How vCISOs Collaborate to Defend Against Ransomware

When healthcare organizations lack the budget to hire an in-house CISO or have difficulty finding cybersecurity talent for their organization, they can look outside the organization for help.

With skills gaps and cybersecurity staffing shortages making it hard to hire a CISO, healthcare organizations can consider hiring a virtual CISO, an external partner who can develop, manage and carry out a health system’s cybersecurity strategy. A vCISO can address a health system’s technology and business goals, and can provide an independent perspective on how to mitigate threats such as ransomware attacks. After a health system uses a vCISO on a temporary basis, it may decide to hire the cybersecurity professional full time.

Daniel Sergile, consulting director for Unit 42 at Palo Alto Networks, defines a vCISO as “a cybersecurity adviser who can help companies with their security program, and what that looks like is defined by the customer.”

Click the banner to get the expertise you need to strengthen your ransomware protection capability.

A vCISO usually works offsite, away from the rest of an organization, notes Jason Kemmerer, solution architect at Forcepoint.

“A virtual CISO is an executive who is responsible for the oversight of an organization's security initiatives related to its data, technology and people,” Kemmerer says. “The difference being that the executive is primarily remote and may not be located in the same city as the organization’s headquarters or remote campuses.”

Hiring a vCISO is a good choice if an organization spans several regions and cannot find a cybersecurity professional who meets the organization’s needs in the health system’s geographic area. It’s also a way to find healthcare-specific cybersecurity experience, Kemmerer says.

A vCISO collaborates with an internal security team at a health system to develop a comprehensive cybersecurity strategy that involves “setting goals, defining priorities and aligning security efforts with business objectives,” Kemmerer says.

In addition, vCISOs also handle risk management and assessment, compliance and skill development. A key aspect of the vCISO’s role involves incident response planning, Kemmerer says.

A vCISO should “develop an effective response plan and ensure it’s regularly reviewed and tested to ensure readiness for a security incident,” Kemmerer says.

Sometimes an organization that has just launched will begin with a vCISO, and then regulatory requirements will lead them to hire an internal CISO, according to Sergile.

How Can Health IT Teams Benefit from a vCISO?

For healthcare customers, Sergile acts as an internal CISO to run security programs, manage staff and make key decisions. During his first two weeks at one engagement, the organization suffered a data breach, he recalls.

“I basically had to hit the ground running, and within those first two weeks, I stood in front of a panel of cybersecurity insurance providers and explained what our plans were for the next six months,” Sergile says. “And even after having a big breach, they were still able to get cyber insurance.”

During this experience, Sergile helped the organization with its cybersecurity strategies based on HIPAA requirements as well as security and privacy controls published by the National Institute of Standards and Technology in NIST SP 800-53. He identified where the organization had gaps and helped it fine-tune its security plan.

A vCISO in healthcare often steps in when a security leader leaves or when the healthcare system needs help in recovering from a breach. In fact, a healthcare organization may decide to furlough the security leader after a data breach and hire a vCISO, Sergile says.

“If there is a time where somebody leaves an organization, that’s kind of a big deal for most healthcare organizations, because that oversight is required under HIPAA, and you want something to bridge that gap and provide continuity,” Sergile says.

What Healthcare Organizations Need to Know About Hiring a vCISO

If a healthcare organization is considering hiring a vCISO, they should prioritize experts with healthcare-specific expertise. That includes knowledge of HIPAA, The General Data Protection Regulation and other regulatory frameworks, Kemmerer says. Evaluate if the potential vCISO has practical knowledge, problem-solving skills and roadmap planning experience that can work for a healthcare organization.

When working with an internal team at a healthcare organization, a vCISO should seek insight from clinicians on what their concerns are when it comes to cybersecurity and what security training updates they have received, Kemmerer says.

“Ask clinicians to share their experiences and challenges relevant to this training to educate the organization on effective materials to meet their specific needs,” Kemmerer says. “This collaboration approach ensures clinicians are prepared to protect patient data and report potential security events swiftly and effectively.”

When hiring a vCISO, organizations should look for candidates with technical knowledge as well as expertise in governance, risk and compliance, Sergile suggests.

READ MORE: How can healthcare organizations grow with smarter backup strategies?

Fostering Collaboration Between Internal Security Teams and a vCISO

Hiring a remote leader such as a vCISO also requires consideration of whether the individual fits the healthcare organization’s culture, Kemmerer says.

“How would this individual impact existing organizational culture and work experience in a virtual capacity?” Kemmerer asks. “How can this person enhance collaboration and alignment?”

Healthcare organizations should ensure that internal security teams and a vCISO are in sync on overall business and security strategies to set up the vCISO for success in making the right decisions, Kemmerer suggests.

“Share relevant threat intelligence, incident reports and security alerts with the vCISO for consistently accurate risk assessments,” Kemmerer adds.

The needs of healthcare systems will vary, and organizations will have to consider their individual requirements when hiring a vCISO, says Sergile.

“Not all vCISOs are the same, and not all companies are the same,” Sergile says. “You have to do your due diligence to understand what capabilities they can bring to bear.”