  • 10 min read
  • Apr 8, 2025 7:12:05 AM

How HIT Leaders Balance Cyber & Business Continuity Risks


Healthcare organizations must minimize the cyber risks to the organization, working to secure critical assets and sensitive data. At the same time, they must work diligently to ensure nothing ever comes in the way of their ability to deliver care — with business continuity and uptime being entirely non-negotiable. The show must always go on.

So what happens when improving cybersecurity means pushing changes that could require downtime or interfere with the existing system design? It's a question that's all too familiar to the IT, Security, and Operations teams within healthcare delivery organizations. And unfortunately, there's rarely an easy answer.

A Complex Balancing Act

In Health Information Technology (HIT), effective risk management ensures that sensitive information is protected from cyberattacks and breaches while also ensuring compliance with regulatory frameworks like HIPAA.

Meanwhile, operational excellence in HIT involves optimizing processes, improving efficiencies, and delivering continuous, undisrupted, quality services. It's all about business continuity. And managing both cyber risks and business continuity risks is vital. In practice however, they're often pursued at each other's expense.

In hopes of cracking the code on that conflict, we sat down with HIT leader and University of Kansas Health System CISO Michael Meis for a webinar on Risk Management & Operational Excellence in Healthcare IT.

During our conversation, Michael shared his recommendations for finding ways to balance the need for cyber-minded change with the need to keep things constantly going — and how to improve your standing in one of these pursuits without a decline in the other. 

From Visibility to Action: Building a Proactive Security Posture

While visibility is an important component of keeping an organization secure, effective cybersecurity must also be actionable and proactive. As Michael explains, "We can see things now that we couldn’t see or even dream of seeing 5 or 7 years ago. And now we know there’s blood all over the floor. So the pertinent question is what you're going to do to clean it up?”

In other words, successful security solutions need to not only identify issues but also fix them. As Michael tells it, the "how do we fix it?" question is always at the forefront of his mind, and it needs to be answered and re-answered in different ways every day.

According to Meis, configuration posture management represents an especially vexing challenge. "It's like stopping to ask yourself, 'Did I lock the door before I left home today? Did I close all the windows? Is my garage door closed?' I need to keep a running tally of all of the digital equivalents of things that would just allow someone to walk in and take my stuff."

Under Michael's watch, UKHS maintains a baseline configuration standard across their environment and actively monitors for any deviations — especially on public-facing systems. Once identified, deviations can then be addressed quickly in collaboration with their endpoint infrastructure teams. It's important, Michael notes, that the baseline be regularly reviewed and updated, since what was secure a year ago may now be "very exploitable."

The Shifting Red Line of Acceptable Risk

In healthcare, the stakes are high. With life-and-death situations and deeply personal data in play, acceptable risk must be carefully defined and regularly re-evaluated.

This is because acceptable risk is a moving target. IT leaders often hesitate to implement changes due to the fear of downtime or disruption, leading to prolonged inaction. But as time passes, those unaddressed risks accumulate. And what was once tolerable becomes dangerous.

As Michael explains in the webinar, the key lies in aligning security with real-world usage. By asking how users need to interact with their devices — and how those devices are actually being attacked — security teams can strike a workable balance between protection and functionality.

For instance, UKHS had long struggled to eliminate SMBv1, an outdated and exploitable protocol. With GYTPOL, they were finally able to detect where SMBv1 was still active, disable it where appropriate, and track exceptions based on business need. When those exceptions were no longer justified, they could remove them with a click, adapting their risk posture in real time.
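The baseline-and-deviation approach described above, applied to the SMBv1 case, as an added illustration that is not GYTPOL's or UKHS's code. It assumes an elevated PowerShell session on a Windows 10/11 or Server 2016+ host, and the exception file path and its JSON layout are assumptions of this example.

```powershell
# Added example: audit this host against a baseline of "SMBv1 disabled",
# honour time-boxed business exceptions, and optionally remediate.
param(
    [string]$ExceptionFile = "C:\Baseline\smb1-exceptions.json",  # assumed path
    [switch]$Remediate
)

# Baseline check: SMBv1 must be off both as a server protocol and as the
# client-side optional feature.
$serverSmb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
$clientSmb1 = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State -eq 'Enabled'

$deviations = @()
if ($serverSmb1) { $deviations += 'SMB1 server protocol enabled' }
if ($clientSmb1) { $deviations += 'SMB1Protocol optional feature enabled' }

# Exceptions carry a business reason and an expiry date. Assumed layout:
# [ { "Host": "LAB-PC01", "Reason": "legacy imaging device", "Expires": "2025-06-30" } ]
# An expired exception no longer counts, so the deviation resurfaces on its own.
$active = @()
if (Test-Path $ExceptionFile) {
    $active = (Get-Content $ExceptionFile -Raw | ConvertFrom-Json) | Where-Object {
        $_.Host -eq $env:COMPUTERNAME -and ([datetime]$_.Expires) -gt (Get-Date)
    }
}

if (-not $deviations) {
    Write-Output "COMPLIANT  $($env:COMPUTERNAME): SMBv1 disabled"
} elseif ($active) {
    $e = $active | Select-Object -First 1
    Write-Output "EXCEPTION  $($env:COMPUTERNAME): $($deviations -join '; ') (reason: $($e.Reason), expires $($e.Expires))"
} elseif ($Remediate) {
    # Turn the protocol off server-side and remove the client feature.
    if ($serverSmb1) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
    if ($clientSmb1) { Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null }
    Write-Output "REMEDIATED $($env:COMPUTERNAME): $($deviations -join '; ')"
} else {
    Write-Output "DEVIATION  $($env:COMPUTERNAME): $($deviations -join '; ')"
}
```

Run without `-Remediate` from a scheduled job to report drift; run with it only for hosts that have no active exception.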

Ultimately, healthcare delivery organizations (HDOs) must recognize that risk tolerance expires. Technical debt turns into security debt, and the cost of waiting only grows. Organizations need to ask themselves what level of risk they are willing to take on. And they must continually assess where they stand in relation to that determination, understanding that technical debt compounds over time and that unresolved security gaps lay out the welcome mat for bad actors to attack.

Fast ROI and Long-Term Value

When it comes to getting budget for innovation, value needs to be clear and fast. That's because when something is truly innovative, it won't likely fit into any pre-existing budget line item, which can present a challenge. This is why Michael always uses a proof-of-value (POV) model to justify new technologies.

Michael works with the vendor to design a cost-friendly trial that proves the point and clearly demonstrates value over a limited portion of the estate and a relatively short span of time. That way, by the time the purchase goes through procurement, the value is already clear.

When it came to GYTPOL, for example, UKHS started their POV in the morning and by lunchtime it was running across a couple thousand devices. That speed translated to immediate visibility and remediation, which translated to rapid value realization.

Significantly, that momentum has been maintained for over a year now. GYTPOL has saved UKHS an estimated 3,000 people-hours — nearly two full-time employees' worth of time. GYTPOL has further helped by identifying and fixing issues they previously didn’t even know existed. Overall, the HDO says it's been able to reduce organizational risk by over 30%.

“It's really been a key part of our risk reduction strategy,” Michael says. Ultimately, it's allowed the team to fill critical gaps in their security stack that they hadn’t been able to address before.

Michael admits he was skeptical at first. When he met Tal Kollender, GYTPOL's founder, he didn't believe the platform could do what it claimed, or even that there was a big enough problem that he needed to address. But after seeing it in action, the results spoke for themselves — not just in findings, but in how quickly his team could act on them.

“The number one thing that surprised me was how many problems still existed that I thought we had solved a while ago. It was like a slap to the face,” explains Meis.

But evidently it was a good slap, as Michael describes it as the epitome of a smart technology investment: something that serves as a force multiplier, empowering teams to do more. "If it's not enabling your team to do more than they were doing yesterday, what's the point?"


Managing Cyber & Business Continuity Risks Without Tradeoff

To succeed in a constantly evolving threat landscape, healthcare delivery organizations must find a way to align their Security and Operations prerogatives.

As demonstrated by the University of Kansas Health System, this can be achieved by shifting from reactive to proactive security measures, embracing automation, and fostering a culture of accountability.

Watch the full interview for real-life examples of dilemmas faced by UKHS and how Michael and his team built a system of accountability, embraced continuous improvement, and focused on processes and mechanisms that scale.

We also dive into the importance of posture management, process automation, and error elimination in developing a program of complementary risk minimization and business continuity without consuming undue resources or, worse, risking disruption.

Stream the session to learn:

  • How healthcare IT leaders define and navigate “acceptable risk”
  • The hidden dangers of cyber risks accumulating over time
  • Why inaction can be just as dangerous as making the wrong move
  • How HIT teams can move beyond visibility to accountability and proactively clean up misconfigurations
  • The role of configuration posture management and process automation in risk reduction
  • Practical lessons from UKHS’s journey with GYTPOL and how it became an integral part of their cybersecurity strategy
  • Predictions for the future of cybersecurity

The success achieved by the University of Kansas Health System is enviable, but it's also entirely replicable, especially since Michael's been kind enough to give you a cheat sheet. So what are you waiting for?


Get key insights on cybersecurity and operations — check out our webinar »

About Author

Linda Ivri

Fueled by curiosity, Linda is a senior marketer who thrives on decoding the complex challenges where cybersecurity meets business operations.