
Healthcare Security Risk Management: How Bad Is It?

Former Healthcare CIO David Finn of CynergisTek Discusses Sector's Weak Spots
David Finn, executive vice president, CynergisTek

During the COVID-19 pandemic, many healthcare sector entities - faced with so many new demands and added pressures - have shifted their attention and resources away from some of the most critical cybersecurity activities, says former healthcare CIO David Finn of consultancy CynergisTek.


For instance, conducting security risk assessments and managing supply chain risk were among the key areas of weakness last year for many healthcare sector organizations, he says in an interview with Information Security Media Group in which he discusses findings of CynergisTek's The State of Healthcare Security & Privacy 2021 Annual Report.

The study, among other things, examined healthcare entities' conformance with the National Institute of Standards and Technology's Cybersecurity Framework and the HIPAA Security Rule.

Steps Backward?

Due to the COVID-19 crisis, many healthcare organizations found themselves dealing "with a whole new model of IT delivery," he says.

"So, a lot of organizations shifted their dollars from assessments to doing other things like buying new mobile devices to send home with staff, physicians and other caregivers. So, funds that would have gone to assessments and understanding what needed to be [mitigated] dried up and got used in other ways," he says.

"Unfortunately, that portends an even worse year next year, because a lot of those funds and the changes they were used to make with remote workers, telehealth - there were no assessments going on about the new risks that were being introduced. So, we're going to be a little farther behind in these areas, and we haven't been addressing them as they happen."

Supply Chain Issues

Meanwhile, supply chain risk management is also presenting challenges, the report shows.

"From SolarWinds to Colonial Pipeline to Microsoft to meatpacking plants - supply chain is just a whole new threat vector and an attack surface for everyone, but for healthcare in particular - and I'm not sure we have the focus there," he says.

"So it’s a good idea, with your own supply chain, to look downstream to see what [vendors] are doing in the event of a cyber incident, or the kinds of massive breakdowns we've seen in the supply chain across all sectors."

In this video interview, Finn, a featured speaker at the recent Healthcare Information and Management Systems Society 2021 conference in Las Vegas, also discusses:

Finn, executive vice president of strategic innovation at CynergisTek, previously was health IT officer at security vendor Symantec. Prior to that, he was CIO and vice president of information services at Texas Children's Hospital, where he also served as the privacy and security officer. He has more than 30 years of experience in the planning, management and control of IT and business processes.

About the Author

Marianne Kolbasuk McGee


Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.
