You can do everything right: properly configure network routers, firewalls and switches; deploy patches promptly; deliver training and awareness to employees; adopt automated tools and technologies to monitor anomalies, reduce human error, and better manage endpoint devices. And yet healthcare entities and the businesses that support them still remain at risk of cyberattack. It’s all about cyber-hygiene…
In fact, according to Retarus, more than 93% of healthcare organizations reported at least one security breach in the last three years.
How did we arrive at this juncture? Partly, healthcare digitization has always carried risk. But it also resulted in part from the shelter-in-place mandates that began soon after the COVID-19 pandemic hit. Work-from-home (WFH) demands from non-frontline employees persisted even as restrictions eased, leaving healthcare organizations continuously exposed.
So, how safe are we now that we’re adjusting to WFH realities?
In short, it depends. While this may sound bleak, there are actionable steps that organizations can take to enable a more cyber-ready and resilient program. Specifically, organizations can start by practicing basic cyber hygiene – from healthcare payers and providers, to vendors and third-party administrators. By implementing fundamental controls organizations can better safeguard assets, protect their brand reputation and enhance consumer trust.
So, what does good, basic healthcare cybersecurity hygiene look like?
It consists of fundamental policies, processes and business practices that apply basic “blocking-and-tackling” tools and techniques using a cybersecurity framework or a blend of frameworks. Cybersecurity is also defined and operationalized to ensure risks are identified, controls are implemented and compliance can be demonstrated through due diligence practices.
Below are eight questions healthcare organizations should be asking—today—about their basic cybersecurity hygiene practices to build and strengthen resilient programs, improve governance, manage risk and enhance compliance through operational efficiencies:
1. How are we enabling secure access to our network? By VPN or Virtual Desktop Infrastructure (VDI) workstations? How well is it working?
Consideration: Strong authentication (for example, multi-factor authentication) is paramount. You need to understand whether there is a consistent standard across the enterprise for how employees, and third-party vendors, authenticate to and access your corporate network, whichever path (VPN or VDI) they use.
2. How deep is our insight into our network infrastructure and to our information systems and applications?
Consideration: Ideally, your system administrators should have visibility of every endpoint at all times. You should be able to remotely block and respond to malware, and automatically manage software deployment and patching; an endpoint you cannot see is one you cannot patch or monitor.
3. Is remote access limited to network sections that enable our employees to complete their tasks?
Consideration: Every employer has data with varying degrees of value and sensitivity, such as personal data, financial information, intellectual capital and corporate confidential information.
4. What security tools do we have in place that enable the monitoring of security practices by remote employees and third parties?
Consideration: Your ability to ensure that employees are adhering to the internal policies and procedures for remote work and telecommuting is critical. Monitoring tools enable insights into which applications are being used, by whom and how much time is actually spent on projects.
5. What is our process for periodically cross-checking data access privileges against the controls implemented to protect information? How confident are we that access to our data is granted on a need-to-know basis and that this is working in practice?
Consideration: Establish, monitor and enforce limits on data access for nonessential purposes. Regular access reviews, in which data owners confirm that each person's privileges still match their current job, are the practical test of whether need-to-know is actually being applied.
6. How prepared/trained are our employees to recognize and handle phishing attacks (vishing, spear phishing, etc.)?
Consideration: Phishing attacks rose by 600% in the past year. Recipients open emails and attachments that infect their systems, or follow links to websites that ask for their credentials.
7. What steps are we taking for application security? And what steps do we take to prevent employees from downloading non-compliant applications to their laptops and/or corporate-issued devices?
Consideration: Establish a policy and an IT security process that requires pre-approval for any new application or downloaded software, for example a prompt or dialogue box on the device indicating that system administration approval is required before installation proceeds.
8. What is our process for cross-checking data access privileges and the controls implemented to protect information? How confident are we that need-to-know access, aligned to our data classification practices (e.g., confidential, restricted, proprietary), is working well?
Consideration: Establish, monitor and enforce limits on data access for nonessential purposes. Ensure processes are in place (automated, if possible) to swiftly identify and revoke access to programs and files when employees leave the company, finish a project or move to a different position.
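As an added illustration of the cross-check behind questions 5 and 8 (this is example code written for this page, not from the article or from the engagement it describes), the script below reconciles an export of access grants against the HR roster and a need-to-know policy. It flags grants held by people who have left or who have no HR record, grants that exceed what the person's current role may access (the mover case), and grants that have not been used recently. The roster, role policy, resource names, classification labels and the 90-day staleness threshold are all constructed assumptions; a real review would pull the roster from the HR system and the grants from each application or file share.

```python
from datetime import date, timedelta

# Constructed sample data (hypothetical; not from the article).
# HR roster: the authoritative record of who is employed and in what role.
HR_ROSTER = {
    "alice": {"status": "active", "role": "claims_analyst"},
    "bob":   {"status": "terminated", "role": "nurse", "end_date": date(2023, 4, 30)},
    "carol": {"status": "active", "role": "it_admin"},
    "dave":  {"status": "active", "role": "billing"},   # moved from nursing to billing
}

# Need-to-know policy: which data classifications each role may access.
# Labels follow the article's examples (confidential, restricted, proprietary) plus "public".
ROLE_POLICY = {
    "claims_analyst": {"public", "confidential"},
    "nurse":          {"public", "confidential", "restricted"},
    "billing":        {"public", "confidential"},
    "it_admin":       {"public", "proprietary"},
}

# Access grants as exported from applications and file shares (constructed sample).
ACCESS_GRANTS = [
    {"user": "alice", "resource": "claims-db",     "classification": "confidential", "last_used": date(2023, 2, 1)},
    {"user": "bob",   "resource": "ehr-prod",      "classification": "restricted",   "last_used": date(2023, 4, 28)},
    {"user": "carol", "resource": "ehr-prod",      "classification": "restricted",   "last_used": date(2023, 5, 30)},
    {"user": "dave",  "resource": "ehr-prod",      "classification": "restricted",   "last_used": date(2023, 1, 15)},
    {"user": "dave",  "resource": "billing-share", "classification": "confidential", "last_used": date(2023, 6, 2)},
    {"user": "erin",  "resource": "claims-db",     "classification": "confidential", "last_used": date(2023, 5, 20)},
]

REVIEW_DATE = date(2023, 6, 5)      # assumed date the review is run
STALE_AFTER = timedelta(days=90)    # assumed threshold for "unused" access


def review_access(roster, policy, grants, today, stale_after=STALE_AFTER):
    """Cross-check each grant against HR status and the need-to-know policy.

    Returns a list of (severity, user, resource, reason) tuples. "revoke" findings
    are grants that should not exist at all; "review" findings need a data owner's decision.
    """
    findings = []
    for g in grants:
        user, res, cls = g["user"], g["resource"], g["classification"]
        person = roster.get(user)
        if person is None:
            findings.append(("revoke", user, res, "no matching HR record (orphan account)"))
            continue
        if person["status"] != "active":
            findings.append(("revoke", user, res,
                             f"user terminated on {person.get('end_date', 'unknown date')}"))
            continue
        allowed = policy.get(person["role"], set())
        if cls not in allowed:
            findings.append(("revoke", user, res,
                             f"'{cls}' data not permitted for role '{person['role']}'"))
            continue
        idle = today - g["last_used"]
        if idle > stale_after:
            findings.append(("review", user, res, f"unused for {idle.days} days"))
    return findings


def summarize(findings):
    """Count findings by severity so the review can be tracked over time."""
    counts = {}
    for severity, *_ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def run_review():
    """Run the review over the constructed sample with the assumed review date."""
    return review_access(HR_ROSTER, ROLE_POLICY, ACCESS_GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    results = run_review()
    for f in results:
        print("%-7s %-6s %-14s %s" % f)
    print(summarize(results))
```

On the sample, bob (terminated) and erin (no HR record) are revoke findings for the leaver and orphan cases, carol and dave hold restricted data their current roles do not permit, and alice's claims-db access is flagged for review because it has gone unused for 124 days. Running this on a schedule, with the output routed to the data owners named in the classification scheme, is what turns the "cross-checking" in questions 5 and 8 from a policy statement into an operating control.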
For example, in one engagement with a healthcare client, we found they were at significant risk of cyberattack. In our discussions with their CEO and COO, we explained that healthcare organizations face evolving cyber threats that put their patients’ information and health at risk. That is why it is important for C-suite and senior-level leaders to see cybersecurity as their responsibility (first line of defense) and not just something that IT, Compliance and Internal Audit (second and third lines of defense) should worry about.
We were able to share with them how their cybersecurity gaps could affect patient safety and enterprise security.
Following our meeting, IT and cybersecurity became a strategic priority rather than a tactical exercise. They were able to see how the controls not only protect patient privacy and safety but also support the continuity of effective delivery of top-quality care. In addition, cybersecurity mitigates information disruptions that could literally become a matter of life and death.
As part of the client’s mitigation efforts, they came to understand that if their facilities do not keep patient records private, they could face substantial fines under HIPAA’s privacy and security rules, along with reputational damage and irreparable harm to their patients.
The client is still remediating their risks, but is showing appropriate due diligence and recognizes that cyberattacks such as ransomware could leave a healthcare organization unable to access medical records or to deliver lifesaving care. Attackers who gain access to private data can steal it or, intentionally or accidentally, alter it, which can lead to serious and life-threatening patient outcomes. With the right IT and cybersecurity planning, however, these risks can be mitigated.
With HIPAA and other regulatory requirements, we know healthcare providers face even greater cybersecurity risk than other sectors, especially given the severe penalties for non-compliance. From our experience, it’s all about cyber-hygiene.
The best time for payers, providers and life sciences companies to begin is now.