Executive Summary
Inspira provided a cost-effective Virtual Chief Information Security Officer (vCISO) service for this healthcare organization. As part of the service, we performed a comprehensive cybersecurity assessment to evaluate their risk posture. We also provided concrete recommendations to help them address a number of challenges, including vendor management, a product consolidation strategy, and a multi-year roadmap to draw down costs and increase team efficiency and effectiveness.
About the Client
This well-known U.S.-based healthcare organization provides a wide range of healthcare services in multiple specialty areas. It is known for delivering personalized and holistic care and for always focusing on what’s best for each individual patient. The organization has been honored with several accolades that have cemented its position as one of the most trusted and highest-ranked healthcare organizations in the US.
Business Challenges
This healthcare organization uses multiple digital systems and technologies to manage patient data, deliver care, and improve patient outcomes. Because healthcare is the most heavily targeted industry for cybercrime, significant focus is placed on protecting and defending this critical data. Cyber events could result in the loss or corruption of patient data, not to mention a financial and reputational impact to the organization, making it harder for providers to help patients. In some cases, an attack or breach could result in system downtime, which can also interrupt care delivery, affect patients’ wellbeing, and even endanger lives.
The risk of a costly breach or attack is high for this organization due to these risk factors:
- An ever-expanding data estate consisting of vast quantities of patient data, including personally identifiable information (PII), electronic health records (EHRs), and financial data
- Malicious outsiders or insiders perpetrating data theft for financial gain or other malicious purposes
- Open vulnerabilities in legacy digital systems and outdated/unpatched software
- Poor cybersecurity hygiene among staff, leading to unsafe practices, such as using weak passwords, sharing sensitive information via email, etc.
- Complexity of tool selection and networks of vendors that are hard to manage and secure from threat actors
Another key challenge for the organization was the operational burden on technical staff. These workers were struggling to keep up and be proactive, resulting in costly mistakes that can increase the risk of attack. Many were also suffering from burnout, which severely affected the organization’s ability to retain key staff and led to staggering year-on-year attrition rates.
Inspira’s solution: vCISO service with comprehensive cybersecurity assessment + advisory
The organization’s senior leadership were aware of the cybersecurity challenges facing the organization. However, they needed to better understand the current reality and determine ways to mitigate risk. Here’s where Inspira’s cybersecurity experts stepped in.
We provided a two-part solution to help the organization identify its security weaknesses and strengthen its security posture:
Part 1: vCISO cybersecurity assessment
Inspira provided a cost-effective vCISO solution. The service was ideal for this client, since they were looking for an outside viewpoint to identify and mitigate security risks, comply with industry regulations and standards, and implement best practices to protect against cyber threats.
Our security professionals performed a comprehensive assessment of the client’s technical and data stack. In just 30 days, we:
- Evaluated their risk posture and identified the specific gaps that were priorities
- Assessed the vendor and third-party network and identified the security risks associated with stitching together disparate solutions
- Identified the risks of using a wide range of cyber tools that were not created with one another in mind, do not share threat information, and in some cases were made not to work well together
- Surfaced several vulnerabilities in data systems, legacy systems, and software that could increase the likelihood of a cyberattack or data breach
- Identified people-related process blind spots that posed significant risk
Part 2: vCISO advisory
Following the assessment, our vCISO service providers helped this client to mitigate many of their security risks by:
- Recommending that they reduce the size of their vendor network: we recommended that they work with a trusted group of 3-4 vendors only, while implementing appropriate service level agreements (SLAs)
- Suggesting that they restructure vendor contracts
- Rationalizing the organization’s digital and cybersecurity budgets and surfacing unnecessary and duplicative expenses
- Training staff on important cybersecurity best practices: our security awareness programs helped reduce some cybersecurity risks, strengthened the security posture, and improved the security culture
- Focusing heavily on documentation and policies to create a common cybersecurity “language”, improve resource skills, and enhance coordination between internal teams
In addition to the above solutions, our security professionals also worked closely with their technical team to understand the key management and operational issues around the tech stack. We then identified which tools in the stack operated in silos (access management, endpoint solutions, DLP, etc.) and brought them all under one Microsoft platform. Such integration and consolidation helped to simplify management, improve integrity, and reduce the burden on technical staff.
Benefits
- Created a 2-year roadmap for identity and access management, data loss prevention, and foundational aspects of a cyber PMO and GRC
- Saved almost $5 million in the first year and forecast to save $19.75 million over 3 years in cybersecurity and digital expenses
- Optimized the vendor network to reduce third-party risks
Overall, our vCISO assessment and advisory solutions enabled this healthcare organization to close many security loopholes and strengthen its defenses. The organization is also more aware of the risks facing the industry and better prepared for the evolving security landscape.