Fall 2023

Beating Burnout in Cybersecurity
By Sese Bennett
For The Record
Vol. 35 No. 4 P. 22

An expert in the field shows you how to prevent burnout and take your team’s approach from reactive to proactive.

In 2022, the US health care industry saw, on average, 1,410 weekly cyberattacks per organization,1 which amounts to an 86% increase compared with the previous year. From a global industry standpoint, health care ranks not far behind education/research and government/military, attacks on which jumped 74% from the previous year.2

As most health care professionals working in health IT (HIT), HIM, and cybersecurity know all too well, the potential impact on an organization’s bottom line is severe, but the toll on mental health and burnout is an often-overlooked consequence with far-reaching effects.

According to industry reports, as told in The Enterprisers Project, the average chief information security officer (CISO) tenure at a given organization is 18 months.3 Gartner reports that globally only 29.1% of IT workers have high intent to stay with their current employers.4 The once coveted and highly esteemed CISO role has now become a symbol of stress that many in the industry would prefer not to inherit. Those who do choose the role must accept the weight of long hours, limited staff, and a resource deficit that makes even the simplest tasks, much less bigger ones, overwhelming.

As someone who has experienced the many highs and lows of being a CISO in various capacities over the past 30 years, I know firsthand the pressures that today’s workers are feeling. The nationwide pandemic upped the ante of stress and fatigue for CISOs across the country, but the reality is that the lack of resources and strain of burnout have been the norm for far too long.

Step 1: Create a Business Impact Analysis
There are many words that could be used to describe hackers, but unskilled is not one of them. Today’s world of bad actors is ready to pounce when you or your teammates are least aware, and all it takes is one compromised password or phishing email to require a large-scale recovery plan. Health care is especially vulnerable due to the treasure trove of information available for hackers to access, including personally identifiable information and personal health information. Hackers are relentless and will do whatever they can to get to a patient’s information.

It can be hard for CISOs and other security professionals to know the best way to handle the flood of information coming their way, especially when daily headlines feature new attacks on systems large and small across the country. Conducting a business impact analysis (BIA) helps answer the question: How am I managing personally identifiable information and personal health information protection in my organization without burning out my team?

If you’ve never conducted a BIA, it’s not too late to start. This exercise assesses the consequences of disruption of a business function and process while gathering information needed to develop recovery strategies. Furthermore, it forces you to think about the security risks most pertinent for your direct line of business at your hospital or health system. Rather than bringing in more resources unnecessarily or hitting the point of burnout across your team, take advantage of a BIA to determine how to best prepare for the worst.

Practical Steps
For inspiration,5 the following are examples of questions to consider for your organization’s BIA:

• Key processes. Which processes are necessary to continue the identified critical business function?

• Volume of work. What’s the cost of conducting that work without supportive technology in the event it is compromised?

• Recovery time objectives. Another word often used in the industry is “downtime.” How long will certain business functions be unavailable until the issue or emergency situation is resolved? Be specific here—“X function can continue for X days/weeks/months/etc until the disaster is resolved.”

• Facilities/staff. Where do these functions occur, and who is responsible for performing X, Y, and Z?

Of course, responses will vary based on the system and system size, but BIAs all follow the same standard format to nail down the business functions that are most critical to maintain or restore in an emergency. Other considerations include, but are not limited to, key dependencies, manual workarounds, computer systems/applications, vital records/data, equipment/supplies, suppliers/vendors, and budget.

Step 2: Prioritize Automation and Security Awareness Training
One of the most common causes of burnout in this line of work is that CISOs and security teams are on the hook to not make mistakes. Since humans are performing these roles, it is illogical to expect perfection. So it’s imperative to remove the factors that lead to a security event and to keep training employees, and adopting a zero-trust security model supports both. Zero trust gives employees clear requirements to meet, which reduces the number of events that occur and limits the impact of those that do. Examples of technology controls that help with this model include tools such as multifactor authentication, single sign-on, and cloud-based application management. If someone logs into your system at 3:00 in the morning, you should authenticate that access to make sure it’s really that person and not a bad actor. Secondary security controls can immediately shut down suspicious activity, properly investigate, and confirm that the unusual behavior is approved before allowing it to continue.

Automating as much as possible while funneling actionable events can save your team stress by reducing overwhelming data volumes, producing informed alerts to combat alert fatigue, and more. If you can employ automation as a means of reducing workload and false positives, you will empower your team with a sense of accomplishment.
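The two ideas above, step-up authentication for an unusual login (the 3:00 a.m. case) and automation that funnels only actionable events to people, as an added example that is not from the article or from any product it mentions. It assumes a constructed per-user device inventory, a local off-hours window of 00:00–05:59, and a handful of constructed login events.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

@dataclass
class LoginEvent:
    user: str
    device_id: str
    ts: datetime        # local site time
    mfa_passed: bool    # fresh MFA challenge satisfied for this session?

# Assumptions: 00:00-05:59 local time is off-hours; the per-user device
# inventory is fed from the organization's SSO/MDM system.
OFF_HOURS_END = 6
KNOWN_DEVICES = {"alice": {"dev-a1"}, "bob": {"dev-b1"},
                 "carol": {"dev-c1"}, "dave": {"dev-d1"}}

# Constructed sample events for illustration, not data from the article.
SAMPLE_EVENTS = [
    LoginEvent("alice", "dev-a1", datetime(2023, 9, 4, 9, 15), True),
    LoginEvent("bob", "dev-b1", datetime(2023, 9, 4, 14, 2), False),
    LoginEvent("alice", "dev-a1", datetime(2023, 9, 5, 3, 0), True),
    LoginEvent("carol", "dev-x9", datetime(2023, 9, 5, 3, 10), False),
    LoginEvent("bob", "dev-b7", datetime(2023, 9, 5, 11, 30), True),
    LoginEvent("dave", "dev-d1", datetime(2023, 9, 5, 3, 45), False),
]

def triage(ev, known_devices=KNOWN_DEVICES):
    """Classify one login with no human in the loop:
    allow            routine context, nothing for an analyst to see
    allow_after_mfa  unusual context, but a fresh MFA challenge was passed
    hold_and_alert   unusual context and no MFA proof: hold the session
                     and hand it to a person to investigate"""
    off_hours = ev.ts.hour < OFF_HOURS_END
    new_device = ev.device_id not in known_devices.get(ev.user, set())
    if not (off_hours or new_device):
        return "allow"
    return "allow_after_mfa" if ev.mfa_passed else "hold_and_alert"

def funnel(events, known_devices=KNOWN_DEVICES):
    """Run triage over a batch; return (verdict counts, items for a human)."""
    counts = Counter()
    escalations = []
    for ev in events:
        verdict = triage(ev, known_devices)
        counts[verdict] += 1
        if verdict == "hold_and_alert":
            escalations.append((ev.user, ev.device_id, ev.ts.isoformat()))
    return dict(counts), escalations
```

Of the six sample logins, only the two with an unusual context and no MFA proof reach an analyst; the rest are settled by the control itself.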

Is it still important to conduct in-person training and tabletop exercises? Absolutely. These courses work because they provide real-life examples of what could go wrong and force your team to execute a mock plan to remedy the situation. That’s why having a BIA in place to demonstrate the likelihood of a bad occurrence is critical. Whether you’re meeting with your team weekly, monthly, or quarterly, be sure to instill a sense of confidence in your employees through combined manual training and automated methods.

It’s vital to point out that various levels of training are needed for different departments. Administrative teams will not require the same amount of training that a security team will need. Provide opportunities for everyone to get the proper assistance they need.

Step 3: Outsource if Applicable
A common mistake CISOs and senior leaders make is devoting resources to projects or entities that don’t require them. Sometimes more resources aren’t the answer. However, it’s essential to remember that bringing in third-party help when and where needed can be beneficial. Smaller hospitals and health systems, especially, are under immense pressure to make sure they follow requirements. And they’re often burdened with more administrative tasks that take them away from their strategic skill sets.

If this sounds familiar, consider outsourcing certain aspects of your cybersecurity strategy to a third party. Also known as managed services, this is the process of working with a partner who specializes in day-to-day technology operations such as help desk and IT support services, applications maintenance, network, hardware, and cloud management. Following is a summary of short-term and long-term pros and cons to help with the decision-making process.

Short-Term Gains
• Alleviate strain on staff. Managed services allow your internal team to breathe easier by streamlining workflows and allowing employees to focus on tasks that are higher priority. This can help mitigate the ongoing burnout challenges HIT and HIM workers have been experiencing.

• Improve customer service. Improvements in customer service quality are almost an immediate effect of managed services because you have additional staff dedicated solely to the specific task(s). Issues that have long plagued the HIM and HIT teams are resolved in a short time, but the positive sentiment and attitude toward the organization are long lasting.

Long-Term Gains
• Operate more efficiently. Health care organizations have relied on managed services for basic operations functions such as laundry, food, and surgical equipment for many years. Similarly, the management and maintenance of 24/7 IT operations can follow a model that will lead to great results over time.

• Enhance patient experience. Improving patient care doesn’t happen overnight, but it can happen as a direct result of managed services. Data privacy and cybersecurity standards can be maintained as a result of more stable technology and faster issue resolution, leading patients to feel a sense of trust and satisfaction in their health care experience. A recent survey from Beryl Institute revealed that three-quarters (76%) of Americans surveyed said they have not had a positive patient experience in the past three months.6

• Improve reputation. Improving customer service and system reliability not only benefits your organization in the short term but also has a larger impact on your overall reputation as a quality health care provider for the long term. As Warren Buffett once said, “It takes 20 years to build a reputation and five minutes to ruin it. If you think about that, you’ll do things differently.”

• Expand your organization. CISOs often say that they want to be more strategic but don’t have enough time. Outsourcing routine operations to a managed services partner allows you the freedom to take back your time and plan future goals of the organization, complete with brainstorming and working toward the specific action steps that need to be executed.

Cons to Consider With Outsourcing
As with anything, there are cons to consider when it comes to outsourcing responsibilities to a third-party source. These include the following:

• Lack of onsite presence. The pandemic, however, provided reassurance that IT functions could be done effectively in a remote environment, which lessened the need for onsite resources.

• Misaligned objectives. As someone who’s been on both sides of the outsourcing equation, I often remind CISOs to effectively communicate what they need upfront to avoid confusion on the back end. Establishing vision and goals in the early days of a project is much easier than doing it halfway through when something goes awry.

• Scope. Depending on the specialization of IT managed services being offered, certain partners can limit their scope of available IT services. These companies can help in many areas, including the following:

    • firewall, intrusion detection system, and intrusion prevention system monitoring and alerting;

    • domain name system breach protection and internetwide visibility on and off your network;

    • email spam and malware protection, monitoring, and alerting;

    • third-party risk assessment (yes, sometimes you need third parties to assess your third parties); and

    • a range of other functions and consultation services.

If and when you identify a need to bring in outsourcing help, be sure to vet them just as you would anyone else who’s coming inside your organization. Ask about their background, request references from other organizations they’ve helped, and require them to complete a business associate agreement. These measures will ensure you have the best partner possible in your corner. The last thing you want to do is bring in someone who can weaken or severely expose your organization to risk.

The Best Way to Eat an Elephant
We’ve all heard the old adage, “The best way to eat an elephant is one bite at a time.” The same is true for bolstering your cybersecurity strategy. It’s not a perfect science, and it takes time to implement systems that truly work for your organization’s individual needs. If you set out to fix everything at once, you will lead your team to burnout territory and likely drive yourself crazy in the process. Instead, use your BIA as a guide to determine which threats are most detrimental to the livelihood of your business/staff and what steps you can take to mitigate them. Breaking out risk in terms of low, medium, and high is a good place to start.

From there, you can delve into specific controls using a mix of automation and in-person security awareness training with your staff. Take the zero-trust approach, which establishes extra guardrails in the event that your staff makes a mistake. Finally, don’t be afraid to bring in a third-party vendor to help with the heavy lifting. This is an effective way to reduce pressure on internal staff while gaining expertise and knowledge that otherwise might not have been accessible.

Following are several parting thoughts to guide you on this journey:

• Security is the #1 concern keeping CIOs up at night. According to Foundry’s “The 2023 State of the CIO Study,” which included 837 IT leaders and 201 line-of-business participants, CIOs will focus significant time and expertise on security management this year.7 Security improvements are the #1 reason for tech budgets increasing in 2023.

• Technology is critical to the security equation. A recent study by BlueFort Security showed that 47% of CISOs will prioritize digital transformation and cloud migration in 2023.8

• Outsourcing isn’t going away, despite budget cuts. The Global Industry Analytics Report predicts that the global market value for IT Outsourcing is expected to hit $633.6M by 2027.7

— Sese Bennett is a virtual chief information security officer for CereCore Advisory Services. With more than 20 years of experience in a career spanning both public and private sectors, he understands how to balance the business requirements of an organization with the need to effectively reduce risks. Bennett has proven experience in identifying and remediating risk in highly complex environments, and his information security experience includes large Fortune 100 companies in the telecommunications space, health care organizations, governmental agencies, retail, software/hardware developers, manufacturing, and financial services.

References
1. Pollack R. Keeping hospitals and patients safe against cyberattacks. American Hospital Association website. https://www.aha.org/news/perspective/2023-02-03-keeping-hospitals-and-patients-safe-against-cyberattacks#:~:text=The%20U.S.%20saw%20a%2057,most%20cyberattacks%20in%20the%20U.S. Published February 3, 2023.

2. Alder S. Global healthcare cyberattacks increased 74% in 2022. The HIPAA Journal website. https://www.hipaajournal.com/global-healthcare-cyberattacks-increased-by-74-in-2022/. Published January 10, 2023.

3. Cunningham JR. CISO: a day in the life. Enterprisers Project website. https://enterprisersproject.com/article/2022/10/ciso-day-life#:~:text=The%20average%20tenure%20of%20a. Published October 13, 2022.

4. Gartner survey finds only 29% of IT workers have high intent to stay with current employer. Gartner website. https://www.gartner.com/en/newsroom/press-releases/2022-03-09-gartner-survey-finds-only-29-percent-of-tech-workers-have-high-intent-to-stay-with-current-employer. Published March 9, 2022.

5. Tools to create a business continuity plan. State of Oregon website. https://www.oregon.gov/das/Procurement/Pages/DPBusCont.aspx

6. Consumer perspectives on patient experience in the U.S. The Beryl Institute website. https://www.theberylinstitute.org/page/PXPULSE_Nov2022. Published November 2022.

7. State of the CIO study 2023. Foundry website. https://foundryco.com/tools-for-marketers/research-state-of-the-cio/. Published January 25, 2023.

8. CISOs’ priorities for the coming year. Help Net Security website. https://www.helpnetsecurity.com/2022/11/30/cisos-cloud-transformation/. Published November 30, 2022.