With less than 10 percent of their IT budgets dedicated to information security, healthcare providers are prime targets for ransomware attacks. Unlike cybersecurity breaches in other industries, attacks against small and mid-size healthcare companies have a direct impact on patient care, making combating these threats a high priority. However, smaller healthcare organizations often lack the dedicated resources to improve their security posture by engaging a Chief Information Security Officer (CISO). To support and protect these companies, a new kind of cybersecurity expert is growing in demand: the virtual CISO.
Virtual CISOs, or vCISOs, provide on-demand security insights in a fractional delivery model, meaning that the contract length and services are flexible and can be customized to fit a company’s budget and needs. vCISOs are established cybersecurity leaders who offer not only comprehensive technical skillsets, but business acumen, and have experience developing strategy and company culture. Engagements with vCISOs are typically long-term, rather than project-oriented, making them an appealing option for organizations that are constantly navigating cybersecurity challenges and changing compliance and data security practices.
As well as engaging an experienced security expert, healthcare organizations are often attracted to vCISO services because of cost and resource savings. For example, vCISOs are estimated to cost between 30-40 percent of a full-time CISO, and they can move into the role without the need for training. “Nowadays, a lot of these organizations’ cybersecurity teams are very short-staffed and have limited time to manage the many security challenges their organizations are facing,” said Randy Norris from Atlantic Data Security. “A vCISO can help ensure that the limited funding they have is used with the right focus and priority, whether by providing a roadmap for cybersecurity gap closure, or by helping to prepare for an upcoming audit or certification.” vCISOs also bring with them a network of contacts and industry partners. For example, vCISOs at Atlantic Data Security work with partner vendors like Fortinet, that provide services that help evaluate risk and inform cybersecurity strategy.
While mid-size healthcare organizations are typically considered the main audience for vCISOs, organizations of any size can benefit from their services. Organizations that are moving their operations to the cloud can employ a vCISO to support the move and develop a cybersecurity strategy to reduce security risk and use the new environment to its full potential. Other transitional phases can be good scenarios for which to consider a vCISO, as they can assist in consolidating systems and strategies in a merger or acquisition or fill the gap between two full-time CISOs.
Another reason a company might engage a vCISO is to ensure compliance with industry and federal requirements, such as HIPAA. Meeting federal standards for patient information security is essential for not only continuing operations, but also maintaining customers’ trust. vCISOs can help healthcare organizations to not only protect sensitive information from compromise, but to develop response plans if a leak does occur. “The ultimate goal is to stop attacks before they happen,” said Troy Ament, Field CISO, Healthcare, from Fortinet, “but hackers are creating new malware and viruses and identifying new vulnerabilities as quickly as we are working to locate and eliminate them. It’s important to be able to demonstrate that you are both maintaining robust security to detect and neutralize threats and that there are measures in place for anything that manages to slip through the cracks.”
Maintaining a robust security posture with limited resources at a time when targeted attacks against healthcare organizations are on the rise might seem like an overwhelming task. However, with the skills of a vCISO available, small and mid-size healthcare companies can easily find a trusted partner to accomplish myriad tasks from ensuring compliance to attack prevention, to delivering on a digital transformation strategy.