Tag: cybersecurity

Cybersecurity: What You Need to Know to Find the Right Partner and Price | Webinar

May 17, 2022
On-demand Webinar

Cybersecurity: What You Need to Know to Find the Right Partner and Price

Access the on-demand webinar, which was delivered live on May 17, 2022.

We’ve all seen the headlines. Cybersecurity attacks are on the rise and often cause massive disruption – from financial loss and supply chain issues to corporate reputation damage. Enterprise leaders know they must take action, making cybersecurity a significant area of focus.

But with the rapid pace of change and push toward digital adoption, enterprises are struggling to identify the right vendors, determine the right price, and keep up with evolving operating models. Do you know the price you should be paying for the right level of cybersecurity?

Join this webinar as our experts explore:

  • How to select the right cybersecurity vendors
  • How to ensure that you are paying the right price for cybersecurity services
  • How to structure cybersecurity in your organization
  • Why cybersecurity is a top priority for enterprises and what the cybersecurity market size and future growth look like

Who should attend?

  • CISOs, CIOs, CMOs, CFOs, CTOs, CDOs
  • IT department heads
  • Sourcing leaders
  • Strategy leaders
  • Cyber security strategy leaders
Kumar Avijit Light Grey
Kumar Avijit
Practice Director
Rahul Gehani Bio Picture V1 2021 03 26
Rahul Gehani
Partner
Sundrani Ricky Refresh gray square
Ricky Sundrani
Vice President

Related Content 

Building a Resilient Supplier Cyber Risk Management Strategy | Blog

April 28, 2022

Sharing sensitive data with outsourcing providers in today’s interconnected digital world has increased organizations’ vulnerability to cyberattacks, making it more important than ever to have an effective supplier cyber risk management strategy. To protect against threats, read on to learn the best practices for supplier cyber risk management.  

In today’s risky and interconnected environment, it has become essential for organizations to have a supplier cyber risk management strategy to identify, protect, detect, respond, and recover from supply chain cyberattacks.

The critical importance of relationships with outsourcing service providers has been amplified by the pandemic and recent geopolitical turmoil due to the Ukraine-Russia crisis. Outsourcing suppliers now play a vital role in running business operations, and these partnerships have grown more sophisticated.

With data sharing between the two parties increasing multifold, organizations have greater exposure to ransomware attacks, phishing, denial-of-service, and other cyberattacks.

Depending on the sensitivity of data shared with suppliers, the potential risk of data loss can impact an organization’s business operations – making it essential to develop a supply chain cyber risk management plan to protect from significant financial and operational impacts.

Not having a formal supplier cyber risk management strategy can cause compliance issues. With scrutiny on global supply chains intensifying, a lack of supplier insights can lead to government regulation violations, resulting in financial losses and tarnishing an organization’s brand.

As suppliers have access to sensitive and business-critical information, managing permissions and protecting data from unauthorized access, misuse, and data loss become crucial.

Further, many other risks exist from a supplier’s operational perspective, including issues related to geopolitics, bankruptcy, and macro risks. Organizations should have complete supply chain visibility to rapidly respond to susceptibilities and disruptions at the supplier’s end.

All of these factors can have a long-lasting impact on an organization’s image and reputation, potentially deteriorating customer loyalty and trust. Hence, having a resilient supplier cyber risk management strategy that includes visibility, transparency, clear communication, and collaboration has become non-negotiable for organizations.

The Everest Group risk management matrix

Let’s take a look at the different risk scenarios and their remedial measures below:

Picture2 1

Exhibit 1: Everest Group Supplier Management Toolkit: Risk Management in Outsourcing

Best practices for developing a supplier cyber risk management strategy

Developing a Supply Chain Risk Management (SCRM) program is indispensable for organizations as they become increasingly vulnerable to supply chain attacks.

Currently, the risk management focus in outsourcing is limited to compliance requirements such as the Sarbanes-Oxley Act (SOX), Service Organization Control (SOC) certifications, industry-specific compliances such as Health Insurance Portability and Accountability Act (HIPAA) and Health Information Trust Alliance (HITRUST), and criminal background verifications.

Other vital factors such as geopolitical and offshoring risks have not yet become key executive priorities. Further, as more companies lean on service providers to drive digitalization and corresponding transformation in their outsourced processes, organizations rarely try to identify potential risks and establish associated mitigation/contingency plans.

Some industry best practices such as ISO/IEC 27036:2013 and the NIST Cybersecurity Framework have been updated to include information security for supplier relationships, highlighting the importance of SCRM in corporate security. In terms of cyber security, this involves:

  • Defining cyber security requirements and measures that apply to suppliers based on their risk category
  • Enforcing these requirements via formal agreements (e.g., contracts) to ensure suppliers enter a binding commitment
  • Verifying and validating communication and access from and to suppliers
  • Ensuring effective implementation of cyber security requirements
  • Managing and supervising the above activities periodically

To optimally engage with and manage suppliers, the entire supplier life cycle should be organized into these three phases:

  1. Before and during the contracting phase – Screening suppliers before onboarding is essential for organizations to assess financial, operational, and reputational aspects. Procurement heads need to carry out background checks to ensure suppliers’ compliance status and performance viability. An exhaustive contract with legally binding responsibilities related to cyber security for both the organization and its suppliers should be created. This contract should define fundamental and high-level security requirements and privacy-based controls for supplier relationships at every point in the life cycle
  2. During the ongoing relationship – Once suppliers are onboarded, organizations must track all assets suppliers can gain entry to in a central repository. Customers should categorize suppliers into different risk classes based on how critical the information is to further define appropriate cybersecurity controls. These controls should be continuously evaluated to ensure adherence
  3. After the termination of the relationship – Offboarding a supplier requires disabling its logical and physical access, removing access to any data, and destructing it to ensure the supplier doesn’t hold any sensitive data. This phase also requires ensuring no severity incidents are pending and facilitating proper handoff between suppliers

Prevalence of risk management processes in the supplier life cycle

How common is it for organizations to have established risk management processes in each of the third-party life cycle steps? Our polling results show while most organizations have these safeguards in the first stage, fewer use them in later phases, as illustrated below:

Picture1 2

Exhibit 2: Everest Group’s Webinar Quick Poll (Could Your Business Partners Be Offering More Risk than Support?)

The supply chain for almost any organizational procurement activity can be the target of cyberattacks, either by going after the supply chain or the supplier’s/organization’s systems, once they are integrated.

More complex and sophisticated attacks are often left undiagnosed or unreported, making them potentially more disastrous for enterprises. At different points in the supplier management life cycle, stakeholders across organizations will have the primary responsibility for establishing and maintaining effective supplier cyber security controls.

Vigorous governance is required to ensure relevant stakeholders are responsible at the right time to guarantee optimal and best efforts are made to combat any cyber threats. To complement this governance, a strong collaborative culture across different departments is needed to drive continuous improvement.

Learn how to create an effective program for your organization in our executive brief on Cybersecurity Risk Management in the Supplier Life Cycle, part of our supplier management toolkit.

Please reach out to [email protected] to gain further insights on supplier cyber risk management or Contact Us.

Discover even more about cybersecurity in our current environment in our webinar, Cybersecurity: What You Need to Know to Find the Right Partner and Price.

Believe In Zero Trust – How a Familiar Yet Uncelebrated Model Can Protect Your Organization from Cyber Attacks | Blog

September 14, 2021

Given the meteoritic rise in ransomware attacks during the pandemic and persistent cybersecurity challenges, the need for effective measures to protect sensitive data and IT environments from rising assaults is greater than ever. While zero-trust security architecture offers many potential benefits, adoption of this long-talked-about framework has been slow for various reasons. But with even the White House hitting the gas on zero trust, the timing could be right for more widespread implementation. Read on to learn about how your enterprise can overcome the hurdles and move to zero trust.    

Zero trust, a framework for the design and implementation of IT security systems, has been in the market for quite some time now. First coined by Forrester, it gained popularity when Google announced the implementation of the zero-trust network through BeyondCorp after a series of cyber-attacks in 2009. Ever since the National Institute of Standards and Technology (NIST) formalized the approach in late 2020, the computer security approach has become mainstream.

But despite the entire industry being widely familiar with the terminology and underlying principles and architecture, why has enterprise-level adoption lagged when the benefits outweigh the investment? Before we dive deep into the reasons behind this reluctance in the market, let’s explore the core tenets of a zero-trust security approach.

The guiding principle for zero trust is “never trust but always verify” and is built upon the following assertions:

  • Every part of the network is potentially hostile
  • Both external and internal threats always exist on the network
  • Every device, user, and network flow must be authenticated and authorized and should not be trusted by default
  • Limiting excessive user privileges should be the fundamental motto
  • Micro perimeters/micro segmentation should be created around critical data, applications, and services

The key tenets of zero-trust security can be summarized as follows:

Picture1 1

Why hasn’t zero trust been fully embraced?

Even though security leaders across product vendors as well as analyst firms have been preaching the benefits of a zero-trust security approach across enterprise cybersecurity, adoption hasn’t picked up. Among the key enterprise challenges and the apprehensions by security leaders surrounding its wide-scale adoption are:

  • Misconception of zero trust as another technology solution: The most common problem that we have seen in enterprise cybersecurity teams is their belief that any new challenge can be best solved by implementing a new technology or solution. The love for a new solution is so strong that enterprise leaders often forget that zero trust is a concept that does not have a single solution. Enterprises are often lured by the marketing gimmicks of product vendors that provide some aspect of zero-trust security through the solution. This results in either lower or no effect of the promises made by the zero-trust security approach
  • Challenges of network micro segmentation: One of the key aspects of zero-trust security is focused on protecting the networks and the associated recommendations in the network architecture by breaking down the erstwhile monolithic perimeters into micro perimeters to concentrate on granular security controls and access. Given a large number of applications, their dependencies, services, and the users involved, it becomes challenging to implement and maintain micro perimeters. Enterprises with disparate security controls and network products are subsequently unable to provide end-to-end visibility
  • Complexity in brownfield implementations: There is no doubt that zero trust can be best adopted in greenfield security projects, given the existing IT landscapes are so vast and complex. But a single change can cause great havoc and a ripple effect across the enterprise systems if not implemented correctly. While enterprises are expected to take a step-by-step approach rather than a rip-and-replace approach, many organizations that started this journey were left devastated in their approach to rebuild the network by undertaking a massive one-shot effort. The challenge also comes in integrating existing capabilities with new solutions to implement new capabilities to extend zero trust across the enterprise IT
  • Myth that zero trust is for on-premises: Enterprises have been grappling with a long-running myth that the entire concept of zero-trust security is centered around the building blocks of enterprise IT if they are located within enterprise distributed control systems (DCS) as most of the existing research talks about not trusting everything within their corporate networks. Also, some enterprises still do not think of cloud security as a shared responsibility model with the hyperscalers and hence do not plan to extend the zero-trust security approach to the cloud, thus leaving their assets on cloud and multi-cloud architectures at risk

Six Key Considerations for Enterprises Moving Ahead in the Zero Trust Journey

Zero trust can offer many benefits beyond improved data protection and greater compliance, including greater visibility across the enterprise, security for the growing remote workforce post-pandemic, and an improved end-user experience.

Here are some recommendations for moving ahead:

  1. Take a step-by-step approach for a long journey: While zero trust adoption can lead to a significant business transformation, framework adoption does not necessarily translate into a radical overhaul of existing cyber capabilities. Enterprises must understand that zero trust needs to be thought of as a journey to implement the strategic changes
  2. Establish the current baseline: Just like other security implementations, understanding what and why is of the utmost importance to see the benefits of following this path. Start by identifying the crown jewels – data and workloads – and create a security policy and control framework. The idea is not to give hackers an opportunity to start an attack
  3. Leverage the existing cybersecurity stack: Reuse the existing investments made for threat detection, identity and access management, network, endpoint, and data security to integrate with the zero-trust security approach. Focus on preventing any cloud misconfigurations and put an end to visibility of data, policy, and communication between apps, infrastructure, network, and other components in the environment
  4. Understand that trust is never guaranteed: Enterprises must understand that trust is not guaranteed by any solution but needs to be verified at policy enforcement points before access is provided
  5. Combine zero trust with the broader digital transformation umbrella: Enterprises can combine zero trust transformation along with their IT digital transformation initiatives (including cloud and data center migration) to extract significant synergies and remove the hurdles of adopting zero trust in brownfield implementations
  6. Embrace the change: The entire journey will only be successful if all the stakeholders in the organization are ready to embrace the new ways of working in a dynamic and adaptive cyber organization with close collaboration between business and technology stakeholders

If the right cybersecurity measures are not implemented, attacks will only become more frequent and successful. Enterprises should put faith in zero trust as a security model that can provide greater protection in today’s high-risk environment.

Follow this space for our continued coverage of cybersecurity. To share your experiences and ask questions, please reach out to [email protected] or [email protected] or [email protected].

IT Supply Chain Attacks Are Rising – What Steps Can You Take To Protect Your Interconnected Enterprise Systems | Blog

July 28, 2021

As enterprises have worked harder to protect their IT systems throughout COVID-19, saboteurs have gotten more aggressive in their attacks, going after a trusted piece of hardware or software and hijacking an entire supply chain. What steps can you take to prevent these full enterprise cyber assaults? Read on to learn more about why IT supply chain attacks are on the rise and how to take action.

The COVID-19 pandemic opened enterprises’ eyes to the need to secure their IT systems from malicious threat actors, cyberattacks, and ransomware. With a renewed vision on hardening security controls and perimeters, applying least privilege access controls, and transitioning to improved threat detection tools and technologies, the usual entry points for bad actors have become non-existent.

But threat actors haven’t gone away. With the easier routes shut down, they are now targeting entry points like third-party software and hardware that are beyond most enterprise’s scope and control.

If enterprises only needed to think about thwarting attacks by looking at the firewalls, endpoint security solutions, and Identity Access Management (IAM), the task would be much easier. But since enterprise systems are interconnected, the extended enterprise needs to be considered – and defended.

Understanding the supply chain attack ecosystem

A supply chain attack is defined as an attack that occurs when an attacker/malicious threat vector infiltrates the system through an outside partner or provider that has access to critical data and systems.

The key supply chain attacks can be classified across these six broad categories based on the nature of their origination in the software/hardware supply chain shown below:

Picture1 4

Why are supply chain attacks becoming lucrative?

While supply chain attacks have been prevalent for some time, they have been gaining tremendous traction, especially post-pandemic when vendors lost control and a view of key critical vulnerabilities in their existing products.

Among the key reasons for the prevalence of attacks are:

  • Economies of scale: It is important to understand that a supply chain attack is not directly targeted towards a particular organization. The goal is to infect source codes and legitimate apps/firmware and gain entry within an enterprise to potentially access all enterprises using it. With one placed intrusion, cybercriminals create a springboard to the network of suppliers’ customers. It is rewarding for attackers to have continuous access to new targets without investing in a new tool until the threat is revealed
  • Enterprise trust: Improvements in the enterprise security mechanisms have contributed to the increase in supply chain attacks. Enterprises have put strong defense mechanisms in place that cut off the easy routes to infections, thus pushing attackers to find different ways to infiltrate soft targets. Limited security awareness and non-implementation of security best practices have resulted in enterprises blindly trusting their vendors, third-party applications, and open-source codes. Attackers leverage this blind trust to make their way inside enterprises as this offers a path of least resistance
  • Hard to detect: Most of the supply chain attacks that we have heard of involve adding a backdoor to a legitimate certified software or firmware update that is nearly impossible to detect by existing tools and methodologies. Also, detection at the vendor’s end is difficult as they do not anticipate that the code could be targeted during the development stage. By the time the vendor detects an attack at the end of the cycle and quietly fixes it with their next update, the damage is already done

 Best practices to mitigate supply chain attacks

As with other cybersecurity attacks, the old saying, “The broader question now is not about if the organization will get hacked but when it will get hacked,” still holds. As supply chain attacks do not directly infiltrate the enterprise environment, detecting them brings many challenges for enterprises, especially smaller ones with limited awareness and investments.

Here are best practices enterprises can adopt that can potentially mitigate some of these attacks:

  • Understand the enterprise IT supply chain – The first step for any successful attack mitigation strategy should start with a comprehensive and holistic understanding of the supply chain. It should provide a view of the vendors, open-source projects, IT and cloud services, inventory of all third-party tools and services, and software dependencies hiding inside an organization and their security and licensing issues
  • Trust no one – Similar to the zero trust principles that urge enterprises not to trust but verify; enterprises should stop blindly trusting their third-party vendors. Enterprises need to understand that the severity and diversity of threats challenging them to apply equally to vendors as well. Any small error on the vendor’s part can be devastating for the enterprise not only in financial drains but also on the reputation and trust of stakeholders
  • Limit access to sensitive data – Enterprises must have a properly detailed mapping of data being shared with third-party systems, the privileged users, uses of the data, and key security controls. Limiting access to privileged resources, including access to core data, reduces the chances of the impact from attacks originating at the vendor’s end
  • Ensure vendor assessment and controls – When choosing vendors, enterprises need to conduct a detailed evaluation and due diligence of the existing cybersecurity framework and adjust accordingly what data needs to be shared, with whom, and the communication mechanism. Apart from rigorous assessments, enterprises should implement strong perimeter controls for vendor access such as multi-factor identification and network segmentation, and ensure that the access of data and systems is there until it is required
  • Focus on development pipeline risks – Developer workstations with rights to create, modify, and commit code have been key targets for attackers. Enterprises need to think about shifting the security left, securing their continuous integration and continuous delivery pipelines, and using Endpoint Detection and Response (EDR) to detect endpoint anomalies. By bringing security into the development lifecycle earlier, developers can detect and fix vulnerabilities, thereby ensuring that security is baked into the product rather than being a bolt-on
  • Protect from insider threats – Shadow IT has been a key cause of concern for most enterprises. Not only do enterprises lack a view of the unauthorized software and tools used by enterprises, but they also don’t have proper control mechanisms to check the usage. Employees also represent a significant insider threat to security and, as a result, targeted phishing or social engineering campaigns have become widespread. Thus, enterprises need to put in appropriate controls to mitigate the risk from insider threats
  • Plan your incident response – Taking initiatives to prevent supply chain attacks does not negate the possibility of them occurring. Threat actors can permeate enterprise systems through paths and backdoors that often get unnoticed and undetected, making it necessary for enterprises to also focus on response and remediation. By planning for the worst, enterprises can understand what is happening during a breach, how to engage with suppliers, and work together to mitigate the damage faster

Follow this space for more blogs on cybersecurity. Meanwhile, please feel free to reach out to [email protected] or [email protected] to share your experiences and ask any questions.

Cybersecurity Risk Management in a Post-pandemic Era | Blog

May 11, 2021

The intensity and severity of cyber events has accelerated during the COVID-19 pandemic as more and more people are working remotely and from home. This increasing frequency of cyberattacks has brought volatility to the already spiking claims losses causing many to wonder how enterprises and insurers can manage cyber risks in this new era. Our three-part blog series will explore this as well as initiatives to deal with cyber insurance challenges and what the future may hold for the cyber insurance market and its impact on enterprises.

The global cyber insurance market currently stands at nearly US$7.8 billion and is expected to grow at more than 20 percent CAGR over 2020-25, driven by the increasing number of cyber-attacks, the increasing need for IT compliance and regulations, and massive financial and non-financial losses (such as reputational loss system downtime, reduced efficiency, etc.). McAfee has reported that in 2020 these losses reached nearly US$1 trillion, increasing about 50 percent from 2018. To put this in perspective, the losses account for nearly 16 percent of the global insurance premium volume.

Pandemic forces change

The pandemic has forced enterprises to rapidly shift to a remote/work-from-home format, compelling them to re-think their cybersecurity strategies, reassess their cyber threat exposures, and develop cyber policy plans that can adequately manage any potential threats.

Enterprises are not alone. Insurers have been significantly impacted by the rapid growth of cyber-attacks and burdened with the dramatic increase in claims losses from the policies sold. In 2020, the insurance industry is estimated to have faced more than a 27 percent increase in the number of claims, primarily driven by the increasing intensity of ransomware and phishing attacks, according to a report by insurance company Allianz. As these threats evolve and their severity increases, insurers are constantly facing the challenge of controlling these claims losses.

While the global pandemic has accelerated technology adoption, at the same time, it exposed cyber vulnerabilities and under-preparedness in enterprises, an analysis of the World Economic Forum’s Global Risks Report 2021 found. As the adoption of complex technologies such as AI/ML (artificial intelligence/machine learning) tools, IoT (Internet of Things) devices, and cloud infrastructure has increased, so too has the complexity of cyber-attacks. While cyber-threats such as phishing, ransomware, trojans, and botnets have remained prevalent, risks exist for more evolved and unknown strikes such as industrialized social engineering attacks.

With the growing sophistication of cyber-attacks, the average cost per attack for firms has also gone up. According to a survey conducted by McAfee, 67 percent of the surveyed companies reported that the average cost per attack was more than US$500k. Addressing the threat of cyber risk and plugging these losses is a critical priority for business leaders. However, efforts to back up IT resources and data and set broader cyber response plans have been limited due to a lack of expertise.

Cyber risk measurement and analytics needed

Today, we are observing an increase in demand for cyber risk measurement and analytics capabilities as organizations look for the right cybersecurity talent and technologies to help address these challenges. Insurers are trying to provide enterprises with the right cyber insurance policies to help curb these losses. However, they face their own set of challenges, including the underwriting of cyber insurance policies. A lack of historical data limiting their ability to accurately model risks, drive precision in pricing risks, and create coverage loss limits. Some cyber events go unreported, challenging insurers to get adequate information on cyber-attacks. Without an accurate cyber risk assessment, these policies may be ineffective, exposing insurers to significant losses in a major cyber event.

Another key challenge for insurers while underwriting cyber risk is ‘accumulation risk.’ While dealing with cyber risk, insurers must be aware of the increasing interconnectedness within networks that lead to dependent vulnerabilities of the commonly used systems that may translate into an untargeted spread of the attack to the adjacent networks. This adds a layer of complexity to underwriting, taking into consideration an unplanned impact on a larger number of clients.

Mounting claim losses raises concern

Growing claims losses due to increasing frequency and severity of attacks is another key concern for insurers. In mid-2020, an American GPS and fitness tracking company was a victim of a ransomware attack where a demand was made for US$10 million to get its systems back online. Similarly, in other cases companies have faced large monetary and non-monetary losses that translated into an increasing loss ratio for insurers. In the US, the average loss ratio for the top 20 insurers (who offer standalone cyber insurance policies) by Direct Written Premium in 2019 increased to 48.2 percent from 34.5 percent the prior year, according to a report on the US cybersecurity insurance market. For 2020, these loss ratios are expected to shoot up dramatically, given that the industry has already started calling 2020 a loss-making year for cyber coverages.

Managing cybersecurity risk is all about anticipating loss and building a sound strategy and plan to both prevent and quickly respond to threats by taking these actions:

  • Enterprises must beef up cybersecurity capabilities and invest in the right set of technology and talent levers to bolster cyber risk assessment capabilities
  • Insurers must identify the full set of dependencies to assess the complete severity of the attack

Failure to embrace cyber risk management could have severe consequences and leave organizations so far behind that they may be unable to catch up. To address these challenges, enterprises and insurers must proactively work together to mitigate cybersecurity risk.

Next in this three-part series is Cyber Insurance Market Dynamics, where we will discuss the measures taken by both enterprises and insurers to address these challenges. While enterprises are investing in Identity and Access Management (IAM) software, endpoint encryption, and other technologies, insurers are putting their money into bolstering underwriting efforts to model cyber risks more accurately.

If you’d like to share your observations or questions on the evolving cybersecurity and cyber insurance landscape, please reach out to Supratim Nandi ([email protected]), Mehul Khera ([email protected]), or Barbara Beller ([email protected]).

.

Taking a Value Chain-led View to Secure Healthcare Enterprises | Blog

February 24, 2020

Between 2018 and 2019, the US healthcare industry experienced a five-fold increase in patient data breaches, with hacking accounting for more than 88 percent of them. More than half of the targeted entities were healthcare providers, primarily due to inadequate investments in cybersecurity and the negligence of unsuspecting employees.

Patient data is sacrosanct for the healthcare industry given its highly sensitive nature. In fact, patient Electronic Health Records (EHRs) are priced 10 times higher than credit card information on the dark web. Given that healthcare data is a lucrative target for cyber attackers, healthcare CXOs need a guided approach to secure their patients and enterprises against cybersecurity threats.

A value chain-led view of cybersecurity

Healthcare enterprises are becoming increasingly vulnerable to attacks as patient-centric care takes center stage and care delivery models such as mHealth and remote monitoring become commonplace. So, they must identify their crown jewels – patient data, care delivery applications, and medical devices, among others – across the value chain and allocate their cybersecurity investments accordingly. To do so, they need to contextualize threat intelligence, understand attackers’ behavior and intent, and make appropriate investments in cybersecurity to increase preparedness and reduce response time in the event of a breach.

Stress-testing the value chain-led view

To hack-proof their estates, healthcare enterprises need to adopt a value chain-led view to identify and alleviate cybersecurity concerns across four areas:

  • Patient engagement: Patient care starts as soon as a patient is made aware of a health condition. To prevent any patient data leaks, healthcare applications must be HIPAA-compliant, designed with patient privacy at the center, and have strong identity and access management controls.
  • Care/case management: The primary activities in care/case management are appointment scheduling, remote consultations, and mHealth application use, for which physicians need access to sensitive EHR data. It’s important to incorporate patient identity verification and data security layers for EHR access, as well as to build in network and endpoint security protocols to protect EHRs and devices connected to them.
  • Diagnostics, treatment, and monitoring: As medical devices increasingly connect to the provider network, malware attacks aimed at halting care operations threaten to disrupt hospital functioning. Healthcare enterprises can strengthen their endpoints by adopting malware protection, endpoint detection and response solutions, and device management software. Additionally, providers need to prevent unauthorized access to their systems.
  • Financials and network management: Providers should also invest in data and network security to make sure all patients’, payers’, and banks’ financial transactions are safe and secure.

Here’s an example of how a healthcare provider can prioritize its IT security investments in accordance with its business priorities by taking a value-chain view.

digital healthcare provider enterprise

Setting the wheels in motion

Once healthcare enterprises have identified what to do to bolster security across the value chain, they need to think about how to do it. We recommend a three-phased approach:

  • Prioritize: Enterprises need to prioritize their investments and chart out a strategic and technical implementation roadmap. Having a cyber architecture in place, along with a future security plan, will aid implementation.
  • Evangelize: Once implementation begins, providers should address internal risks and change management by combining a consultative approach with a sharp focus on managed services. They should ensure that all business units across the value chain are involved for a harmonized security view.
  • Protect at scale: They should also invest in talent, short-term detection, and long-term threat investigation capabilities across the value chain, as well as solutions contextualized for threat management.

A real-life example of the value chain-led approach in action

US-based Trinity Health adopted an enterprise-wide data security strategy in the aftermath of the WannaCry ransomware attack in 2017. It implemented an asset management plan to govern its connected devices and networks to improve its response to adverse events. It also instituted an event response team to isolate, contain, and deploy patches when threats were identified. Realizing that its employees could also be vulnerable targets, Trinity Health initiated exercises to help them recognize and respond to cybersecurity threats. And that’s not all; it also leveraged the National Institute of Standards and Technology (NIST) Cybersecurity Framework to redesign its procurement process, technology and security assessments, and supplier evaluation responsibilities to recover in case of actual emergencies.

In an industry committed to digital transformation and increasingly embracing patient-centric care, healthcare providers must devise a well-thought-out cybersecurity strategy to protect their crown jewels across the value chain. This is the only way they’ll retain patients’ trust, drive brand value, and ensure better outcomes for all stakeholders involved.

EG with tagline Neg
Linkedin-in Facebook-f Play Instagram
Better Decisions Powered by Tenacious Research    

Contact Us

Who We Are

About Us

Newsroom

Office Locations

Partners & Affiliations

What We Offer

Memberships

Custom Decision Support

Published Research

Careers

Why Everest Group

Explore Openings

Equal Opportunity Employer

Resources

Access Reports

Citation Policy

Everest Group Market Intelligence (EGMI)

Legal

Using the Reports Portal

©2023 Everest Global, Inc.         Privacy Notice          Terms of Use        Do Not Sell My Information

How can we engage?

Please let us know how we can help you on your journey.

Contact Us

"*" indicates required fields

Please review our Privacy Notice and check the box below to consent to the use of Personal Data that you provide.
Consent*