We’ve talked a lot in the past about the important criteria for choosing security partners, but never from the unique perspective of healthcare. And, given the need for many healthcare organizations to combat growing ransomware, often with limited budgets, we felt now would be a good time to dig into this important topic from an industry perspective.
For small and mid-sized healthcare organizations, protecting patient and partner data, and valuable research from cybercrime is essential. But for many, it feels nearly unattainable. Constantly bombarded by attacks that are becoming ever-more sophisticated, and playing catch up around cybersecurity for other industries, it’s safe to say that many clinics and practitioners need help.
But from where? With something so critical to the safety of your organization, what are the top things one needs to look at when choosing cybersecurity vendors and partners?
For an easy-to-use checklist to help you evaluate any cybersecurity vendors you’re considering, check out our Cybersecurity Vendor Evaluation Package. Meanwhile, read on as we try to break down four of the key considerations that every healthcare provider should pay close attention to when picking a cyber-security partner to work with.
You probably wouldn’t buy a new car sight unseen. A Proof of Concept (POC) is similarly your chance to kick the tires of the security service or technology you’re thinking of implementing.
Have the vendor you’re considering test their tools live in your environment and see it in action. Only then can you have a real sense of how their solution or service will improve your security posture. In security terms, a few acronyms exist to describe this; POC, BAS (Breach Attack Simulation), or BSAD (Breach Simulation and Attack Detection); ActZero calls ours a Readiness Assessment, and we’ve developed one that takes into account the nuances of defending healthcare (more on that later!)
Internally, a POC may be an essential component in getting greater buy-in from across the organization. And, given that healthcare organizations significantly lag behind many other industries in cybersecurity investment, this is even more crucial.
A POC also confirms that the vendor is listening to you and has familiarized themselves with the needs of your organization. If the vendor or service provider isn’t willing to conduct testing and show how their technology works in your live environment, that may be telling evidence as to how willing they will be to tailor their solution to the specifics of your environment, as well as a clue as to how well it will run on your network without disruption.
Before engaging, you should ask how long it will take to roll out the final technology solution across your environment. Time is of the essence in cybersecurity, especially around detection and response.
Today, it takes many healthcare organizations tremendously longer to contain a breach than other industries (On average 1,037 days versus 69 days in general, according to research by the Ponemon Institute). During that time, hackers can continue to run rampant through the environment, stealing sensitive data and causing disruptions.
Your vendor should be able to provide turnaround times for deployment, as well as when you’ll see value from their solution. At ActZero, our POC (the Ransomware Readiness Assessment) takes four hours, compared with the four to six weeks of many cybersecurity companies. The average ‘dwell time’ — the period of time criminals have access to your infrastructure — our solution yields is only 18 minutes; other solutions we’ve tested during our POC yield more than an hour and a half.
A vendor or supplier should be upfront with delivery timelines and expectations. Beware ones that are vague or non-committal around dates.
- Can they discuss the business case for cybersecurity?
Healthcare organizations are in the business of saving lives and helping patients live better healthier ones. Making the case to business leaders or hospital boards for greater investment in security can be a challenging one.
That might be why money goes to the new MRI machine before it goes to preventing and responding to the disease plaguing the IT environment: ransomware. Still, cybersecurity is a business issue, and with every year and every new and devastating breach in the news, the impact becomes one that the business can’t ignore.
Your cybersecurity partner must be able to speak to the business value of their services, and able to work with you to illustrate them. Why do healthcare organizations — small, medium or large — need to prioritize cybersecurity? (For a more in-depth look at the reasons why, check out our recent eBookon Modern Cybersecurity for Healthcare.)
For organizations without dedicated cybersecurity personnel, like many small and mid-size organizations, ActZero provides an optional virtual CISO (vCISO) to complement our Managed Detection & Response Service, that can address the real business need in terms healthcare leaders understand.
- How do they engage with their customers?
Like the willingness to conduct a POC and provide clear timelines, take a hard look at how the cybersecurity vendor engages with you.
At ActZero we often begin with Healthcare Ransomware Readiness Assessment that demonstrates what to expect working with us. This free assessment provides:
- A scan for compromised credentials on the Dark Web
- A scan for attack intent against your organization, sometimes called ‘mentions’, on the Dark Web
- A ransomware simulation against an endpoint of your choosing
- Interviews and consultations with stakeholders about compliance controls
- A report and review session with leadership
But true engagement is more than a POC or free assessment. How will the vendor work with you (and vice versa) hand-in-hand once the solution is in place?
At ActZero this is through our customer portal, which is a series of dashboards providing the specific details you need on incidents, connections across the environment, vulnerabilities, patches, security hygiene, and more.
When selecting a security partner it’s critical to find one that listens to the organization’s challenges and needs, and is willing to prove the value of their solution upfront. We’re keen to do just that, so we welcome you to put ActZero to the test with our complimentary Healthcare Ransomware Readiness Assessment.
In only a few hours (see, there’s that timeline!), we’ll diagnose exposures in your network, identify existing breaches, and provide you with a prescription to remediate any risks.