At a time when the risks of hacking into our health data have never been higher, we catch up with Dan Dodson, President of Fortified Health Security, to get his views on where the risk lies and what you can do about it. This is what Dan says:
Hackers have clearly placed a bullseye on healthcare organizations. Cybersecurity breaches continue to occur among healthcare providers so pervasively that their numbers exceed those of health plans and business associates combined. Steps must be taken to protect patients, whether from ransomware or from attacks on connected medical devices; the stakes are simply too high.
Any significant cybersecurity breach results in a big drop in patient confidence. Pressure from patients, as well as from inside organizations, is forcing healthcare providers to guard their reputations, develop strategies for better patient engagement and provide increased amounts of sensitive data to multiple interconnected devices.
It’s important for a healthcare organization to recognize the potential impacts of a breach before one occurs, instead of only investing in cybersecurity after it has been negatively impacted by an incident. By that point, it may be too late for some patients. Reports suggest that nearly forty percent of consumers would abandon or hesitate to use a health organization if it is hacked. Fifty percent of consumers would avoid or be wary of using a medical device if a breach were reported, and thirty-eight percent would be wary of using a hospital associated with a previously hacked device.
The best prevention against any attack is understanding the fundamentals of a strong cybersecurity program. With proactive employee involvement, a clear process to identify and prevent cybersecurity threats, and understanding that technology is only part of the equation, healthcare providers can better serve and protect patients.
In my view, there are three simple steps that you can take.
Employee training is the first line of defense against hackers.
Your employees are your first line of defense against successful attacks and breaches. Educating your employees and users on the threats to your organization, safe web browsing practices, the hazards of clicking embedded links or opening attachments in unverified emails, and the need to scrutinize emails before opening them are just some of the basics.
In order to take your employees’ education to the next level, you should conduct simulated social engineering exercises and campaigns. This will give employees “real world” experience in dealing with such attacks. Social engineering is still the easiest and most effective way that malicious individuals are able to access sensitive information.
Have a process to identify and prevent cybersecurity threats.
Cybersecurity starts with people, but must be strengthened by processes for backups, incident reports, breach notifications, and disaster recovery. It is critical that organizations develop a multi-phased vulnerability management process that includes vulnerability scanning, risk acceptance, and remediation for security risks.
This process is critical to recognizing the potential impacts of a breach on your organization before one occurs so it is clear what steps your team will take to protect patient data. Far too often, healthcare organizations only start investing in a cybersecurity process after they have been negatively impacted by an incident, and at that point, it may be too late for some patients.
Cybersecurity is more than just technology.
Technology by itself is not the answer to protect an organization from a cybersecurity attack, but combined with dedicated people and a defined process, it completes the cybersecurity prevention trifecta.
Technologies such as Security Information and Event Management (SIEM), Data Loss Prevention (DLP) or Intrusion Prevention Systems (IPS) can be leveraged to identify and even react to a ransomware attack as it is happening. Custom policies and rulesets can be used to alert in real time that something is awry within the operating environment. Additionally, Network Access Control (NAC) platforms can make the isolation of infected devices quicker and easier.
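As an added illustration of the kind of custom rule a SIEM could run in real time (this is example code written for this page, not code from the original article or from Fortified Health Security), the block below correlates file-server audit events and raises an alert when one host and user rename many files to the same unexpected extension inside a short window, a pattern typical of ransomware encrypting a share. The audit-line format, the hostnames, user names, extension allowlist, threshold and window size are all constructed assumptions for the example and would need to be tuned to a real environment.

```python
"""Minimal SIEM-style correlation rule over constructed file-server audit lines."""
from collections import defaultdict, deque
from datetime import datetime, timezone
import os

# Assumption: extensions normally seen on the monitored share (tune per environment).
KNOWN_EXTENSIONS = {".dcm", ".pdf", ".docx", ".xlsx", ".hl7", ".txt", ".bak"}

# Constructed sample audit log. Hypothetical format:
#   <iso-timestamp> <host> <user> <ACTION> <path> [<new_path for RENAME>]
# jsmith: a burst of renames to ".locked" (simulated encryption, should alert).
# akim: a few renames to ".tmp" spread over five minutes (noise, should not alert).
SAMPLE_LOG = """\
2024-05-01T09:00:01Z ws-radiology-07 jsmith WRITE /share/imaging/patient_0421.dcm
2024-05-01T09:00:02Z ws-radiology-07 jsmith WRITE /share/imaging/patient_0422.dcm
2024-05-01T09:00:10Z ws-radiology-07 jsmith RENAME /share/imaging/patient_0421.dcm /share/imaging/patient_0421.dcm.locked
2024-05-01T09:00:11Z ws-radiology-07 jsmith RENAME /share/imaging/patient_0422.dcm /share/imaging/patient_0422.dcm.locked
2024-05-01T09:00:12Z ws-radiology-07 jsmith RENAME /share/imaging/patient_0423.dcm /share/imaging/patient_0423.dcm.locked
2024-05-01T09:00:13Z ws-radiology-07 jsmith RENAME /share/imaging/patient_0424.dcm /share/imaging/patient_0424.dcm.locked
2024-05-01T09:00:14Z ws-radiology-07 jsmith RENAME /share/imaging/patient_0425.dcm /share/imaging/patient_0425.dcm.locked
2024-05-01T09:00:15Z ws-radiology-07 jsmith RENAME /share/imaging/patient_0426.dcm /share/imaging/patient_0426.dcm.locked
2024-05-01T09:10:00Z ws-billing-02 akim RENAME /share/billing/q1.xlsx /share/billing/q1.tmp
2024-05-01T09:10:01Z ws-billing-02 akim RENAME /share/billing/q2.xlsx /share/billing/q2.tmp
2024-05-01T09:10:02Z ws-billing-02 akim RENAME /share/billing/q3.xlsx /share/billing/q3.tmp
2024-05-01T09:15:00Z ws-billing-02 akim RENAME /share/billing/q4.xlsx /share/billing/q4.tmp
2024-05-01T09:15:01Z ws-billing-02 akim RENAME /share/billing/q5.xlsx /share/billing/q5.tmp
2024-05-01T09:15:02Z ws-billing-02 akim RENAME /share/billing/q6.xlsx /share/billing/q6.tmp
"""


def parse_line(line):
    """Parse one audit line into a dict, or return None for blank/malformed lines."""
    parts = line.split()
    if len(parts) < 5:
        return None
    ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    event = {"ts": ts, "host": parts[1], "user": parts[2], "action": parts[3], "path": parts[4]}
    if event["action"] == "RENAME":
        if len(parts) < 6:
            return None
        event["new_path"] = parts[5]
    return event


def suspicious_extension(path):
    """Return the file extension if it is outside the allowlist, else None."""
    ext = os.path.splitext(path)[1].lower()
    return ext if ext and ext not in KNOWN_EXTENSIONS else None


def detect_mass_rename(lines, threshold=5, window_seconds=60):
    """Sliding-window rule: alert when one (host, user) renames at least `threshold`
    files to the same unexpected extension within `window_seconds`. Each
    (host, user, extension) triple alerts once so the console is not flooded."""
    windows = defaultdict(deque)  # (host, user, ext) -> timestamps inside the window
    alerted = set()
    alerts = []
    for raw in lines:
        ev = parse_line(raw)
        if ev is None or ev["action"] != "RENAME":
            continue
        ext = suspicious_extension(ev["new_path"])
        if ext is None:
            continue
        key = (ev["host"], ev["user"], ext)
        q = windows[key]
        q.append(ev["ts"])
        # Drop events that have aged out of the window.
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({
                "host": ev["host"], "user": ev["user"], "extension": ext,
                "count": len(q),
                "first_seen": q[0].isoformat(), "last_seen": ev["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_rename(SAMPLE_LOG.splitlines()):
        print("ALERT possible mass-encryption:", alert)
```

With the defaults, only the radiology workstation trips the rule (the billing user never reaches five renames inside any sixty-second window), which is the point of keeping both a count threshold and a time window: either alone produces false positives on routine batch jobs. In a real deployment the alert record is what you would hand to a NAC platform to quarantine the host, which is the isolation step the paragraph above describes.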
Stakes are too high to put patients at risk.
Cybersecurity threats at their core are patient safety risks. The stakes are high and if you wait until after a breach or attack to take action, it’s too late. The best prevention against any attack is a proactive security strategy built around people, process and technology. Now that you know the fundamentals, lead your healthcare organization through a HIPAA Risk Analysis to see if your organization has what it takes. Remember, protecting your organization from a cybersecurity threat is a journey that requires constant attention and never stops.
About the Author
Dan L. Dodson serves as President of Fortified Health Security, where he helps healthcare organizations develop the best path forward for their security program based on their unique situation. Dan currently serves on the Southern Methodist University Cyber Security Advisory Board. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University.