Seeking a Risk Intelligence Model for Long-Term Cyber Resiliency? Look to Healthcare.

My sister is a PhD and an RN who has spent a 20-year career in healthcare, but she doesn't give shots or dress wounds. Even though she has spent considerable time assisting in many heart transplants and trauma surgeries, her day-to-day duties over the last decade or so involve things like data modeling, collection, standardization, analysis and reporting. In fact, the work she has spent most of her career pursuing doesn't really look like a typical healthcare job at all.

Most often, you can find her running very small teams of data scientists and tech-savvy healthcare professionals on something called a Patient Safety Organization, or PSO.

PSOs, much like similar entities in the manufacturing and other industry sectors, were brought into being as healthcare organizations saw the critical need to have more control over a huge volume of negative, often avoidable and regrettably mostly fatal events. These PSOs grew from a recognition of the need to study what bad things happen (and how and to whom) over time in order to help prevent them and to make healthcare a safer place overall.

What does this actually mean, you may ask? Think about it for even a moment and it becomes clear pretty fast.

Healthcare is a dangerous endeavor. Not only do patients come into the hospital or clinic or doctor’s office with ailments, they can often leave with new ones.

Or, worse yet, they’re admitted, but never check out.

Medical procedures go horribly wrong, medicines are given in error and in erroneous dosages, monitoring and breathing equipment fails and patients can trip and fall over wheelchairs or on wet floors.

Even worse than accidents, many of the most prominent hospitals in the nation struggle with what has been called an epidemic of multi-resistant bacteria outbreaks that cause infections in otherwise healthy patient populations after they get to the hospital. There’s even a rarely-heard, special word coined just for this type of thing: nosocomial.

That refers to bad things that originate from the hospital.

That’s where PSOs come in. They provide risk intelligence. Just as in real-life battles against a difficult and sophisticated foe, PSOs are the vital strategy component that drives successful, focused tactics to make everyday healthcare safer.

As pointed out on Wikipedia, PSOs:

1. Collect data on the prevalence and individual details of errors.

2. Analyze sources of error by root cause analysis.

3. Propose and disseminate methods for error prevention.

4. Design and conduct pilot projects to study safety initiatives, including monitoring of results.

5. Raise awareness and inform the public, health professionals, providers, purchasers and employers.

6. Conduct fundraising and provide funding for research and safety projects.

7. Advocate for regulatory and legislative changes.

More than just implementing tactical changes to individual treatments or procedures, PSOs help individual organizations and the healthcare industry as a whole develop long-term resiliency against harm by collecting and analyzing the incidents that occur every day across a wide variety of healthcare functions and engagements.

In other words, healthcare organizations - steeped in scientific approaches to almost everything - realized that mitigating risk and making their whole environment safer for patients requires a diligent, permanent approach to knowing what risks exist, how they occur, what effects they have and what happens as a result.

You’d be surprised how powerful this kind of data is over time and what it makes possible for organizational safety.

In short, the key is that it takes tactics and strategy to fully mitigate risks over a long period. The evaluated data of a solid strategic approach informs and guides in ways ephemeral tactics cannot. The most critical cures in our day and age have not come about overnight, instead they have arisen over years of studying the problem and problem space.

Data diligence: it's simply a key part of good science.

Without long-term, strategic commitment to collecting, tracking, analyzing and evaluating data, it’s impossible to develop really effective long-term mitigation strategies that help doctors, nurses, hospitals, device and drug makers, as well as patients actually be safer over the long haul.

So, you may be asking how does this all relate to cybersecurity? The answer is again simpler than you think.

In today’s cyber defense world for almost all businesses, there is almost no commitment at the institutional or organizational level to a permanent, managed and scientific cybersecurity strategy component based on long-term commitment to data collection and analysis.

Sadly, today, cyber is dominated almost solely by tactics. Cyber defense has become all lever-pulling and button-pushing at an operator level. It’s the never-ending cycle of react, retreat, get hit again.

Can you imagine surgeons taking this approach? Not studying the data and historical information when trying to improve or innovate on existing tactics after something has gone wrong more than once? It's like saying, "well, that last one didn't work, let's try it again and see what happens! We can't live in the past!" That kind of approach is all tactics, no strategy.

The same goes for businesses.

Tactical defenses are critical, vital even, to cyber defense, but would you bet on the success of any business that didn't have leadership control, strategy and planning based on solid data diligence?

It's possible to win some battles this way, but the bigger war will always be lost. Again, just as with healthcare, data-driven strategy drives effective tactics.

Yet most businesses today (including healthcare) cannot say with any certainty how the cybersecurity tools or people they acquire and use align with their specific cyber problems. They can't say what kind of cybercrime affected them most, or least, over the last two quarters, or over the last year. They can't say which specific threats are trending up that match their own product or IT baseline dependencies. What has led to the most customer impact? The most web downtime? What has required the most dollars spent patching products? What kinds of patches cost the most? The least?

Most businesses today can’t say whether they’re focusing (i.e. spending) enough or too little in any given area.

Worst of all, nearly no business can say where they expect the highest near-term impact to come from against their operations/finances/legal budget/products/customers/partners. That would seem to be a valuable set of answers, would it not?

All of these questions, and many more, can be answered by establishing permanent, data-driven strategy development functions within the organization. What's more, just as with the PSO departments my sister runs, these kinds of groups within a bigger enterprise tend to be small staffs that cost relatively little compared with the payoff for the entire organization over its full lifetime.
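The questions above (which incident category hits us most over the last two quarters, which threats are trending up, which root causes cost the most in downtime, customers or patch spend) are exactly the ones an incident register answers once incidents are recorded consistently over time. The following is an added example, not code from the author or from SurfWatch Labs; the incident schema and the eight sample incidents are constructed for illustration, and the category and root-cause labels are assumed, not a real taxonomy.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Incident:
    """One recorded cyber incident (constructed schema for this example)."""
    occurred: date
    category: str          # assumed labels, e.g. "phishing", "ransomware"
    root_cause: str        # assumed labels, e.g. "unpatched-cms", "missing-mfa"
    downtime_hours: float
    customers_affected: int
    patch_cost_usd: float


# Constructed sample register spanning three quarters (not real data).
INCIDENTS = [
    Incident(date(2014, 1, 14), "phishing", "credential-reuse", 0, 3, 0),
    Incident(date(2014, 2, 2), "web-defacement", "unpatched-cms", 6, 120, 4000),
    Incident(date(2014, 4, 9), "phishing", "credential-reuse", 0, 5, 0),
    Incident(date(2014, 5, 20), "phishing", "missing-mfa", 0, 40, 0),
    Incident(date(2014, 6, 3), "web-defacement", "unpatched-cms", 9, 300, 6500),
    Incident(date(2014, 7, 11), "phishing", "credential-reuse", 0, 2, 0),
    Incident(date(2014, 8, 1), "ransomware", "phishing-attachment", 30, 1500, 2000),
    Incident(date(2014, 9, 17), "phishing", "missing-mfa", 0, 8, 0),
]


def quarter(d):
    """Calendar quarter label such as '2014Q3'; sorts correctly as a string."""
    return f"{d.year}Q{(d.month - 1) // 3 + 1}"


def counts_by_quarter(incidents):
    """Map quarter -> Counter(category -> number of incidents)."""
    out = defaultdict(Counter)
    for inc in incidents:
        out[quarter(inc.occurred)][inc.category] += 1
    return dict(out)


def most_frequent(incidents, last_n_quarters=2):
    """Category with the most incidents over the most recent N quarters."""
    per_q = counts_by_quarter(incidents)
    total = Counter()
    for q in sorted(per_q)[-last_n_quarters:]:
        total.update(per_q[q])
    return total.most_common(1)[0][0]


def trend(incidents, category):
    """'up', 'down' or 'flat' for a category across the last two quarters."""
    per_q = counts_by_quarter(incidents)
    quarters = sorted(per_q)
    if len(quarters) < 2:
        return "flat"
    prev = per_q[quarters[-2]][category]   # Counter returns 0 for unseen keys
    last = per_q[quarters[-1]][category]
    return "up" if last > prev else "down" if last < prev else "flat"


def impact_by_root_cause(incidents):
    """Total downtime, customers affected and patch spend keyed by root cause."""
    totals = defaultdict(lambda: {"downtime_hours": 0.0,
                                  "customers_affected": 0,
                                  "patch_cost_usd": 0.0})
    for inc in incidents:
        t = totals[inc.root_cause]
        t["downtime_hours"] += inc.downtime_hours
        t["customers_affected"] += inc.customers_affected
        t["patch_cost_usd"] += inc.patch_cost_usd
    return dict(totals)


def costliest_root_cause(incidents, metric):
    """Root cause with the largest total for one metric (e.g. 'patch_cost_usd')."""
    agg = impact_by_root_cause(incidents)
    return max(agg, key=lambda rc: agg[rc][metric])


if __name__ == "__main__":
    print("most frequent, last 2 quarters:", most_frequent(INCIDENTS))
    for cat in ("phishing", "ransomware", "web-defacement"):
        print(f"{cat}: {trend(INCIDENTS, cat)}")
    for metric in ("downtime_hours", "customers_affected", "patch_cost_usd"):
        print(f"largest {metric}:", costliest_root_cause(INCIDENTS, metric))
```

The point of the split between `category` and `root_cause` is the same one the PSO list makes: counting by category tells you what is happening, while aggregating impact by root cause (step 2, root cause analysis) tells you where a prevention effort would pay off. On the constructed data, phishing is the most frequent category, but the single ransomware incident's root cause dominates downtime and customer impact while the unpatched CMS dominates patch spend, which is the kind of distinction that decides where budget goes.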

Sounds like ROI to me.

Jason Polancich is founder and Chief Architect at SurfWatch Labs. He is a serial entrepreneur focused on solving complex internet security and cyber-defense problems. Prior to founding SurfWatch Labs, Mr. Polancich co-founded Novii Design, which was sold to Six3 Systems in 2010. In addition to completing numerous professional engineering and certification programs through the National Cryptologic School, Polancich is a graduate of the University of Alabama, with degrees in English, Political Science and Russian. He is a distinguished graduate of the Defense Language Institute (Arabic) and has completed foreign study programs through Boston University in St. Petersburg, Russia.