By Jake Kiser
Mid-sized healthcare facilities are facing serious network threats. For instance, an Osterman Research report revealed that the healthcare industry is exceptionally vulnerable to ransomware. The report also revealed that mid-sized organizations are experiencing cyber-attacks as often as large companies. Executives at mid-sized facilities can’t afford to play small with their cybersecurity efforts.
These executives must consider the following security hurdles and best practices to ensure that they are doing everything possible to keep their data and that of their patients safe.
Leaders at medium-sized hospitals must not think that their organizations are too small to be of interest to attackers. Hackers know such facilities often don’t have the same financial and personnel resources for security that enterprises do, making them an easier win for criminals.
Because to err is human, hospitals must train their employees in security best practices, but it’s even better to put a security system in place so that when an employee eventually slips up—because they will—data is still going to be protected.
In smaller facilities, resources are usually thin and employees wear many hats. Some healthcare IT pros have to be both the CISO, responsible for mission-critical data security, and the IT Operations lead, responsible for almost anything IT under the sun. Cybersecurity often gets presented in ways meant for larger organizations, so legitimately useful products and services do not always get adopted.
Making Security Upgrades
The following four best practices will increase data security and help decision-makers focus on solutions that provide the strongest protection.
1. Forget passwords.
Passwords are frustrating to use, remember and change, and they are insecure: a password is a shared secret that the server has to store, that users reuse across sites, and that a convincing phishing page can capture. In 2017, weak, reused or stolen passwords were involved in more than four in five hacking-related breaches.
2. Find an alternative to passwords that won’t frustrate employees further.
Employees frequently complain about having to rely on one-time PINs sent over text, carrying an authentication device dedicated to just one service, or needing to use a personal cell phone.
Convenience must be balanced with security. The FIDO Alliance’s protocols replace the shared secret with public-key cryptography: the private key is generated on the user’s authenticator and never leaves it, the server stores only the public key, and each login is a signature over a fresh server challenge bound to the site’s origin, which is why a phishing page cannot reuse it. Because this is an open standard rather than a vendor product, the same authenticator and the same protocol work across many websites and applications.
3. Seek external expertise.
IT departments at mid-sized healthcare facilities benefit from finding a trusted advisor or partner who knows the security space deeply. The security landscape shifts quickly with new vulnerabilities and new threats. It is difficult or impossible to wade through this morass alone, much less come to fully informed decisions. Look for a security advisor with a good track record of coming alongside their customers with a partnering mindset.
4. Use encryption.
Encryption renders data unusable to anyone without the key, so it protects in a way no other control can: even if intruders get past the firewall, they find only ciphertext. The protection is only as good as the key management behind it, so keys must be held apart from the data they protect, in a key manager or HSM rather than in a config file or a database table.
Encryption at the application layer is the strongest option because the data is encrypted before it reaches the database, file system or backups; a compromise of any of those exposes only ciphertext, whereas disk- or database-level encryption decrypts transparently for anyone who can query the system. IT teams must then ensure that only authorized applications hold the decryption keys, and that those applications decrypt only for users who have passed FIDO-based strong authentication.
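As an added example (not code from this article, nor StrongKey’s product code), the Go program below models both the FIDO-style authentication of point 2 and the application-layer encryption of point 4 in one flow: the authenticator keeps a per-origin private key, the relying party stores only public keys and issues one-time challenges, and a record is decrypted only after a fresh assertion verifies. The origin, user name, record ID, sample record and the fixed demo key are all constructed for the example; the simplified assertion format (a signature over the origin and challenge) stands in for real WebAuthn, which also carries attestation, signature counters and client data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's device: one private key per origin, generated on the device and never leaving it.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a fresh P-256 key pair for origin and returns only the public half for the server to keep.
func (a Authenticator) Register(origin string) *ecdsa.PublicKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // error only if rand.Reader fails, which it does not (Go 1.24+)
	a[origin] = k
	return &k.PublicKey
}

// Assert signs SHA-256(origin || 0x00 || challenge); binding the origin in means an assertion produced for a look-alike phishing site fails at the real one.
func (a Authenticator) Assert(origin string, challenge []byte) ([]byte, error) {
	k, ok := a[origin]
	if !ok {
		return nil, errors.New("no credential for " + origin)
	}
	d := sha256.Sum256(append([]byte(origin+"\x00"), challenge...))
	return ecdsa.SignASN1(rand.Reader, k, d[:])
}

// RelyingParty models the server: it stores public keys only, so a dump of its user table yields nothing to log in with.
type RelyingParty struct {
	origin  string
	users   map[string]*ecdsa.PublicKey
	pending map[string][]byte // one-time challenges awaiting an assertion
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{origin, map[string]*ecdsa.PublicKey{}, map[string][]byte{}}
}

// Challenge issues 32 random bytes the user must sign before the next Verify.
func (rp *RelyingParty) Challenge(user string) []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read never returns an error (Go 1.24+)
	rp.pending[user] = c
	return c
}

// Verify checks the assertion against the stored public key and consumes the challenge, so a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, c := rp.users[user], rp.pending[user]
	delete(rp.pending, user)
	d := sha256.Sum256(append([]byte(rp.origin+"\x00"), c...))
	return pub != nil && c != nil && ecdsa.VerifyASN1(pub, d[:], sig)
}

// Vault does application-layer encryption: the AES-256-GCM key lives in the application, so the database, file system and backups see only ciphertext.
type Vault struct{ aead cipher.AEAD }

func NewVault(key []byte) *Vault {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return &Vault{aead}
}

// Seal encrypts plaintext under a fresh nonce with the record ID as associated data, so a ciphertext copied onto another ID fails to open.
func (v *Vault) Seal(id string, plaintext []byte) []byte {
	nonce := make([]byte, v.aead.NonceSize())
	rand.Read(nonce)
	return v.aead.Seal(nonce, nonce, plaintext, []byte(id))
}

// Open decrypts a stored record only after the relying party has verified a fresh assertion for the requesting user.
func (v *Vault) Open(rp *RelyingParty, user string, sig []byte, id string, ct []byte) ([]byte, error) {
	if !rp.Verify(user, sig) {
		return nil, errors.New("assertion failed: refusing to decrypt")
	}
	if n := v.aead.NonceSize(); len(ct) > n {
		return v.aead.Open(nil, ct[:n], ct[n:], []byte(id))
	}
	return nil, errors.New("malformed record")
}

func main() {
	key := []byte("demo-only-key-do-not-use-in-prod") // 32 bytes, constructed for the demo; in production from a key manager or HSM, never stored beside the data
	auth, rp, vault := Authenticator{}, NewRelyingParty("https://portal.example-hospital.test"), NewVault(key)
	rp.users["dr.kim"] = auth.Register(rp.origin)
	db := map[string][]byte{"mrn-1001": vault.Seal("mrn-1001", []byte("penicillin allergy"))} // constructed record; the "database" holds ciphertext only
	sig, _ := auth.Assert(rp.origin, rp.Challenge("dr.kim"))
	pt, err := vault.Open(rp, "dr.kim", sig, "mrn-1001", db["mrn-1001"])
	fmt.Printf("fresh assertion: %q err=%v\n", pt, err)
}
```

Three properties the text asks for are visible in the code: the relying party never holds anything an attacker could log in with (public keys only), a replayed or phished assertion fails because the challenge is consumed and the origin is part of the signed data, and a ciphertext lifted from storage is useless without the application’s key and cannot even be moved between record IDs because the ID is authenticated as associated data.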
Previously, mid-sized health organizations have found encryption technology too expensive. The market now offers affordable solutions that make enterprise-level encryption available to smaller organizations.
Cybercriminals like low-hanging fruit just as much as other people. They are on the lookout for unsecured data wherever it may be, including mid-sized healthcare facilities. IT decision-makers at these organizations must not consider their data as low-value but instead ensure that the same level of tools and processes are in place as the huge health conglomerates have. Encryption and authentication have become more user-friendly and less costly, making them viable additions to the security toolbox. The best practices noted above will shatter attackers’ assumptions that smaller hospitals mean weaker security.
About the author
Jake Kiser is CEO of StrongKey. He is responsible for the company’s business strategy, overseeing the company’s growth of its open-source cybersecurity solutions and a new product line which brings unprecedented security to small and medium enterprises. He received his master’s degree in business administration from Duke University.