‘Not Just a Project That Has a Finite End’
Understanding the clinical and computing assets at Children’s National, and mitigating the risks associated with them, was a major part of building out the organization’s cybersecurity program when MacVey became CIO two years ago.
“This is a program that is ongoing,” MacVey said. “It starts with getting visibility and then putting in management oversight structures.”
Clinical devices are a weak point in a healthcare organization’s cybersecurity posture, Groome added, so inventorying them and building a deeper understanding of what each one is doing is crucial and informs the broader security program.
“Those clinical assets and understanding how they’re behaving informs the larger IT asset and connected asset program that we’re working on with Matt and his team,” Groome said.
Healthcare organizations need to assess their unique challenges and gauge their risk tolerance. An organizationwide understanding of security is imperative.
“How do you get to the things that are most important in the organization from a security perspective? You can’t do it all in the first year or second year. This is a program,” Groome said. “It’s not just a project that has a finite end. This is something that needs to be built into the operations of the organization.”
Understanding Security Risks as Harm to Patients
At Children’s National, MacVey said that educating all stakeholders about the risk vulnerable devices pose to the organization’s environment helped foster better understanding. Emphasizing the threat not in IT terms but in the context of the potential harm it could bring to their young patients raised the urgency around better device management.
“When we’re having conversations with the board, we’re not talking about technical cyber issues. We’re talking about organizational challenges, the risk to your patients, the risk to your community,” Groome said. “This is about trust. If that trust is breached, it’s a reputational issue as well.”
Education is a key part of a healthcare organization’s cybersecurity posture, especially for leadership. Conversations must cover the risks to patient safety, operational uptime and the balance sheet.
MacVey added that addressing the problem of device visibility as a business continuity risk “lays the groundwork for other security strategies.”
Operational integration also means educating all stakeholders and bringing them together to deploy the organization’s security program.
“Everything that you do digitally in your organization needs to have security, privacy and risk assessed for your unique needs,” Groome said.