Why Health Firms Struggle with Cybersecurity Frameworks


Despite the availability of established security frameworks such as the NIST Cybersecurity Framework and others, healthcare organizations still struggle to implement them effectively, often not fully understanding the requirements or failing to integrate them into their overall cybersecurity strategy, said Keith Forrester of security firm Optiv.

“It’s all about risk management. You’ve got to be able to assess your environment and determine the risks that are out there, and then develop goals and best practices based on your business,” he said.

Yet many healthcare sector organizations still lag in doing that thoroughly and enterprisewide, he said, despite years of recommendations by regulators and cybersecurity experts to make risk management a top priority.

“Organizations often have all the tools and all the processes there, but they are lacking at times in fully implementing the tools correctly and properly,” he said.

For example, “oftentimes we are seeing that breaches are occurring, and organizations are doing analysis of the breach and discovering…
