Our cybersecurity program is focused on protecting our company’s digital assets putting the safety of the patients that we serve first.
Over the past several years, there has been an exponential rise in the volume of cyber threats as well as the sophistication of those cyber threats, especially as access to sophisticated malware and cybercrime tools have become easily accessible on the internet. An increased dependency on trusted partners to facilitate company business further adds to the complexities and challenges of securing our digital assets.
The core principles, which ground our program, begins with the confidentiality, integrity, and the availability of the data that we create and process. It is our cybersecurity program’s mission to provide appropriate and assured access to information and services by anyone, anywhere, at any time, and on any device. Our comprehensive approach encompasses people, process and technology to mitigate risk.
Governance and strategy
At the management layer, we consolidated information security and cyber resiliency activities across IT under the leadership of the Chief Information Security Officer (CISO). Our CISO reports into the Chief Information & Digital Officer (CI&DO). The CI&DO reports into the Chief Financial Officer (CFO). Both our CI&DO and CFO are members of our Executive Committee.
Our cybersecurity program analyzes the market for innovative ways to continue to drive down the risks associated with cybersecurity trends, such as destructive ransomware incidents, insider risk, and risks to operational technology environments. These innovative ways include leveraging machine learning capabilities, robotic processing automation (RPA) and data analytics that allow for enhanced detection and response capabilities putting us in a better position to defend against the latest cyber threats. As business priorities progress, laws and regulations change, and the cyber threat landscape evolves, we adjust our cybersecurity strategy to continually manage our cyber risk.
Our company is increasingly dependent on sophisticated software applications and complex IT systems to conduct critical business operations. Disruption, degradation or manipulation of these systems through intentional or accidental means could impact key business processes. Software maintenance (e.g., security patches) and secure configurations is part of our program ensuring our IT systems are secure. Our Information Risk Management Policy and supporting functional policies govern our daily operations ensuring that these activities are appropriately managed.
We measure our success through a governance program which evaluates the value of the projects and programs we put in place to manage our cyber risks. We also benchmark against industry peers and leverage third-party subject matter experts to provide input and assess our cybersecurity initiatives.
We are measuring cybersecurity risk reduction in several ways:
- We include cybersecurity in our enterprise risk register ensuring that cybersecurity is tracked as a business imperative
- We engage with several consulting firms who are thought leaders in cybersecurity to work with us in our ongoing efforts to improve our cybersecurity program
- We have adopted the “Building Security in Maturity Model” (BSIMM) to drive maturity of our Application Security program
- We strengthen our digital ecosystem with programs focused on third-party risk and cloud security
- We leverage the NIST Cybersecurity Framework, mapping key programs and controls to industry standards
- We partner with companies who monitor and rate our cyber “health”
Our company has a long history of leveraging cloud services driving innovation, enhanced services and operational excellence across the enterprise. However, as we continue to adopt these new technologies, they present new risks for us to manage especially as threat actors unceasingly try to find new ways to take advantage of these technologies. Our cybersecurity governance program and strategy enable us to manage these risks and as a result we can support the adoption of these new technologies while maintaining our high security standards.
We continue to leverage new and innovative technologies across the enterprise to improve the efficacy and efficiency of business processes; however, the use of these technologies can present new risks. Misuse of these IT systems could result in disclosure of sensitive personal information or theft of trade secrets, intellectual property, or other sensitive business information.
Our cybersecurity analytics program drives enhanced vulnerability and threat detection capabilities allowing us to keep up with today’s advanced threats while shrinking our attack surface and further reducing the likelihood of a cyber disruption.
We expect to continue being a target of cyber events and network disruptions. We continuously monitor our data, information technology and usage of our IT systems to reduce these risks on an ongoing basis for current or potential threats. However, there is no assurance that our efforts to protect our data and IT systems will be successful in preventing disruptions to our operations, including manufacturing, research and sales operations. Any such disruption could result in loss of revenue, or the loss of critical or sensitive information from our company’s or our third-party providers’ databases or IT systems and could also result in financial, legal, business or reputational harm and potentially substantial remediation costs.
Knowing that our company can suffer from an IT outage, whether cybersecurity related or not, our company has a Corporate Crisis Management plan to help manage any type of large-scale business disruption. The plan provides clear direction and guidance on how to respond to a corporate-level crisis. In the event of a major cyber incident, our company has retained the services of a cybersecurity firm to provide digital forensics and incident response support.
Programs and initiatives
Our Cyber Fusion Center runs 24x7x365 with operations in three global hubs. It leverages cutting-edge technology to facilitate rapid and tactical coordination of cyber defense activities in response to current cyber threats. The Cyber Fusion Center is threat detection-focused and intelligence-driven, geared towards anticipating not only today’s cyber threats but enabling early detection capabilities to prepare us for tomorrow’s threats as well. As part of our enterprise resiliency efforts, our Cyber Fusion Center continuously tests our security controls and IT systems to reduce our exposure to these cyber threats.
We engage with multiple external partners in support of our cybersecurity program. We supplement our internal cybersecurity staff with a managed security services provider (MSSP). They provide 24x7x365 monitoring of our IT systems for potential security incidents.
We partner with industry experts to assess our cybersecurity programs and to assist with building new capabilities. Our latest capabilities include Application Security, Cloud Security, and Insider Risk programs.
We also partner with the Health Information Sharing and Analysis Center (H-ISAC) to foster cybersecurity information sharing across the industry. This partnership includes a variety of benefits such as:
- Cyber threat information sharing directly from peer organizations
- Sharing of industry best practices
- Peer groups focusing on industry challenges such as third-party risk, medical device security, etc.
- Fostering a learning environment which encourages innovation and industry standards
This translates into the strengthening of the healthcare ecosystem by fostering a community of trust and information sharing.
As industry experts have reported, there is a shortage of technical cybersecurity talent in the market, more so in the mid-management layer of organizations. Our company augments the cybersecurity team with industry recognized partners who provide additional talent and skills that are hard to come by in order to help manage the risks that this skills shortage presents.
Looking to the future
Moving past the cyber event of June 2017, our company has been laser-focused on maturing our cyber capabilities and making our company more resilient to cyber disruptions. The Enterprise Resiliency (ER) cross-divisional program was part of our journey to ensure the company will stay “healthy” and “heal” quickly in the event of a cyber disruption. As this program concludes we are executing on the next chapter of our cybersecurity strategy which drives innovation into the work that we do.
As part of this strategy, we are focusing on these key areas:
- Our talent
- Cybersecurity capabilities and controls
- Identity and access management
- Endpoint protection
- Network segmentation and boundary defenses
- Data protection
- Cloud security
- Protection of our crown jewel assets and critical infrastructure
- Supplier risk resiliency
- Modernization and a secure user experience
- Automation and orchestration
- Data analytics and data sciences
- Regulatory compliance
- Policy and enforcement