Cybersecurity is an international challenge. Cybersecurity threats are on the rise. Bad actors, including those that are nation-sponsored, focus on vulnerable targets and critical infrastructures. Healthcare has become a favorite target. The news media has been flooded by reports that the Change Healthcare cyberattack is having ‘far-reaching’ effects on providers, a dramatic example of the clinical and financial impacts of bad actors.
Complicating matters for IT professionals is aging infrastructure, particularly infrastructure that requires updates to meet cybersecurity and operational challenges. Many healthcare IT shops responded to the pandemic in heroic ways, prioritizing critical care and often delaying technology upgrades. Many provider organizations were forced to focus on priorities driven by the tyranny of the urgent.
Each month StarBridge Advisors conducts an all-hands meeting via videoconferencing to stay connected and talk about current issues and challenges. Generally, there are two presentations on relevant topics of interest. The topics for a recent meeting were “Technology Debt” led by Rick Pollack and “HHS’ New Cyber Performance Goals” led by Will Long, both luminaries in healthcare IT who have made significant contributions to the field at the national level. Common themes emerged during the discussion with this group of highly experienced advisors, all of whom have held very deep and broad roles as IT leaders. The themes common to cybersecurity and technology debt are:
- Awareness and understanding of the existing challenges and their potential impacts
- Money to mitigate the risks associated with the challenges
- Highly skilled IT professionals to make and execute plans to address the near, middle, and long-term challenges
- Risk assessments and ongoing risk management plans
- Benefits analyses to make the business cases
- Executive support
- Disciplined deployment to transition from current to future state
- Governance to ensure the challenges are prioritized against all the other competing initiatives and needs
- Education, training, and change management with strong, easily understood communications to explain, monitor, and ensure that the plans have the desired outcomes
Given the importance of technology debt, it’s worth your time to read Rich Pollack’s recent blog, which offers more pragmatic recommendations on how to manage, and hopefully avoid, technology debt.
Regardless of size, location, or services offered, all providers face the same or similar cybersecurity challenges. Organizations with money and size have the advantage. So, what can we do about those organizations, particularly rural and other small facilities – e.g., physician offices, ambulatory care settings, home care and hospice providers – that have neither the money nor the needed skillsets to address the threats?
To address the long-term and societal problems, I propose that cybersecurity should be treated as a utility given its essential role in modern society, similar to other utilities like water, electricity, and gas. The reasons include but are not limited to:
- Cybersecurity is essential for protecting other critical sectors such as finance and the aforementioned utilities from malicious attacks that could have devastating consequences.
- In an interconnected world, a cybersecurity breach in one area can have cascading effects across the entire network. Treating cybersecurity as a utility acknowledges its pervasive role in securing these digital interconnections.
- Cybersecurity is critical to public safety and national security. All entities in all sectors require reliable and secure communications.
- Consumerism is increasingly digital and depends upon all participants – sellers and buyers – conducting business and living their lives with confidence in the supporting infrastructures.
- All individuals and entities, regardless of their size or resources, would benefit from equitable and equal access to better, consistent, and standardized cybersecurity measures.
- A centralized approach would allow more comprehensive information sharing and allow cybersecurity experts to monitor emerging challenges and coordinate more dynamic responses to them, more quickly and effectively.
- A utility with regulatory oversight may be the most pragmatic and practical approach to enforce cybersecurity standards.
- A system for funding based on need may allow those under-resourced businesses to achieve the same protections that only well-resourced businesses have today.
Framing cybersecurity as a utility emphasizes its critical role in maintaining the functionality, security, and resilience of our interconnected world. This perspective advocates for a comprehensive, standardized, and regulated approach to cybersecurity to ensure the well-being of individuals, businesses, and nations in the digital age.
Perhaps it’s time to consider creating a private-public partnership (PPP) whose guiding principle is to adapt to evolving cybersecurity threats and technologies, embracing adaptability and continuous improvement. Part of the charter for the PPP would be to determine whom to help, how and when to help, how to distribute resources, and how to fund the efforts. It is imperative that such a utility help organizations of all sizes, with an early focus on bringing under-resourced organizations into compliance with best practices, which are sure to keep evolving.
There are already many groups working independently, yet I’m not sure that funding for the under-resourced is getting the attention it requires. Funding mechanisms for the cybersecurity utility could involve a combination of public funding, private investment, and potentially user fees. That is for the leaders of the utility to determine by working with a wide range of stakeholders. Funding the utility itself only gets the plan up and running. It is essential to find a practical, pragmatic, and sustainable approach to funding, not just for the utility but for all the constituencies who make up the 16 critical infrastructure sectors as defined by the Cybersecurity & Infrastructure Security Agency.
I recommend that the National Institute of Standards and Technology (NIST) lead the overall effort, using the Health Sector Cybersecurity Coordination Center (HC3), an effective PPP, as a model for working with the 15 other critical infrastructure sectors. NIST’s Cybersecurity Framework (CSF) 2.0 doesn’t address funding, nor does it mention the establishment of a utility. The newest HC3 plan addresses the “existence of funding” as a measure of success twice, but funding as a goal is not mentioned. Future planning efforts for both should address funding mechanisms for all.
Healthcare participants share a common goal which depends upon cybersecurity. Patients and families in all communities deserve and must have equal safeguards to ensure their care, privacy, security, and the sacred trust they put in the providers are protected. Surely, leaders of the other sectors feel the same way about the constituents they serve. Let’s plan for a cybersecurity utility and execute now.