The Complete Healthcare Industry Cybersecurity Checklist

complete healthcare industry cyber checklist
Date: October 13, 2022

Summary of Key Points

  • The healthcare industry is a prime target by cybercriminals due to the sensitive nature, and value, of the data
  • Creating a cybersecurity checklist and reviewing it regularly will help prevent many common breaches and ensure you stay up to date on changes in the threat environment
  • Our cybersecurity checklist for 2022 has 16 items for your organization to review

The healthcare industry continues to lag behind on cybersecurity, even as it is increasingly targeted by cybercriminals. Why is that, and what can you do to better protect your organization as we enter into 2023?

This article outlines the risks that the healthcare industry faces, alongside a 16-point checklist that will help keep your organization secure. If you need assistance, ask us about our managed cybersecurity services.

An employee confirming their computer is secure

The True Cost of Healthcare Cybersecurity Breaches

When most of us think of organizations being hacked or breached, we think of sensitive data being leaked, causing profits to plummet, or vital documents being held hostage until a ransom is paid. However, when it comes to the healthcare industry, often the true cost of an attack is much more than just money.

A breach may:

  • Impact access to patient data, including medical records
  • Negatively influence productivity
  • Cause immediate and lasting reputational harm
  • Result in sensitive information, including patient data, becoming accessible to bad actors
  • Have a tangible impact on the health and wellbeing of patients
  • Have direct financial costs, including the cost to remediate the breach and any fines that may have been incurred

One famous healthcare-focused cyberattack, the 2019 ransomware attack on the Grey’s Harbor Community Hospital and Harbor Medical Group, forced the hospital and the medical group’s clinics to revert to paper medical records. Though most records were recovered, it still isn’t clear if some medical records were permanently lost.

A breach can also damage the relationship between the patient and their healthcare team, as many patients may avoid seeking medical help if they are worried cybercriminals or other unauthorized users may access their private medical information.

Taking Action to Protect Your Systems

Whether you already have a cybersecurity plan in place or you are looking to implement one for the first time, it is important to get it right. This checklist will provide you with an important starting point that will help to ensure your healthcare facility’s network and data are protected.

Remember, cybersecurity is not something that you do once you are “done”. It requires constant vigilance. Going through this checklist regularly will help to ensure that your data is protected today and long into the future.

A computer displaying health data

1. Separate IT Strategy from Cybersecurity Strategy

Companies generally set up a cybersecurity department to be within the overall IT department. While this may seem to make sense at first, it can actually lead to a variety of different vulnerabilities. When cybersecurity is part of IT, the cybersecurity concerns become just one consideration of many when making decisions.

Setting up a cybersecurity department that is completely separate from the rest of the IT department makes it easier to create and enforce standards that will keep systems protected.

2. Transition Away from Centralized Security Policies

While centralized security policies are much easier to create and manage, they are generally not as secure because they often use a ‘one size fits all’ approach to many security threats.

Transitioning to a strategy that creates cybersecurity policies and manages permissions based on the specific needs of individuals or departments is more effective.

3. Harness Encrypted Email and Messaging Tools

All of your communication tools should be fully encrypted from end to end, including emails, text, and instant messaging. This is important in all industries, but especially so in a healthcare setting given the sensitive nature of patient information.

See also: managed endpoint protection services.

4. Restrict Access to the Network to Approved Devices

Modern healthcare facilities typically have doctors, nurses, and administrators creating and accessing digital records. Choosing specific devices from trusted vendors is an important step toward ensuring that only devices that meet your security requirements are able to connect to the network. This can make it much easier for your security team to monitor for vulnerabilities, implement patches, and maintain a secure environment.

See also: staying secure in a BYOD world.

5. Provide Cybersecurity Training to All Employees

While a cybersecurity team is going to be primarily responsible for keeping your network and data safe, everyone who is able to connect to your network has a role to play in keeping your data safe.

Providing all employees with cybersecurity training that is appropriate for their role will help them to make informed decisions that can help to keep your systems safe.

6. Employ a Zero Trust Strategy

Using a zero-trust strategy for your network communication can help to reduce vulnerability points significantly. There are a variety of different steps that can be involved in a zero trust policy. Some examples include requiring network authentication to take place with all communication, preventing employees from saving passwords, and using proper certificates on all network environments.

7. Backup Data to Secured Locations

Backing up your data is essential. At a minimum, you should make sure that the backed-up data is fully encrypted to prevent unauthorized access. For highly sensitive or critical data, using cold storage or offline drives is often recommended.

Keeping the backup devices physically separated from the rest of the network will prevent them from getting infected by ransomware or other issues should the rest of the systems be breached.

A person updating their device to confirm it is secure

8. Keep Devices Updated

Your IT team should have a strategy in place for making sure that all devices that connect to the network have been updated to the latest approved versions. This includes keeping the operating systems updated as well as all applications that are being used.

Outdated software represents a significant security risk.

9. Enable Auto-Lock Features on All Devices

Implement a policy that will enable the auto-lock feature on all devices that connect to the network. Set the amount of time before a device locks to the lowest level that will still allow employees to work efficiently.

This is an important policy in healthcare facilities because there are non-employees who are regularly in the area and you want to make sure that they cannot simply pick up a device and access your network.

10. Perform Regular Updates to Antivirus and Anti-Malware Software

All antivirus and anti-malware programs should be kept up to date with the latest information so that they can detect issues as early as possible.

11. Ensure Data is Properly Wiped or Destroyed When Devices Reach End of Life

Any device that is broken or reaches its end of life should go through a full data elimination process that not just deletes the information, but fully overwrites it so that it cannot be recovered. For even greater security, have the storage drives on these devices physically destroyed before the equipment can be sold, donated, or recycled.

12. Perform Annual Cybersecurity Assessments

This will ensure your team is up to date on environmental or technological changes that may influence your cybersecurity posture.

13. Conduct Third Party Security Testing

Hiring third-party cybersecurity companies to audit your system can give you an outside perspective and help you to discover vulnerabilities. These companies can also perform penetration testing to attempt to reveal any risks to your systems.

14. Require Secure Connections from Outside Your Network

If you have any employees who need to connect to your systems from outside your network, make sure that a trusted connection is established first. This can be done through an approved VPN that will properly encrypt all the data that is transmitted and received.

15. Use a Strong Authentication Strategy

A good authentication strategy starts with an effective username and password policy. Require that your users employ an effective password that follows industry best practices. In addition, implementing a one-time passcode or other two-factor authentication requirement will reduce the risk of people gaining unauthorized access to your network.

16. Use Permissions to Limit Access to Sensitive Data

The healthcare industry relies on highly sensitive data to help patients get the care that they need. This data is also very valuable to hackers and other bad actors. Segmenting data effectively and limiting access to each piece of data to only those who have a need for it will help to keep information safe. If you have any other questions about cybersecurity in the healthcare industry, contact us.

Post Categories