
How to get buy-in for healthcare cybersecurity investments
Healthcare CIO Michael Archuleta focuses on FOR -- finances, operations and reputation -- as part of his cybersecurity investment strategy.
Healthcare CIOs are focused on several fronts right now due to the COVID-19 crisis. They are enabling a remote workforce as well as helping stand up telehealth initiatives and patient monitoring programs, all of which introduce new access points into healthcare networks and make a strong healthcare cybersecurity strategy more critical than ever.
But healthcare cybersecurity can be an uphill battle for CIOs and CISOs, who are responsible for raising awareness in the organization as well as making the case for technology investments to those who control the purse strings.
In this Q&A, Michael Archuleta, CIO at Mt. San Rafael Hospital in Trinidad, Colo., talks about how he gets executive buy-in for critical healthcare cybersecurity initiatives and explains why the healthcare industry needs to reinvent itself.
As a CIO, how involved are you in security?
Michael Archuleta: I'm in the trenches when it comes to cybersecurity initiatives. We are currently outsourcing to a [virtual] CISO, but it has been one of my critical points. Cybersecurity isn't just about data security, it's also a matter of life and death … the problem is a lot of [IT] organizations are having a hard time selling cybersecurity investments to the organization because the boards of directors don't understand what cybersecurity is.
How do you get the board of directors to invest in cybersecurity?
Archuleta: My cybersecurity buy-in success has been focused on what we call FOR -- financial, operational, reputational. Those are critical elements that the board of directors and additional executive teams understand. What would happen to this organization from a financial standpoint if a cybersecurity breach happened? What would happen to this organization from an operational standpoint if a cybersecurity breach happened? And what would happen from a reputational standpoint if a cybersecurity breach happened? That is a critical element of starting the conversation. Trying to develop a strong return on investment to show the benefits of specific tools we're implementing or bringing back to the organization is also a critical element.

What cybersecurity tools or practices are you using?
Archuleta: We're focusing a lot on creating strong cybersecurity awareness training programs … of understanding what cybersecurity is … and building teams that collaborate and help change the culture of the organization. If you look at last year's numbers, 91% of all ransomware attacks targeted at healthcare organizations came through a phishing email, and those phishing emails are basically targeting our employees.
We're also utilizing artificial intelligence [and] predictive analytics. We're looking at specific abnormalities within our network environment to basically predict an attack before it happens. We're also utilizing a product through a company called Cylera that allows us to have full visibility of all internet of things [devices]. Having that full visibility assists you in developing a plan to ensure mitigation of risk within the environment -- because when you look at medical devices, that's becoming a major problem. We're also incorporating smart technology like identification management, single sign-on and two-factor authentication.
How do you view the future of cybersecurity in healthcare?
Archuleta: This industry has to reinvent itself. We're starting to really see the Googles, the Apples, the Amazons of the world, taking more of a driving approach on healthcare. This industry needs a major disruption. If you look at the iPhone alone and see all the security essentials that are associated with it, you have full facial recognition … and they're continuing to improve on that. Why can't we do that on the healthcare standpoint, especially on an identification management standpoint or for patients coming in? We would see so many fewer breaches moving forward. But again, this industry has been so behind the curve when it comes to technology … we need to continue to innovate, continue to think outside the box. We need to make sure that the cybersecurity team has a seat at the table. We need to make sure there is full understanding from the financial, operational and reputational standpoint, a culture built around cybersecurity and an understanding of what it brings.
Editor's note: Responses have been edited for clarity and brevity.