Critical Elements of a Solid Cybersecurity Program
Former CISO Mark Johnson Outlines Five Fundamentals
Healthcare organizations often fail to address five fundamental elements of a solid cybersecurity program, says security expert Mark Johnson of the consultancy LBMC Information Security, who formerly was CISO at Vanderbilt University and Medical Center.
The first critical element is asset management, Johnson says in an interview with Information Security Media Group.
"You can't protect what you don't know. And the challenge with asset management today is how do you deal with that when we have cloud and vendor-supported environments. It's not 'where are my computers' anymore; it's 'where is my data.'"
Identity and access management, especially privileged access management, is also critical, he says.
"Identity is really the new perimeter we're dealing with nowadays. Because of the complexity and integration of these environments across the board, identity really defines the perimeter of the infrastructure."
Logging and monitoring are essential, Johnson says, because "now you have a better understanding of who is doing what to whom in your organization. That logging and monitoring gives you the insights so that you can see what 'normal' looks like so that you can identify 'abnormal' activity."
Logging and monitoring have helped many entities bolster their incident response capabilities - another critical security component, he says.
And as organizations transition to an integrated IT environment, vendor risk management becomes more important, Johnson says.
"Traditionally, we spend a great deal of time at the beginning of a relationship with a vendor, setting up contracts and so forth," he says. "But we spend less time thinking about how that contract will be managed and the security of those vendors and what they're doing to protect the data or function we've given them."
Challenging Threat Environment
Understanding and dealing carefully with all five fundamental elements will help healthcare entities deal with "the very complex and challenging threat environment," Johnson says. Each element has to be "built into the operational environment of the organization," he adds.
In the interview, Johnson also discusses:
- How organizations can improve their approach to risk assessments;
- Which emerging security technologies are worth considering;
- What should be on the top of security priority lists for 2019.
Johnson leads the healthcare security practice at LBMC Information Security, where he is also a shareholder. He has over 26 years of information security experience. Before joining LBMC, Johnson led KPMG's national healthcare industry cybersecurity services. He was also previously CISO at Vanderbilt University and Medical Center.