The biggest challenge in education is separating myth from reality. This is particularly difficult when the myth has become embedded in a cultural norm. Regulatory compliance as the benchmark for cyber resiliency is such a myth. It is the default setting and the perceived norm. Yet it ignores the fact that regulators themselves, even the least experienced, treat compliance as the minimum standard an institution must meet in order not to be shut down. It is a floor, not an operating standard.
In the aftermath of the 2008 global financial crisis, most financial institutions were in regulatory compliance. Yet the financial industry, like many other industries that met compliance standards, continued to ignore regulators' warnings about risky behavior. In the cyber security arena, regulatory compliance does not protect against sophisticated and mounting threats, the critical shortage of competent personnel to meet those threats, or the inability of a single institution to respond to them adequately on its own. Regulators' warnings about the vulnerabilities inherent in open-architecture environments have likewise been ignored, despite growing reports of attackers who have reached institutional IT platforms and data through internet-connected "household items" such as refrigerators and microwaves. Such devices are rarely patched, are seldom inventoried, and frequently sit on the same flat network as the systems that matter, which is exactly why they make a convenient entry point.
A Case Study in Healthcare
I. The Problem
A prime example of the failure of regulatory compliance to effectively protect a client's interests is the health care industry, with its array of internet-connected devices, medical equipment and machines. Health care institutions are finding that compliance with regulatory standards does not address the myriad ways in which their IT platforms expose not simply patient data but patient care itself to high risk. Yet suggestions by health care regulators that institutions monitor their devices, share costs in order to build cyber-resilient environments, and migrate to cloud services to reduce risk are disregarded by institutions focused on allocating resources toward their mission of saving lives:
- academic and research freedoms combined with mission urgency have created and sustained an open architecture model for the use and onboarding of technology – making it difficult to anticipate and limit the vectors of assault;
- institutions do not recognize or understand the risks associated with internet-connected devices and equipment beyond the familiar computer hardware and mobile devices; an infusion pump, imaging system or building-control unit on the network is an endpoint whether or not anyone is treating it as one;
- vendor access to service and maintain equipment and devices leaves the institution exposed to the vendor's own cyber vulnerabilities, which in turn provide a path into institutional IT platforms; remote-support accounts and persistent vendor VPN tunnels are the usual form this takes;
- health care administrators and personnel view their mission as saving lives and that mission should not be compromised by rules that do not directly advance the urgencies of the moment;
- IT departments responsible for cyber security are cost centers with no real incentive or institutional mandate to tie security solutions to their financing, or technology to the behavior of the people who use it; and,
- a dwindling supply of money and governmental support to initiate innovation and vision, to hire skilled multi-disciplinary personnel, and to recognize protection not just of data but of the equipment and devices used to provide patient care as a core function of a health system's mission.
II. The Solution
The first step in the solution is to recognize the realities of the operating environment set out above. The next is to understand that the IT and cyber security problem cannot be solved without first solving the economic problem, and solving the economic problem has several parts:
- competitive pricing in leasing rather than purchasing major technology devices;
- reducing personnel costs by moving portions of the infrastructure to cloud based solutions;
- creating unique financing programs to share the costs associated with major purchases;
- collecting and monetizing the data within the health system, within the constraints that patient-privacy obligations place on that data; and,
- establishing working relationships with "all" of the health system's constituents and stakeholders.
Silicon Mountains' goal is to provide state-of-the-art cyber security protection while significantly reducing IT infrastructure costs and, at the same time, creating new revenue streams that reduce those costs further. We achieve this by showing clients a different way of doing business.