How to get the cybersecurity funds needed to protect a hospital or health system

Getting the funds to best secure a hospital or health system is not necessarily an easy task – just ask healthcare chief information security officers (CISOs) and chief information officers (CIOs). Yes, the horrible headlines of healthcare security breaches help security and IT leaders make their points to the C-suite and the board, but truly effective cybersecurity requires some serious cash, and that's not always easy to come by in today's healthcare environment. To help IT and security leaders with this vexing challenge, Healthcare IT News sat down with Andrew Howard, CEO of Kudelski Security, to obtain advice on talking with the C-suite and the board about cybersecurity investments, dealing with security and IT staffs that are stretched thin, and more. How do CIOs and CISOs get through to the C-suite and board to convince them to invest in new cybersecurity technologies and monitor new security trends? Security leaders are likely to be asked questions by the board, such as: Far too often, we see security leaders focusing on metrics and details that may initially appear interesting to the board but do not help tell the right story to justify investment. If a security leader can show a standards-based approach, with defined and measurable outcomes that are aligned to the healthcare objectives, the right investment will likely follow. What steps and strategies can health IT and security leaders take to get the money they need? From a security perspective, if a healthcare organization doesn't have a solution that discovers and tracks what assets are in its environment, it can't know holistically what to monitor, protect or patch. However, while an organization cannot build a world-class security program without significant financial resources, they can build a good enough security program with the right focus and limited investment. Security leaders should focus on cybersecurity hygiene before and above all other tasks. While technologies like endpoint detection and response are typically worth the investment regardless of the security program's maturity, most other technologies will fall flat without the right processes around them.