The Case for a Cybersecurity Framework

I found this HIMSS Podcast and article to be timely and interesting.

The Case for a Cybersecurity Framework
August 05, 2019by Bayardo Alvarez, Director, Information Technology, Boston PainCare Center; HIMSS member and part of the HIMSS Global Conference & Exhibition Success Stories initiative
Growing Pains
So, what can healthcare organizations do to enhance their cybersecurity posture? Where can they find reliable, proven and universal guidance to secure their data and IT systems? How do they address security in new and emerging technologies? These were some of the questions we asked ourselves within my organization. As a young pain management practice, we developed internally and over time, a set of policies, procedures and controls that kept our data and network safe. Nevertheless, as we grew and matured, as we incorporated new technologies and complex systems into our network, and as our providers required new and better ways to access information and deliver care, we found ourselves more often searching for answers to these questions.
Enter the Framework
We knew that cybersecurity frameworks were instruments used to guide information security programs in large organizations. They offer processes, standards and methodologies to improve cyber defenses, and are often the product of a consensus-driven collaborative effort by large communities of experts in a variety of fields and industries.
At a first glance, these frameworks appeared intimidating. A vast collection of processes, diagrams and documents, which were so broad and comprehensive that we could hardly imagine implementing them in a small practice like ours.
However, as we looked closer and learned more about the different alternatives, we found that some frameworks possessed characteristics and offered certain benefits that would make them a good fit for our organization. As we dove deeper into our research, we realized that adopting a cybersecurity framework was feasible, and not a far-fetched idea as we initially thought.
Building the Case
The initiative to adopt a cybersecurity framework would have to be planned as a multi-year program, broken into various phases so that we could learn and adapt as we moved along from one phase to the next. We also wanted to gauge our progress in small periods of time, using the results of the previous phase to encourage and motivate our team into the next one.
The framework we were to select would have to be modular and flexible, allowing us to choose which parts and in which order to implement them. It would have to be easy to understand, since people from different backgrounds would be assisting and participating in the process. The framework would have to be easily scalable, which in our case meant scaling down to an organization of our size.
We already had a number of effective policies and safeguards in place, so our ideal framework should allow us to incorporate these into our program. Finally, we wanted a framework with the lowest cost of entry and with documentation and supporting material freely available, avoiding the process of procuring a budget and scoring an easier buy-in with management.
As of This Writing …
After a careful, thoughtful and well-informed analysis of our options, we selected a framework that best met our requirements and offered the benefits we were looking for. We are today in the very first phase of adoption and pleased with the wealth of information and supporting documentation we have found through different organizations that support and endorse our framework. We are encouraged with the progress we are making, and are excited and looking forward to the upcoming phases.