A Healthcare Company Offers Best Practices for Security Incident Response

Cyber security is truly an exercise in managing daily chaos to prevent a negative impact on the organization. Information security leaders are conductors of a vast orchestra of people, processes and technology that must all play from the same sheet of music. Their job gets more difficult every year as the scope of what needs to be protected grows, along with scrutiny from external and internal stakeholders.

A large healthcare organization, with dozens of hospitals and tens of thousands of employees, has cracked the code when it comes to managing an effective cyber security program. They’ve developed a way to automate processes and engage business owners so they can make better decisions and improve safety.

During a case study presentation at Rsam’s annual User Conference this week, the information security leader of the healthcare company provided his insights about successfully managing IT security incidents. His team approached security with this mindset:

  • Activities aren’t as important as outcomes
  • Failures can occur at any time and a breach can happen on any day
  • Small events can quickly explode into large events that carry risk

With that in mind, they set out to create a world-class cyber security program. The organization realized their current homegrown systems couldn’t scale or adapt to meet their future goals. They selected Rsam’s Security Incident Response solution because it gave them the ability to:

  • Integrate data with external systems
  • Tailor workflows
  • Contain costs
  • Demonstrate improvement to stakeholders

The organization’s security leader said the platform lets them address the complexity of their unique workflows. They can deploy and tune the platform as needed because Rsam doesn’t force them down a certain path; rather, it provides the flexibility for them to create a path that makes sense for their organization.

Since implementing Rsam, the healthcare organization can more easily manage their complex environment. All threat events and incidents are presented to users together with the related control, solution and risk scenario content. Analysis is streamlined, allowing them to respond faster. For example, the company has a large set of core security scenarios. Tier 1 analysts get the precedents and escalation criteria for each scenario, presented in a way they can understand. Instead of wasting time escalating up the chain, Tier 1 can solve common issues quickly.

Some best practices shared include:

  • Accept that cyber security is a journey. Goals are reached over years, not months.
  • Make sure stakeholders are involved, bought in and empowered to make decisions that relate to their business.
  • Figure out the natural workflow of the organization and leverage it. Don’t force workflows on business owners; adapt to what’s already working.
  • If you assign an action to a business owner, make sure they actually have the power to take action.
  • Don’t aggregate problems to the point you lose visibility into systemic risk.
  • Decision makers need line of sight down to the tactical level of execution.
  • Leaders need the ability to see where real problems lie, without the need for security analysts to interpret.

Many organizations share common challenges when it comes to security incident response. The issues are real but not insurmountable with the right focus and leadership.