Healthcare organizations worldwide are up against an evolving problem: IT security risk. With a wealth of digitized personal information, these organizations are an enticing target for malicious hackers. And, with so many endpoints in use, it's easy to see how great the danger is.
Since 2009, 1/3 of Americans have been victims of a healthcare company breach. The requirement for healthcare information security is clear. It's time to raise the bar.
Adopt these ten tactics in your healthcare organization to increase the security around your information and systems.
1. Defend The Perimeter
Protecting your perimeter is the starting point for IT security. Having the latest Tier 1 firewall (like Cisco with the Firepower solution) is a good starting point. The latest firewall from a 2nd Tier vendor might be OK for a small office, but not for an enterprise IT operation with EPHI at risk. Your firewall needs to do more today. At the end of March 2016, 93 percent of phishing emails contained encryption ransomware.* With the rapid evolution of hospital IT security threats, like ransomware and advanced malware, you need proactive protection and prevention.
2. Defend Your Endpoints
You can't prevent every single breach. If something does get in, you must have defenses in place to protect your team. Endpoint defense is twofold: Tier 1 antivirus systems and advanced malware protection. Antivirus systems NEED to know what to look for, and not all antivirus systems are created equal, so configuring it to take advantage of the right feature(s), such as allowing for USB controls and enabling device lockouts, is critical. Advanced malware protection guards your endpoints against the more sophisticated threats, like ransomware.
3. Educate Your Team
Training can't be a one-and-done deal; it must be continual. You can have all the systems in place, but if someone gets an email that contains a virus and clicks on the attachment, your systems may be easily breached. Education is the biggest key to protecting your healthcare IT systems because users are the weakest link in the IT security chain. Train your team to watch out for emails or sites that may seem credible but contain pages, logos or links that have been manipulated.
Here are a few suggestions on how to share information and education that will get your teams and clinicians to pay attention:
- Run a phishing test to see who clicks on malicious links or opens attachments - then share the actual possible risk that can be involved if it were a real email containing a virus. Approximately 70% of staff typically follow the phishing link in our Information Security Audit tests, so it’s a very important piece to train employees on. Consider giving out a small prize to those who actually come and confess if they clicked on the link or opened the attachment - creating trust to share if a mistake is made is very important.
- Add a cybersecurity tip column to your internal newsletter or communications.
- Get your CEO on board to create a video (consider a silly or fun video!) letting your staff know about a cybersecurity tip.
- Create cybersecurity training quizzes and recognize the folks who receive 100% on the quizzes.
- Persuade your C-suite/Board to invest in cybersecurity by presenting them with the real repercussion cost scenarios. HIPAA fines for hospitals can total hundreds of thousands of dollars, sometimes millions. Ransomware has cost healthcare organizations additional thousands of dollars to get their data back. A larger cost to consider today is the number of facilities that have literally been shut down for weeks because they can’t access their EHR due to a ransomware attack.
4. Frequently Change Passwords
The frequency with which users should change passwords is often debated. There are really two options to consider with changing passwords. Some recommend that passwords be changed as often as every 30, 60 or 90 days. However, this security measure is counteracted when users write down the passwords or simply add a digit, making them easy to guess. We recommend you communicate to your team that passwords must be complex, and when they are changed, they should be completely different from their predecessors. Enforce this as a best practice through Group Policy. To avoid end-user pushback, consider providing enhanced authentication tools to make the end-user experience better and more effective and to get better compliance. It is a relatively small investment with a big payoff.
5. Adopt Two-Factor Authentication
In some cases, one password isn't good enough. For increased IT security, many organizations implement two-factor authentication programs. Even if your passwords were easily hacked, the hacker would not have access to your second form of identification, like a biometrics scan, badge or keycard. You would still be protected. If you do this right, your end users should see this as you looking out for their best interest and providing tools to improve their productivity.
There are already some states that require two-factor authentication for things like narcotic dosing, and it may not be long before it's a requirement in any clinical setting, so why not prepare now? The enhanced authentication tools referenced in point #4 are a way to ensure end-user compliance.
6. Monitor The Cloud
The cloud, when used and monitored correctly, has the potential to increase your hospital's security. However, it could also increase your vulnerability, as it adds more layers of IT systems that need protection. One key to cloud protection is choosing a secure, private cloud partner.
7. Protect Mobile Devices
Because mobile devices are in hands at all times, they're a critical security concern. What people can and can't put on their phones should be restricted, and security measures should be in place to keep mobile devices from becoming the source of a breach. Your organization must have the ability to shut down a mobile device if a breach is detected.
8. Create A Security Budget
Healthcare has spent an average of 3% of its IT budget on cybersecurity. Compare that to the banking industry, which has long spent 7-9% of its IT budget on cybersecurity. More of your IT budget needs to be allocated for cybersecurity purposes; you simply cannot cut corners and effectively protect yourself.
9. Create a Crisis Communication Plan
If (and likely when) you face a security breach in your hospital, you must also have a strong communication plan in place to address it. Develop an understandable, repeatable plan that your entire staff can follow. You should have a chain of breach notification, reaching from your hospital IT team to your IT leadership team to your legal team and all the way up to your C-suite. Most organizations today invest in IT cybersecurity insurance. Those insurers can be a great asset for plan development at no extra cost by providing guidelines, templates and tools.
10. Have a Backup/Archive Plan in Place
You'll need to make sure you have a backup and archiving plan to ensure that your data can be successfully and reliably restored. Recovery from backup is still the safest and most reliable resolution path for a ransomware attack. After the ransomware event happens is not the time to validate the quality of your backups. So audit your backup and RECOVERY solutions now against best practice, and then develop a disciplined, proactive test-recovery process. However, it's not enough to just back up and replicate data. You must consider archiving as part of your total strategy. Here is a glimpse into our archive/retention policy:
- Daily removable media kept offsite utilizing a two week rotation
- Weekly removable media kept offsite utilizing a four week rotation
- Monthly removable media kept offsite utilizing a twelve month rotation
- Yearly removable media will be kept offsite for multiple years
- Removable media is in a secure offsite location, at a distance that mitigates impact from a single event. Be sure the offsite location allows emergency, off-hours access that meets recovery time objectives
- Simple file recovery tests are performed monthly - randomizing recovery test files to validate different segments of the backup each month
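The rotation windows above can be audited with a small retention calculator. The following is an added example, not code from the original post or its authors; it assumes the yearly copy is the first backup of the year, the monthly copy the first of each month and the weekly copy Sunday (the page does not say which day each set is taken), and it uses 7 years as a labelled placeholder for "multiple years".

```python
from datetime import date, timedelta
import random

# Rotation windows taken from the policy above. "Multiple years" for the
# yearly set is not quantified on the page; 7 is an assumed placeholder.
DAILY_DAYS = 14       # two-week rotation
WEEKLY_DAYS = 28      # four-week rotation
MONTHLY_MONTHS = 12   # twelve-month rotation
YEARLY_YEARS = 7      # assumption: page only says "multiple years"

def media_set(backup_day: date) -> str:
    """Assign a nightly backup to the media set that keeps it longest.
    Assumption (not on the page): yearly = Jan 1, monthly = 1st of the
    month, weekly = Sunday, everything else = daily."""
    if backup_day.month == 1 and backup_day.day == 1:
        return "yearly"
    if backup_day.day == 1:
        return "monthly"
    if backup_day.weekday() == 6:
        return "weekly"
    return "daily"

def is_retained(backup_day: date, today: date) -> bool:
    """True if the media holding this backup has not yet been re-used."""
    age_days = (today - backup_day).days
    age_months = (today.year - backup_day.year) * 12 + today.month - backup_day.month
    tier = media_set(backup_day)
    if tier == "yearly":
        return today.year - backup_day.year < YEARLY_YEARS
    if tier == "monthly":
        return age_months < MONTHLY_MONTHS
    if tier == "weekly":
        return age_days < WEEKLY_DAYS
    return age_days < DAILY_DAYS

def retained_backups(first_day: date, today: date) -> dict:
    """Walk every nightly backup since first_day and list the restore points
    still on media, grouped by set (an audit of what you could recover today)."""
    kept = {"daily": [], "weekly": [], "monthly": [], "yearly": []}
    day = first_day
    while day <= today:
        if is_retained(day, today):
            kept[media_set(day)].append(day)
        day += timedelta(days=1)
    return kept

def restore_test_sample(backup_files: list, year: int, month: int, k: int = 3) -> list:
    """Monthly recovery test: a reproducible random sample seeded by the
    month, so each month exercises a different part of the backup set."""
    rng = random.Random(f"restore-test-{year}-{month:02d}")
    return sorted(rng.sample(backup_files, k))
```

Run `retained_backups(date(2023, 1, 1), date.today())` against your own media inventory to spot restore points that should still exist but don't.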
Securing your healthcare organization's IT systems doesn't begin and end with your IT team. This is a threat that affects every user at every endpoint, and your entire organization needs to be on board, working to keep your systems secure.
A culture of security awareness should be created through education, planning, monitoring and communication. It's always better to be safe than sorry when it comes to IT security.
Want to learn more about IT security measures for your hospital? Our down-to-earth cybersecurity representatives are helping community hospitals and clinics with these strategies every day. Give us a call and we'll see how we can help!