So far in 2017, the U.S. healthcare industry has been experiencing many cybersecurity-related threats, including one massive ransomware attack. This attack might have negatively impacted patient care at hospitals across the nation had a security researcher not found and pulled the “kill switch.” Ransomware attacks, like WannaCry, are just one of the many types of cybersecurity challenges the healthcare industry continues to face. It will become more and more challenging to safeguard sensitive patient data as bad actors continue to target the healthcare market.
Over the last ten years the healthcare industry has rapidly digitized without significant investment in cybersecurity. The balance between providing real-time data to physicians at the point of care in a minimally disruptive manner, coupled with the charge for interoperability, has left the healthcare market more connected and more vulnerable to attacks.
Most healthcare organizations lack sufficient financial resources, struggle with retaining in-house information security expertise, and don’t have the infrastructure to identify and track threats. Furthermore, they are not equipped to analyze and act based on the information and are likely running unsupported legacy systems that cannot easily be updated.
The best prevention against any cybersecurity attack is to take proactive security measures around people, process and technology. This defense-in-depth strategy gives organizations a multi-layered, multi-faceted approach that substantially reduces their exposed attack surface.
Well-Trained People: The Most Difficult Thing for Hackers to Get Around
According to Nuix’s recent survey, “The Black Report: Decoding the Minds of Hackers,” employee education and training is still a primary obstacle to hackers. This “people” factor must be addressed and continually measured to increase the effectiveness of an organization’s cybersecurity program.
Some of the cybersecurity training basics are: educating your employees/users on threats to your organization, safe web browsing practices, the hazards of clicking embedded links or opening attachments in unverified emails, and scrutinizing emails before opening them. Employees are an organization’s first line of defense against successful attacks, and their training should be a focal point of any effective cybersecurity program.
In order to take your employees’ education to the next level, you should conduct simulated phishing and social engineering exercises and campaigns. This will give employees “real world” experience in dealing with such attacks. Social engineering is still the most effective way that malicious individuals are able to access sensitive information.
Multi-phased Vulnerability Management Process: Identify and Prevent Cybersecurity Threats
Cybersecurity starts with people, but must be strengthened by processes for backups, incident reports, breach notifications, and disaster recovery. It is critical that organizations develop a multi-phased vulnerability management process that includes vulnerability scanning, risk acceptance, and remediation for security risks.
This process is critical to recognizing the potential impacts of a breach on your organization before one occurs, so that it is clear what steps your team will take to protect patient data. Too often, healthcare organizations only start investing in a cybersecurity program after they have been negatively impacted by an incident. At that point, it may be too late for some patients.
People + Process + Technology
Technology by itself is not the answer to protecting an organization from a cybersecurity attack, but combined with dedicated people and a defined process, it completes the cybersecurity prevention trifecta. Technologies such as Security Information and Event Management (SIEM), Data Loss Prevention (DLP), or Intrusion Prevention Systems (IPS) can be leveraged to identify and even react to a ransomware attack as it is happening. Custom policies and rulesets can be used to alert in real time that something is awry within the operating environment. Additionally, Network Access Control (NAC) platforms can make the isolation of infected devices quicker and easier.
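As an added example (not code from the original post or from Fortified Health Security), the following Python sketch shows the kind of custom SIEM rule the paragraph describes: it reads file-server audit lines, keeps a sliding window of write/rename activity per host and user, and raises an alert when a burst of activity is dominated by unfamiliar file extensions, which is typical of encryption-in-progress, while leaving a bulk but ordinary write (a backup job) alone. The log line format, the thresholds, the extension allowlist and the sample lines are all constructed assumptions for illustration; an alert would be the trigger for a NAC isolation workflow.

```python
"""Ransomware-style burst detector over constructed file-server audit lines.

Added example, not Fortified Health Security's code. The line format
"<timestamp> <host> <user> <action> <path>", the thresholds and the
known-extension allowlist are assumptions chosen for this illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)   # assumed sliding window per (host, user)
EVENT_THRESHOLD = 10             # assumed: writes/renames inside WINDOW before we judge
SUSPICIOUS_RATIO = 0.5           # assumed: share of events with unfamiliar extensions
KNOWN_EXTENSIONS = {".docx", ".pdf", ".dcm", ".xlsx", ".txt", ".hl7"}  # assumed allowlist

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<user>\S+) "
    r"(?P<action>WRITE|RENAME|READ|DELETE) (?P<path>.+)$"
)


def parse_line(line):
    """Parse one audit line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    return ev


def extension(path):
    """Return the final extension of a Windows-style path, lower-cased ('' if none)."""
    name = path.rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot > 0 else ""


def detect(lines):
    """Return one alert per (host, user) whose recent write/rename burst looks like encryption."""
    events = [ev for ev in map(parse_line, lines) if ev and ev["action"] in ("WRITE", "RENAME")]
    events.sort(key=lambda ev: ev["ts"])
    recent = defaultdict(deque)   # (host, user) -> deque of (timestamp, unfamiliar_extension)
    alerted = set()
    alerts = []
    for ev in events:
        key = (ev["host"], ev["user"])
        q = recent[key]
        q.append((ev["ts"], extension(ev["path"]) not in KNOWN_EXTENSIONS))
        while q and ev["ts"] - q[0][0] > WINDOW:   # drop events older than the window
            q.popleft()
        if len(q) >= EVENT_THRESHOLD and key not in alerted:
            ratio = sum(1 for _, odd in q if odd) / len(q)
            if ratio >= SUSPICIOUS_RATIO:
                alerts.append({"host": ev["host"], "user": ev["user"], "time": ev["ts"],
                               "count": len(q), "ratio": ratio,
                               "action": "candidate for NAC isolation and IR triage"})
                alerted.add(key)
    return alerts


def build_sample_log():
    """Constructed audit lines: a normal clinician, a bulk backup job, and an encryption burst."""
    base = datetime(2017, 6, 1, 9, 0, 0)
    fmt = "{ts:%Y-%m-%dT%H:%M:%S} {host} {user} {action} {path}"
    lines = []
    # Ordinary note-taking: one .docx write every 40 seconds, never many in one window.
    for i in range(15):
        lines.append(fmt.format(ts=base + timedelta(seconds=40 * i), host="WS-ICU-02",
                                user="nurse1", action="WRITE", path=r"\\fs01\icu\note%d.docx" % i))
    # Bulk but legitimate: a backup account writing twelve PDFs within twelve seconds.
    for i in range(12):
        lines.append(fmt.format(ts=base + timedelta(minutes=5, seconds=i), host="SRV-BKP-01",
                                user="backup", action="WRITE", path=r"\\fs01\archive\scan%d.pdf" % i))
    # Encryption-like burst: twelve renames to an unfamiliar extension within twelve seconds.
    for i in range(12):
        lines.append(fmt.format(ts=base + timedelta(minutes=7, seconds=i), host="WS-RAD-07",
                                user="jsmith", action="RENAME",
                                path=r"\\fs01\radiology\report%d.docx.locked" % i))
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

The point of the ratio test is that a count threshold alone would also fire on the backup job; combining rate with the share of unfamiliar extensions is what separates bulk legitimate writes from an encryption burst, and the alert record carries the host and user so a NAC policy can act on it directly.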
A Solid Cybersecurity Foundation
Organizations must focus on laying a solid cybersecurity foundation, rather than simply chasing the newest technologies. Unfortunately, there is likely no simple fix, as these are complex issues that must be prioritized within your organization. The time has come for healthcare leaders to truly understand the current cybersecurity posture of their organization and remove the barriers that may prevent it from executing the fundamentals. Cybersecurity threats at their core are patient safety risks and, frankly, the stakes are too high. Investing in and promoting an organization-wide, culturally driven approach to cybersecurity will greatly reduce risk and, most importantly, ensure consistent patient care.
To learn more about the steps you can take to improve your cybersecurity posture and arm your organization against future cyber attacks, read Fortified Health Security’s Mid-Year Horizon Report.
About the Author
Dan L. Dodson is President of Fortified Health Security where he brings over 10 years’ experience in the healthcare and insurance industries — serving as both an operational leader and sales leader. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University.