Summary of Key Points
- The healthcare industry is a prime target by cybercriminals due to the sensitive nature, and value, of the data
- Creating a cybersecurity checklist and reviewing it regularly will help prevent many common breaches and ensure you stay up to date on changes in the threat environment
- Our cybersecurity checklist for 2022 has 16 items for your organization to review
The healthcare industry continues to lag behind on cybersecurity, even as it is increasingly targeted by cybercriminals. Why is that, and what can you do to better protect your organization as we enter into 2023?
This article outlines the risks that the healthcare industry faces, alongside a 16-point checklist that will help keep your organization secure. If you need assistance, ask us about our managed cybersecurity services.
The True Cost of Healthcare Cybersecurity Breaches
When most of us think of organizations being hacked or breached, we think of sensitive data being leaked, causing profits to plummet, or vital documents being held hostage until a ransom is paid. However, when it comes to the healthcare industry, often the true cost of an attack is much more than just money.
A breach may:
- Impact access to patient data, including medical records
- Negatively influence productivity
- Cause immediate and lasting reputational harm
- Result in sensitive information, including patient data, becoming accessible to bad actors
- Have a tangible impact on the health and wellbeing of patients
- Have direct financial costs, including the cost to remediate the breach and any fines that may have been incurred
One famous healthcare-focused cyberattack, the 2019 ransomware attack on the Grey’s Harbor Community Hospital and Harbor Medical Group, forced the hospital and the medical group’s clinics to revert to paper medical records. Though most records were recovered, it still isn’t clear if some medical records were permanently lost.
A breach can also damage the relationship between the patient and their healthcare team, as many patients may avoid seeking medical help if they are worried cybercriminals or other unauthorized users may access their private medical information.
Taking Action to Protect Your Systems
Whether you already have a cybersecurity plan in place or you are looking to implement one for the first time, it is important to get it right. This checklist will provide you with an important starting point that will help to ensure your healthcare facility’s network and data are protected.
Remember, cybersecurity is not something that you do once you are “done”. It requires constant vigilance. Going through this checklist regularly will help to ensure that your data is protected today and long into the future.
1. Separate IT Strategy from Cybersecurity Strategy
Companies generally set up a cybersecurity department to be within the overall IT department. While this may seem to make sense at first, it can actually lead to a variety of different vulnerabilities. When cybersecurity is part of IT, the cybersecurity concerns become just one consideration of many when making decisions.
Setting up a cybersecurity department that is completely separate from the rest of the IT department makes it easier to create and enforce standards that will keep systems protected.
2. Transition Away from Centralized Security Policies
While centralized security policies are much easier to create and manage, they are generally not as secure because they often use a ‘one size fits all’ approach to many security threats.
Transitioning to a strategy that creates cybersecurity policies and manages permissions based on the specific needs of individuals or departments is more effective.
3. Harness Encrypted Email and Messaging Tools
All of your communication tools should be fully encrypted from end to end, including emails, text, and instant messaging. This is important in all industries, but especially so in a healthcare setting given the sensitive nature of patient information.
See also: managed endpoint protection services.
4. Restrict Access to the Network to Approved Devices
Modern healthcare facilities typically have doctors, nurses, and administrators creating and accessing digital records. Choosing specific devices from trusted vendors is an important step toward ensuring that only devices that meet your security requirements are able to connect to the network. This can make it much easier for your security team to monitor for vulnerabilities, implement patches, and maintain a secure environment.
See also: staying secure in a BYOD world.
5. Provide Cybersecurity Training to All Employees
While a cybersecurity team is going to be primarily responsible for keeping your network and data safe, everyone who is able to connect to your network has a role to play in keeping your data safe.
Providing all employees with cybersecurity training that is appropriate for their role will help them to make informed decisions that can help to keep your systems safe.
6. Employ a Zero Trust Strategy
Using a zero-trust strategy for your network communication can help to reduce vulnerability points significantly. There are a variety of different steps that can be involved in a zero trust policy. Some examples include requiring network authentication to take place with all communication, preventing employees from saving passwords, and using proper certificates on all network environments.
7. Backup Data to Secured Locations
Backing up your data is essential. At a minimum, you should make sure that the backed-up data is fully encrypted to prevent unauthorized access. For highly sensitive or critical data, using cold storage or offline drives is often recommended.
Keeping the backup devices physically separated from the rest of the network will prevent them from getting infected by ransomware or other issues should the rest of the systems be breached.
8. Keep Devices Updated
Your IT team should have a strategy in place for making sure that all devices that connect to the network have been updated to the latest approved versions. This includes keeping the operating systems updated as well as all applications that are being used.
Outdated software represents a significant security risk.
9. Enable Auto-Lock Features on All Devices
Implement a policy that will enable the auto-lock feature on all devices that connect to the network. Set the amount of time before a device locks to the lowest level that will still allow employees to work efficiently.
This is an important policy in healthcare facilities because there are non-employees who are regularly in the area and you want to make sure that they cannot simply pick up a device and access your network.
10. Perform Regular Updates to Antivirus and Anti-Malware Software
All antivirus and anti-malware programs should be kept up to date with the latest information so that they can detect issues as early as possible.
11. Ensure Data is Properly Wiped or Destroyed When Devices Reach End of Life
Any device that is broken or reaches its end of life should go through a full data elimination process that not just deletes the information, but fully overwrites it so that it cannot be recovered. For even greater security, have the storage drives on these devices physically destroyed before the equipment can be sold, donated, or recycled.
12. Perform Annual Cybersecurity Assessments
This will ensure your team is up to date on environmental or technological changes that may influence your cybersecurity posture.
13. Conduct Third Party Security Testing
Hiring third-party cybersecurity companies to audit your system can give you an outside perspective and help you to discover vulnerabilities. These companies can also perform penetration testing to attempt to reveal any risks to your systems.
14. Require Secure Connections from Outside Your Network
If you have any employees who need to connect to your systems from outside your network, make sure that a trusted connection is established first. This can be done through an approved VPN that will properly encrypt all the data that is transmitted and received.
15. Use a Strong Authentication Strategy
A good authentication strategy starts with an effective username and password policy. Require that your users employ an effective password that follows industry best practices. In addition, implementing a one-time passcode or other two-factor authentication requirement will reduce the risk of people gaining unauthorized access to your network.
16. Use Permissions to Limit Access to Sensitive Data
The healthcare industry relies on highly sensitive data to help patients get the care that they need. This data is also very valuable to hackers and other bad actors. Segmenting data effectively and limiting access to each piece of data to only those who have a need for it will help to keep information safe. If you have any other questions about cybersecurity in the healthcare industry, contact us.