CISO Cris Ewell on Overcoming Risk Management Challenges
Video Interview on Conducting a Meaningful Risk Assessment
Despite the emphasis that HIPAA places on the value of a comprehensive risk assessment, far too many healthcare organizations are still struggling to complete one, says Cris Ewell, CISO at University of Washington Medicine.
HIPAA settlements reached after breach investigations have again and again highlighted the lack of risk assessments and stressed their value, he points out. "It's more than doing just point assessments of applications and systems," Ewell says. "It's understanding the threats and risks within your entire enterprise. And if you have multiple hospitals, it's doing assessments on entire hospitals, all the way from administrative, physical and technical controls."
Organizations that lack a thorough risk assessment will continue to find it difficult to build a defense against cyber threats, the CISO says. "The start ... is understanding your entire asset base - the people who use it, the things that you have, the data that's there," Ewell says. "Once you understand [those assets] and the risk related to that, then start reaching out further to understand what the adversaries are doing - the threat vectors that are used, the attack vectors that are used," he says. "But you have to start with the basic analysis of the assets you have."
A Lot of Work
Many organizations fail to conduct a comprehensive analysis, Ewell contends, "because it's a lot of work to do. Understanding the entire enterprise scope sometimes overwhelms a staff of one, two or three individuals. Then there's the understanding of what a risk management program looks like. That's difficult."
A risk assessment, he stresses, helps organizations with limited resources to "focus on the things that really make the most difference, [rather] than trying to fix everything. It can help you focus on the right things to do for your organization."
In this video interview at Information Security Media Group's recent Healthcare Security Summit in New York, Ewell also discusses:
- The importance of reaching out to local organizations and tapping other resources to help improve an entity's risk management program;
- The threats and risks posed by medical devices and the internet of things;
- His organization's top cybersecurity priorities for 2017.
Ewell, PhD, is CISO at University of Washington Medicine, which includes four medical centers, neighborhood clinics, physician practices and UW School of Medicine. Previously, Ewell was CISO of Seattle Children's Hospital. Before that, he served as the director of information security operations at the University of Washington, chief security officer for PEMCO Corp. and chief technology officer for Breakwater Security.