How HIT Leaders Balance Cyber & Business Continuity Risks

In today’s fast-evolving healthcare threat landscape, it's more important than ever to intelligently navigate the intersection of IT and business continuity risks. Healthcare organizations must minimize the cyber risks to the organization, working to secure critical assets and sensitive data. At the same time, they must work diligently to ensure nothing ever comes in the way of their ability to deliver care — with business continuity and uptime being entirely non-negotiable. The show must always go on.
So what happens when improving cybersecurity means pushing changes that require downtime or that could interfere with the existing system design? It's a question that's all too familiar to the IT, Security, and Operations teams within healthcare delivery organizations. And unfortunately, there's normally not a very good answer.
A Complex Balancing Act
In Health Information Technology (HIT), effective risk management ensures that sensitive information is protected from cyberattacks and breaches while also ensuring compliance with regulatory frameworks like HIPAA.
Operational excellence in HIT involves optimizing processes, improving efficiencies, and delivering continuous, undisrupted, quality services. It's all about business continuity. And managing both cyber risks and business continuity risks is vital. In practice, however, they're often pursued at each other's expense.
We'll be exploring this topic in our upcoming webinar, Risk Management & Operational Excellence in Healthcare IT. The fundamental question we're looking to answer is this: can the seesaw effect be avoided?
In order to improve your standing in one of these pursuits, does the other need to decline?
To answer that question, we'll be joined by HIT leader and University of Kansas Health System CISO, Michael Meis. Michael will share how he balances the need for cyber-minded change with the need to keep things constantly going.
He'll delve into the concept of "acceptable risk", how it's defined, and how he's navigated the grey areas throughout his career — sometimes wisely and sometimes unwisely.
Of course, it can be something of a moving target.
When IT changes can lead to outright downtime or downstream disruptions, erring on the side of caution usually means inaction. Over time, however, those acceptable cyber risks accumulate and become less acceptable. Similarly, what might be deemed an acceptable risk when the cost of the fix is too high or its reliability too low suddenly becomes unacceptable when those things change.
HDOs must determine what level of risk they are willing to take on. And they must continually assess where they stand in relation to that determination — understanding that technical debt compounds over time and that unresolved security gaps lay out the welcome mat for bad actors to attack.
Managing Cyber & Business Continuity Risks Without Tradeoff
The webinar will include real-life examples of dilemmas faced by the University of Kansas Health System (UKHS) and how Michael and his team managed them. The guiding strategy: building a system of accountability, embracing continuous improvement, and focusing on processes and mechanisms that scale.
The conversation will touch on the importance of configuration posture management, process automation, and error elimination in developing a program of complementary cyber and business continuity risk minimization. By adopting proactive security measures and leveraging automation, UKHS was able to strengthen its defenses without consuming undue resources or, worse, risking disruption. Now Michael wants to help others do the same.
Tune in for his expert insights and to learn:
- How healthcare IT leaders define and navigate “acceptable risk”
- The hidden dangers of cyber risks accumulating over time
- Why inaction can be just as dangerous as making the wrong move
- How HIT teams can move beyond visibility to accountability and proactively clean up misconfigurations
- The role of configuration posture management and process automation in risk reduction
- Practical lessons from UKHS’s journey with GYTPOL and how it became an integral part of their cybersecurity strategy
Success Worth Replicating
To succeed in a constantly evolving threat landscape, healthcare delivery organizations must find a way to align their Security and Operations prerogatives.
As demonstrated by the University of Kansas Health System, this can be achieved by shifting from reactive to proactive security measures, embracing automation, and fostering a culture of accountability.
To learn more about how such a program can be put into practice, join us on March 24th for what's sure to be a lively conversation. Don’t miss this opportunity to learn how leading healthcare organizations are tackling these challenges head-on.
About Author

Linda Ivri
Fueled by curiosity, Linda is a senior marketer who thrives on decoding the complex challenges where cybersecurity meets business operations.