Security is vital to the healthcare industry. Thirteen percent of CIOs, CTOs and CSOs reported being targeted by external threat attempts almost once a day, and 12 percent reported about two or more attacks per week. Furthermore, 16 percent of healthcare organizations admitted they are unable to detect in real time if their systems are compromised.
Only half of providers today believe they are adequately prepared for a cyber attack.
Security is to healthcare as the immune system is to the human body. Without proper security hygiene, organizations are more susceptible to contracting Trojans and computer virus outbreaks. They also become a breeding ground for employee ignorance, which can lead to criminal infiltration.
One response to the state of the healthcare system’s immune system is the highly criticized Cybersecurity Information Sharing Act of 2015 (CISA). This act aims to reduce cyber attacks on the healthcare industry by encouraging organizations to share information related to malicious hacker attempts, outcomes, and methods used. The idea is to learn from the misfortunes of others to safeguard from similar future attacks.
In essence, the healthcare sector is in the process of constructing a virtual network for information sharing, like the central nervous system and its delivery of messages from the brain to various parts of the body. But unlike the central nervous system, this virtual network lacks universal guidance. It has no nationally recognized and supported framework or accrediting body to standardize how the network, including concrete construction elements, is built.
Legislators are recognizing how dire the need is for greater security in the healthcare sector, but some people fear that government agencies will be able to use information shared by companies to spy. Others feel this act creates more opportunity for data to be intercepted by cybercriminals. Furthermore, the Act doesn’t address problems such as outdated software, unencrypted file storage, and malware, which are among the true reasons why healthcare hygiene is in such poor condition.
A doctor can only do so much to help a patient get better; in the end, it’s up to the patient to adopt a healthier lifestyle. The same can be said of the healthcare industry and its outlook on security. Healthcare organizations must do their part to increase defense. Consider these five ways to ensure good healthcare security hygiene.
1. Take Stock
Hospitals improve care by using technologies like wearables, applications, the Internet of Things, robots and more, which means data is spread across many devices. Organizations must have a clear understanding of where all data exists (both at rest and in transit) and, furthermore, a better grip on the number of applications deployed. Healthcare organizations can’t begin to protect themselves properly if they don’t have a detailed overview of everything they own and use. Data is no longer tied to a single computer. Taking stock will aid in the construction of an information security roadmap that guides the creation of improved security policies.
2. Adopt a Zero Trust Security Model
Too many healthcare organizations are victimized by data breaches that could have been prevented by the most basic security measures. To prevent joining this wall of shame, healthcare organizations should adopt a zero trust security model. This includes scrutinizing all permissions, accesses, identity management, and policies. Healthcare organizations should no longer tolerate assumptions about user accounts or the intentions of others. Just one mistake could result in data catastrophe.
3. Workshop Attack Responses
If your organization doesn’t know what a security threat looks like, how will it be able to identify when one strikes? IT leaders and departments should workshop their response to a security threat to ensure, if the time comes, that they know exactly what they’re dealing with and how best to respond. Workshops should include analyzing case studies regarding healthcare attacks to determine what caused the attack, how the victim could have responded better, and what damages resulted.
4. Implement Two-Factor Authentication
InformationWeek shared a survey finding that 88 percent of respondents store their work passwords in an insecure location, and 54 percent use the same passwords for work as they do for personal accounts. In line with the zero trust security model, healthcare organizations cannot trust that employees are being responsible with their use of passwords. For this reason, organizations should implement a two-factor authentication process.
A two-factor authentication process is an extra layer of security that requires a username, password, and one other factor that only the user has access to, such as a piece of information or a physical token. By implementing this additional security measure, organizations can better control intentional and unintentional access to systems and applications.
5. Go Beyond the Latest Security Technology
Investing in and continually updating security technologies is imperative to healthcare security hygiene, but organizations must look beyond protective tools and actually understand the core principles involved in safeguarding data, including:
- Knowing what systems are in need of defense
- Taking inventory of those systems
- Knowing what software is and is not allowed to run in the organization
- Understanding how systems need to be configured
At the end of the day, healthcare security hygiene depends on an organization’s ability to shift its entire cultural focus to one that is security-centric. The act of protecting data does not rest solely on the shoulders of the CSO or the IT department. It’s an endeavor that must be shared by all users who access and utilize the confidential data. Like personal hygiene, healthcare security hygiene is also not a one-time behavior. Consistency and diligence are key to maintaining a healthier, more secure environment.
About the Author
Greg Miller is a Principal at Schellman. Greg leads the HITRUST service line. Greg has more than 20 years of combined audit experience in both public accounting and private industry.