The threat of cybercrime can be felt most strongly where its impact is most acute. Although threats are very real to all industries including critical infrastructure, government, financial services and others, healthcare has the biggest target on its back today.
These threats have been steadily rising for many years, and last year was no exception.
If saving lives and caring for the sick aren’t already steep enough responsibilities for healthcare professionals, today the sophisticated world of cybercrime has thrust the healthcare industry, and the professionals that work in it, into the crosshairs.
Healthcare, like the global workforce at large, has moved to a mobile device-oriented workplace. This means, for example, that on-the-go nurses with devices in hand, potentially containing sensitive HIPAA-regulated data, are subject to all the cyber risks that apply to those devices. Plus, the risks today go well beyond safeguarding patient data to involve cyber threats to medical devices like pacemakers that people need to live.
What can healthcare organizations do to improve this escalating situation? Here are 10 future-proof cybersecurity tips for your healthcare organization.
1. Help the C-suite understand: Appoint a CISO or data protection officer to be responsible for data security and for ensuring that data security is a regular topic for the board, a key differentiator in reducing security gaps.
2. Educate staff: Train them on the importance of data security to mitigate the insider threat. Have a well-communicated policy on how and when to report lost devices or suspicious texts or emails and enforceable repercussions for infractions.
3. Conduct regular compliance reviews: The General Data Protection Regulation lays out stringent data protection requirements, as do HIPAA and HITRUST. Be proactive in identifying and rectifying issues.
4. Formalize breach notification process: Include both detection and response capabilities and consider purchasing special insurance. Under GDPR requirements, organizations must report a data breach within 72 hours.
5. Rehearse your data breach plans: Make sure your organization can report on the consequences of a breach in a timely manner.
6. Automate detection and response capabilities: Security solutions should be automated to detect and contain threats with minimal human input or intervention.
7. Add resiliency to security solutions: How can you ensure that your current security controls cannot be tampered with by malicious or insider activity? Activate a layer of adaptive defense against threats, reducing the mean time to detection and remediation, by implementing technology that keeps you in complete command with a self-healing, two-way connection to any endpoint or application—even if they are off the network.
8. Protect legacy technology: The reality of limited budgets in healthcare means that many legacy systems remain unsupported, which could place the entire network at risk. Isolating these systems or building protections around them can serve as a temporary safeguard until they can be modernized.
9. Maintain endpoint visibility: Ensure firmware and software can be updated against vulnerabilities and alerts can be issued if a device goes missing, misses an update or shows signs of tampering.
10. Review all contracts: Healthcare organizations today are large and complex systems, with many smaller entry points through partner systems or vendors. Security standards must be reviewed regularly and a process put in place to promptly report data breaches by all partners and vendors. Organizations should make sure that they have the contractual rights to insist on security standards for vendors.
We trust that we’ll receive the best care possible from our doctors, but we’ve only just begun to feel the impact of cybersecurity threats on patient care.
For an industry that understands the concept of preventative care, the same concept applies in the cybersecurity world. Keeping these tips in mind is important to counter risks with strategies and tactics that keep systems and assets in a state of wellness, and to minimize the severity and duration of illness, and the impact of security incidents, when issues do occur.
Josh Mayfield is the director of security strategy at Absolute.