Addressing Security Exposures
So what can hospitals and other healthcare providers do to protect their systems and data from these threats? Firm Guardian offers the following tips:
Trust but verify. IT teams that support business operations need to be challenged (albeit in a productive way). It’s important to determine what assessments and standards are being used to verify controls and to measure risk. But it’s not enough to look at assessments and standards. Accountability is the proof point. Assessments are only as valuable as the steps you take after performing them to correct the issues.
Create effective plans and policies (then test them). To remain secure, businesses need to put in place security plans and policies that minimize the risk of a security breach and effectively deal with the aftermath if a breach should occur. And those plans and policies need to be tested to verify that they work well. Security plans and policies should include:
Backup and disaster recovery plans. If a breach or disaster occurs in a hospital or other healthcare institution, it's vital that patient records and other data be quickly recoverable from a backup so as not to endanger lives.
Mobile device policy. The use of mobile devices in business is increasing dramatically, and as it does, so too do security exposures related to the use of those devices. It’s important that an organization have an effective and tested security policy in place for the use of mobile devices.
Security awareness policy. A good security program needs to include training policies that educate personnel about security policies and plans and heighten their security awareness. An important facet of security awareness training is simulation that mimics malicious social engineering approaches, such as phishing and spear phishing, designed to trick employees into divulging sensitive information.
Information security policy. The heart of a mature security posture is an information security policy that protects vital data from unauthorized access, maintains integrity of critical business data, and is free from disruption. The policy should not only protect data from hackers and cyber criminals, but also protect against inadvertent data exposures from insiders.
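The backup and disaster recovery item above stresses that plans must be tested, not just written. The script below, added here as an illustration and not Firm Guardian's or any vendor's tooling, performs the most basic restore test: it backs up a directory to a compressed archive with a SHA-256 manifest, restores the archive to a scratch location, and reports every file that is missing or altered after the restore. The "patient record" files, the directory layout and the stale-backup scenario are all constructed for the example.

```python
"""Restore test for a file backup: back up, restore, verify by hash.
Added example; the sample records and paths are constructed."""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_of(source: Path) -> dict:
    """Map every regular file under `source` (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(source).as_posix(): sha256_of(p)
        for p in sorted(source.rglob("*"))
        if p.is_file()
    }


def make_backup(source: Path, archive: Path) -> dict:
    """Write a gzip tar of `source` and return the manifest taken at backup time."""
    manifest = manifest_of(source)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in manifest:
            tar.add(source / rel, arcname=rel)
    return manifest


def verify_restore(archive: Path, expected: dict, restore_dir: Path) -> list:
    """Restore `archive` into `restore_dir` and compare against `expected`.
    Returns a list of problems; an empty list means the restore test passed."""
    problems = []
    with tarfile.open(archive, "r:gz") as tar:
        # refuse archives whose member names could escape the restore directory
        for m in tar.getmembers():
            if m.name.startswith("/") or ".." in Path(m.name).parts:
                problems.append(f"unsafe path in archive: {m.name}")
        if problems:
            return problems
        # use the 'data' extraction filter where this Python version supports it
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **kwargs)
    for rel, digest in expected.items():
        restored = restore_dir / rel
        if not restored.is_file():
            problems.append(f"missing after restore: {rel}")
        elif sha256_of(restored) != digest:
            problems.append(f"hash mismatch after restore: {rel}")
    return problems


def run_restore_test(stale: bool = False) -> list:
    """End-to-end drill on constructed data. With stale=True a record is written
    after the backup was taken, so the restore no longer matches the live data
    and the test reports the gap instead of silently passing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        src = root / "records" / "ward7"
        src.mkdir(parents=True)
        (src / "patient-0001.txt").write_text("constructed sample record 1\n")
        (src / "patient-0002.txt").write_text("constructed sample record 2\n")
        archive = root / "records.tar.gz"
        make_backup(root / "records", archive)
        if stale:
            (src / "patient-0003.txt").write_text("written after the backup\n")
        expected = manifest_of(root / "records")  # what a restore must reproduce now
        restore_dir = root / "restore"
        restore_dir.mkdir()
        return verify_restore(archive, expected, restore_dir)


if __name__ == "__main__":
    print("clean restore:", run_restore_test() or "OK")
    print("stale backup:", run_restore_test(stale=True))
```

The point of the drill is the comparison against a manifest of the live data rather than against the archive's own contents: a backup that runs but silently lags behind production passes the first check and fails the second, which is the failure mode a recovery plan is most likely to meet in practice.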
Automate operating system and software updates. Keeping operating systems and software up to date is an important protection against security breaches. WannaCry ransomware attacks like the one targeting Britain’s NHS typically affect computers that do not have the latest security patches installed. In addition, operating system and software updates may themselves introduce vulnerabilities due to bugs. Because patches that correct these vulnerabilities often follow the updates, it’s important to apply the patches as soon as possible. An automated patching cadence that applies patches frequently can protect against these vulnerabilities. Firm Guardian recommends at least a monthly patching cadence.
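A patching cadence is only useful if someone checks that hosts actually keep to it. The script below is an added example, not Firm Guardian's tooling, of the compliance check that pairs with an automated monthly cadence: it takes a host inventory (constructed here; in practice it would come from a patch-management or asset system) and reports every host whose last completed patch run is older than the 30-day window, has no patch record at all, or has automatic updates switched off.

```python
"""Patch-cadence compliance check over a host inventory.
Added example; the inventory and dates below are constructed."""
from datetime import date

MAX_PATCH_AGE_DAYS = 30  # the monthly cadence recommended in the text

# Constructed inventory. `last_patched` is the ISO date the host last completed
# a patch run (None = no record); `auto_update` is whether automatic updates are on.
INVENTORY = [
    {"host": "ward7-ws01", "os": "Windows 10", "last_patched": "2017-06-10", "auto_update": True},
    {"host": "ward7-ws02", "os": "Windows 7", "last_patched": "2017-04-01", "auto_update": False},
    {"host": "pacs-srv01", "os": "Windows Server 2012", "last_patched": "2017-05-20", "auto_update": True},
    {"host": "lab-srv02", "os": "Ubuntu 16.04", "last_patched": None, "auto_update": False},
]


def patch_age_days(last_patched: str, today: date) -> int:
    """Days elapsed since the host's last completed patch run."""
    return (today - date.fromisoformat(last_patched)).days


def assess_host(host: dict, today: date) -> list:
    """Return the list of cadence findings for one host (empty = compliant)."""
    findings = []
    if host["last_patched"] is None:
        findings.append("no patch record")
    else:
        age = patch_age_days(host["last_patched"], today)
        if age > MAX_PATCH_AGE_DAYS:
            findings.append(
                f"last patched {age} days ago, exceeds {MAX_PATCH_AGE_DAYS}-day cadence"
            )
    if not host["auto_update"]:
        findings.append("automatic updates disabled")
    return findings


def compliance_report(inventory: list, today: date) -> dict:
    """Map each non-compliant hostname to its findings; compliant hosts are omitted."""
    report = {}
    for host in inventory:
        findings = assess_host(host, today)
        if findings:
            report[host["host"]] = findings
    return report


def compliance_ratio(inventory: list, today: date) -> float:
    """Fraction of hosts with no findings, for trending the cadence over time."""
    failing = len(compliance_report(inventory, today))
    return (len(inventory) - failing) / len(inventory) if inventory else 1.0


if __name__ == "__main__":
    as_of = date(2017, 6, 15)  # constructed "as of" date for the report
    for name, findings in compliance_report(INVENTORY, as_of).items():
        print(f"{name}: " + "; ".join(findings))
    print(f"compliant: {compliance_ratio(INVENTORY, as_of):.0%}")
```

Running the report on a schedule, and keeping the ratio over time, gives a non-technical owner the accountability signal the text asks for: a number that should stay near 100% and a named list of hosts when it does not.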
Create a defense in depth. A strong defense against cybersecurity threats can be created by implementing a solution that combines proactive and reactive technologies. One such approach is endpoint detection and response (EDR), which continuously monitors for and rapidly responds to cybersecurity threats. However, an EDR solution can be overly complex, producing large amounts of data and alerts. In addition, many EDR solutions rely on artificial intelligence that sometimes misses key information. A better approach recommended by Firm Guardian is managed EDR, which combines 24/7 threat monitoring, incident response, and alert filtering. Managed EDR provides deeper investigation, analysis, and validation of threats than EDR alone through a combination of advanced analytics, threat intelligence, forensic data collection, and human expertise.
Incremental changes can make all the difference. There are some basic steps that should be taken on the road to healthcare cybersecurity. The following steps have nothing to do with technology, but everything to do with establishing an effective environment to combat cybersecurity threats:
Get a working knowledge to understand risk. Learn what and where the security exposures are in the organization and its systems and networks. Ask questions and get answers from the people in the organization that have the expertise to properly identify and assess risk. Trust the experts.
Hold IT teams accountable without getting into technical babble. IT has a critical responsibility in cybersecurity, one that entails accountability. So establishing a culture of accountability, where IT takes ownership and accountability for the protection of the organization's data, systems, and networks is vital. A key element of that responsibility is reporting security risks, exposures, and responses without resorting to technical babble. Transparency is just as important as technology in protecting against cyber threats.
Establish a security culture. Cybersecurity is a shared responsibility: everyone in a healthcare organization needs to ensure that the organization's security plans and policies are followed. Personnel who are vigilant and motivated to protect patient records and other vital data are the most valuable armor in the defense against cybersecurity threats.