perspectives on The Changing Security & Privacy Landscape,” there are several steps that CIOs can take to stay on top of the ball and keep board members happy and informed.

SIGN UP: Get more news from the HealthTech newsletter in your inbox every two weeks

Conduct Risk Assessments Early and Often

The first step is to take a long hard look at where your vulnerabilities might lie with a comprehensive risk assessment.

“How can you manage risk if you don’t know what it is?” asks Yeager. “Do a risk assessment that is across the board … and then build your execution plan based on this risk assessment.”

This allows CIOs to not only get ahead of threats, but to also get ahead of the cybersecurity and budgetary conversations they’ll need to have with their boards. Moreover, CIOs can constantly update board members on progress of the cybersecurity plan in order to show that the necessary steps are being taken to protect the organization. Finally, risk assessments can help to justify the cybersecurity budget and help to keep spending flexible if necessary.

But CIOs should be aware that the need for risk assessments is ongoing.

“The rule is, if you change the environment, you have to do another” risk assessment, said Joyce Miller, CIO of the retirement community company Ohio Living, during the panel. For organizations that have small IT teams, this can become cumbersome and time-consuming, which is why outsourcing gap analysis and other aspects of the assessment can help small organizations stay on top of their evolving security needs.

“When we look at mobile, Alexa, all the things that are coming to modify our networks,” a good cybersecurity program, based on a comprehensive look at a network and its vulnerabilities, can help CIOs manage the changes, as opposed to starting from scratch, said Miller.

Be Realistic About Cybersecurity Defenses

Despite constant cybersecurity vigilance, however, CIOs need to make sure that their board members and organization staffs understand that while assessments and comprehensive plans can help maintain organization defenses, there is always the chance of attack.

“It’s not if, it’s when,” said Yeager, noting that it can be easy to think that a breach will never hit your organization personally, but there is always the chance that it will, even with the best defenses. “Make sure board membership knows, if I’m executing my plan the likelihood [of attack] is lessened dramatically, but it isn’t zero.”

YakobchukOlena/Getty Images

aaa 1