Measuring CTEM Success
Under CTEM, healthcare organizations adopt metrics that reflect resilience rather than just the number of patches applied, according to Liat Hayun, senior vice president of product management at Tenable.
“In the highly regulated healthcare landscape, these metrics serve as a bridge between technical security and HIPAA compliance,” Hayun says.
Metrics include key performance indicators that measure risk reduction and operational performance, along with regulatory compliance tracking, she explains. They also include tracking remediation service-level agreements and peer benchmarking, which compares exposure scores and KPIs against those of peer organizations.
“Evaluation criteria for healthcare include support for legacy systems, security-certified medical device monitoring and the ability to ensure business continuity during remediation,” Hayun says.
Measurable risk reduction is a key aspect of CTEM performance metrics, according to Rodriguez.
“Ultimately, CTEM success is measured by a sustained decrease in prioritized risk and improved ability to prevent incidents that could impact patient care or sensitive data,” he says.
Metrics include reduction in critical threat–relevant exposures, time to remediate high-risk issues and a drop in overall risk score, Rodriguez says.
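The metrics named above (time to remediate high-risk issues, remediation SLA tracking, open critical exposures and a drop in overall risk score) are straightforward to compute from an exposure inventory, but two details matter in practice: open exposures must be counted against their SLA by current age, or an issue nobody has touched silently vanishes from the breach figure, and a risk-score drop should compare the prioritized risk open at two points in time rather than count closed tickets. The following is an added example, not code from the article or from Tenable; the exposure records, asset names, the 0-100 score scale and the per-severity SLA values are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Optional


@dataclass
class Exposure:
    """One exposure record as an exposure-management tool might export it."""
    id: str
    asset: str
    severity: str                   # "critical", "high", "medium" or "low"
    risk_score: float               # prioritized score, assumed 0-100 scale
    discovered: datetime
    remediated: Optional[datetime]  # None while still open


# Assumed remediation SLAs per severity, in days. Real values come from the
# organization's own policy; these are placeholders for the example.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Constructed sample inventory (hypothetical assets, not from the article).
NOW = datetime(2024, 6, 30)
BASELINE = datetime(2024, 5, 10)
SAMPLE = [
    Exposure("EXP-1", "pacs-server", "critical", 95.0, datetime(2024, 5, 1), datetime(2024, 5, 5)),
    Exposure("EXP-2", "infusion-pump-gw", "critical", 90.0, datetime(2024, 6, 10), None),
    Exposure("EXP-3", "ehr-web", "high", 75.0, datetime(2024, 5, 1), datetime(2024, 5, 21)),
    Exposure("EXP-4", "telehealth-api", "high", 70.0, datetime(2024, 4, 1), datetime(2024, 5, 20)),
    Exposure("EXP-5", "nurse-station-pc", "medium", 40.0, datetime(2024, 6, 1), None),
    Exposure("EXP-6", "legacy-lab-analyzer", "low", 15.0, datetime(2023, 11, 1), None),
]


def _age_days(e: Exposure, now: datetime) -> float:
    """Days from discovery to remediation, or to `now` if still open."""
    end = e.remediated or now
    return (end - e.discovered).total_seconds() / 86400


def time_to_remediate(exposures, now, severities=("critical", "high")):
    """Median and worst-case days-to-remediate for closed high-risk exposures.
    Median is used rather than mean so one old outlier does not hide progress."""
    closed = [_age_days(e, now) for e in exposures
              if e.severity in severities and e.remediated is not None]
    if not closed:
        return None
    return {"median_days": median(closed), "max_days": max(closed), "count": len(closed)}


def sla_status(exposures, now):
    """Per-severity SLA tracking. Open items are measured by age as of `now`,
    so an untouched exposure shows up as a breach instead of being ignored."""
    out = {}
    for sev, limit in SLA_DAYS.items():
        subset = [e for e in exposures if e.severity == sev]
        breached = sorted(e.id for e in subset if _age_days(e, now) > limit)
        out[sev] = {"total": len(subset), "breached": len(breached), "breached_ids": breached}
    return out


def open_critical(exposures):
    """IDs of critical exposures that are still open."""
    return sorted(e.id for e in exposures if e.severity == "critical" and e.remediated is None)


def risk_reduction(exposures, then, now):
    """Total prioritized risk open at `then` versus `now`, and the percentage drop.
    An exposure is open at time t if it was discovered by t and not remediated by t,
    so newly discovered exposures correctly offset the ones that were closed."""
    def open_at(t):
        return sum(e.risk_score for e in exposures
                   if e.discovered <= t and (e.remediated is None or e.remediated > t))
    before, after = open_at(then), open_at(now)
    pct = 0.0 if before == 0 else round(100 * (before - after) / before, 1)
    return {"before": before, "after": after, "pct_reduction": pct}


if __name__ == "__main__":
    print("time to remediate (critical/high):", time_to_remediate(SAMPLE, NOW))
    print("SLA status:", sla_status(SAMPLE, NOW))
    print("open critical:", open_critical(SAMPLE))
    print("risk reduction since baseline:", risk_reduction(SAMPLE, BASELINE, NOW))
```

With the constructed data, two high-risk issues were closed since the baseline, yet the open risk score falls only about nine percent because a new critical exposure on the infusion-pump gateway appeared in the meantime and is already past its seven-day SLA; that is exactly the gap a patch count would hide and a CTEM risk metric is meant to expose.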
Why Healthcare Needs CTEM: The Evolving Threat Landscape
“By unifying visibility across complex environments, including legacy systems and connected medical devices, security teams can prevent downtime, secure sensitive patient health information and innovate without introducing unnecessary risk,” Hayun says.
Healthcare stands to benefit from CTEM because it is the most targeted sector for cyberattacks and patient data carries a high monetary value, Hayun notes. Operational continuity is also essential: health systems cannot afford downtime. And healthcare has a vast attack surface that spans telehealth, remote patient monitoring, cloud-based health records and widespread connected medical devices, she says.
In healthcare, CTEM shifts the focus away from “check the box” vulnerability assessments and remediation to focus on safeguarding the most critical data and systems to protect patient and hospital safety, Hayun says.
Healthcare organizations need a CTEM framework because of the visibility and control challenges of IoT devices, Rodriguez says.
Building a Healthcare CTEM Program
CTEM implementation must be a continuous process rather than a “set-it-and-forget-it, point-in-time process,” Hayun explains. That includes routinely testing security controls and updating exposure-management processes as necessary.
“Exposure management is an operational journey that enables security teams in healthcare organizations to build a proactive defense program that protects their most critical assets, even as the digital landscape evolves,” she says.
