Does Your Cybersecurity Program Have What It Takes?

At a time when the risks of attacks on our health data have never been higher, we catch up with Dan Dodson, President of Fortified Health Security – to get his views on where the risk is – and what you can do about it. This is what Dan says:

Hackers have clearly placed a bullseye on healthcare organizations. Cybersecurity breaches continue to occur among healthcare providers so pervasively that their numbers exceed those of health plans and business associates combined. Steps must be taken to protect patients, whether from ransomware or from attacks on connected medical devices; the stakes are simply too high.

Any significant cybersecurity breach results in a big drop in patient confidence. Pressure from patients, as well as from inside organizations, is forcing healthcare providers to guard their reputations, develop strategies for better patient engagement and provide increased amounts of sensitive data to multiple interconnected devices.

It’s important for a healthcare organization to recognize the potential impacts of a breach on their organization before one occurs instead of only investing in cybersecurity after they have been negatively impacted by an incident. Yet, at that point, it may be too late for some patients. Reports suggest that nearly forty percent of consumers would abandon or hesitate using a health organization if it is hacked. Fifty percent of consumers would avoid or be wary of using a medical device if a breach was reported and thirty-eight percent would be wary of using a hospital associated with a previously hacked device.

The best prevention against any attack is understanding the fundamentals of a strong cybersecurity program. With proactive employee involvement, a clear process to identify and prevent cybersecurity threats, and understanding that technology is only part of the equation, healthcare providers can better serve and protect patients.

In my view, there are three simple steps that you can take.

Employee training is the first line of defense against hackers.

Your employees are your first line of defense to prevent successful attacks and/or breaches. Educating your employees/users on threats to your organization, safe web browsing practices, the hazards of clicking embedded links or opening attachments in unverified emails, and the need to scrutinize emails before opening them are just some of the basics.

In order to take your employees’ education to the next level, you should conduct simulated social engineering exercises and campaigns. This will give employees “real world” experience in dealing with such attacks. Social engineering is still the easiest and most effective way that malicious individuals are able to access sensitive information.

Have a process to identify and prevent cybersecurity threats.

Cybersecurity starts with people, but must be strengthened by processes for backups, incident reports, breach notifications, and disaster recovery. It is critical that organizations develop a multi-phased vulnerability management process that includes vulnerability scanning, risk acceptance, and remediation for security risks.

This process is critical to recognizing the potential impacts of a breach on your organization before one occurs so it is clear what steps your team will take to protect patient data. Far too often, healthcare organizations only start investing in a cybersecurity process after they have been negatively impacted by an incident, and at that point, it may be too late for some patients.

Cybersecurity is more than just technology.

Technology by itself is not the answer to protect an organization from a cybersecurity attack, but combined with dedicated people and a defined process, it completes the cybersecurity prevention trifecta.

Technologies such as Security Information and Event Management (SIEM), Data Loss Prevention (DLP) or Intrusion Prevention Systems (IPS) can be leveraged to identify and even react to a ransomware attack as it is happening. Custom policies and rulesets can be utilized to alert in real time that there is something awry within the operating environment. Additionally, Network Access Control (NAC) platforms could make the isolation of infected devices quicker and easier.

Stakes are too high to put patients at risk.

Cybersecurity threats at their core are patient safety risks. The stakes are high and if you wait until after a breach or attack to take action, it’s too late. The best prevention against any attack is a proactive security strategy built around people, process and technology. Now that you know the fundamentals, lead your healthcare organization through a HIPAA Risk Analysis to see if your organization has what it takes. Remember, protecting your organization from a cybersecurity threat is a journey that requires constant attention and never stops.

About the Author

Dan L. Dodson serves as President of Fortified Health Security, where he helps healthcare organizations effectively develop the best path forward for their security program based on their unique situation. Dan currently serves on the Southern Methodist University Cyber Security Advisory Board. Dan holds an M.B.A. in Health Organization Management and a B.S. in Accounting and Finance from Texas Tech University.
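Dan's third point mentions custom SIEM rulesets that alert on a ransomware attack while it is happening, and NAC platforms that isolate infected devices. The following is an added editor's example of the kind of correlation logic such a rule implements; it is not Fortified's or Dan Dodson's code and does not use any real SIEM or NAC product's rule syntax. It runs in Python over constructed file-server audit events (the host names, user names, file paths, extension list and thresholds are all illustrative assumptions): a host that performs many file modifications inside a short window, most of them producing ransomware-style extensions, raises an alert and is put on the list of hosts to quarantine, while an equally busy but legitimate batch job does not.

```python
"""Sliding-window correlation rule for ransomware-like file activity.

Editor's illustrative example: the telemetry below is constructed, and the
extension list and thresholds are assumptions, not a vendor's rule set.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    host: str
    user: str
    action: str  # WRITE, RENAME or READ
    path: str


# Illustrative extensions that encryptors commonly append; a real rule would
# pull this from threat intelligence and also watch for ransom-note filenames.
SUSPICIOUS_EXTENSIONS = {".locked", ".crypt", ".encrypted"}


def extension(path: str) -> str:
    """Return the lower-cased final extension of a Windows or POSIX path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def detect_ransomware_bursts(events: List[Event], window_seconds: int = 60,
                             min_modifications: int = 20,
                             min_suspicious_ratio: float = 0.5) -> List[dict]:
    """Alert once per host whose WRITE/RENAME events inside a sliding window
    exceed min_modifications AND mostly yield suspicious extensions.

    The second condition is what separates an encryptor from a legitimate
    bulk export or backup, which is just as noisy but keeps normal extensions.
    """
    window = timedelta(seconds=window_seconds)
    recent: Dict[str, Deque[Event]] = defaultdict(deque)
    alerts: List[dict] = []
    alerted_hosts = set()
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.action not in ("WRITE", "RENAME"):
            continue  # reads do not change files; ignore them
        q = recent[e.host]
        q.append(e)
        while q and e.ts - q[0].ts > window:
            q.popleft()  # drop events that fell out of the window
        if len(q) >= min_modifications and e.host not in alerted_hosts:
            suspicious = sum(1 for x in q if extension(x.path) in SUSPICIOUS_EXTENSIONS)
            ratio = suspicious / len(q)
            if ratio >= min_suspicious_ratio:
                alerted_hosts.add(e.host)
                alerts.append({
                    "host": e.host,
                    "user": e.user,
                    "first_seen": q[0].ts,
                    "last_seen": e.ts,
                    "modifications": len(q),
                    "suspicious_ratio": ratio,
                })
    return alerts


def hosts_to_isolate(alerts: List[dict]) -> List[str]:
    """Hosts a NAC integration would quarantine; the actual quarantine call is
    product-specific and deliberately left out of this example."""
    return sorted({a["host"] for a in alerts})


def build_sample_events() -> List[Event]:
    """Constructed sample telemetry (not real data)."""
    base = datetime(2018, 3, 5, 9, 0, 0)
    events: List[Event] = []
    # WS-REG-01: a clerk saving a document every 20 seconds (normal rate).
    for i in range(30):
        events.append(Event(base + timedelta(seconds=20 * i), "WS-REG-01", "aclerk",
                            "WRITE", f"\\\\fs01\\registration\\intake_{i}.docx"))
    # WS-PACS-02: a legitimate bulk export, 30 DICOM files in 30 seconds.
    for i in range(30):
        events.append(Event(base + timedelta(minutes=2, seconds=i), "WS-PACS-02", "svc_pacs",
                            "WRITE", f"\\\\fs01\\imaging\\study_{i}.dcm"))
    # WS-RAD-07: 40 files renamed with a .locked suffix within 30 seconds.
    for i in range(40):
        events.append(Event(base + timedelta(minutes=5, milliseconds=750 * i), "WS-RAD-07",
                            "jsmith", "RENAME", f"\\\\fs01\\radiology\\report_{i}.pdf.locked"))
    return events


if __name__ == "__main__":
    found = detect_ransomware_bursts(build_sample_events())
    for a in found:
        print(f"ALERT {a['host']} ({a['user']}): {a['modifications']} modifications, "
              f"{a['suspicious_ratio']:.0%} suspicious, {a['first_seen']} .. {a['last_seen']}")
    print("isolate:", hosts_to_isolate(found))
```

The volume threshold alone would flag the PACS export as well as the encryptor; requiring that most of the modified files carry a suspicious extension keeps that false positive out. In a production SIEM the same two conditions are expressed as a correlation rule over file-audit or EDR telemetry, and the isolation step is handed to the NAC rather than left as a list.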

Cybersecurity again in the News…

We look briefly at two companies that have got in touch…

Fortified Health Security has recently partnered with Beacon Health System to strengthen the health system’s overarching cybersecurity program. Their Kristin Deuber writes to us to say:

“The program kicked off in April 2017, during the formation of Beacon, which required the health system to consolidate policies and to implement a more unified and centralized cybersecurity program. Fortified discovered through its baseline research that the health system had moderate cybersecurity system development with data loss prevention, and had deployed a SIEM solution on limited systems. In addition, like most healthcare organizations today, there was zero SIEM visibility into their medical device inventory, as well as the risks associated with those connected devices.” She attached some deeper info, which is available on demand from us here at ProfoMedia. And we have invited their President, Dan Dodson, to write a guest article – so watch this space.

Also out of the blue is Proficio, whose Tamara Yaravoy says that they have won some eleven cybersecurity excellence awards. This is clearly better than my 200 m swimming certificate from when I was a kid. She goes on to explain in more detail:

“In the Cybersecurity Excellence Awards, Proficio won gold in the Best Managed Security Services and Cybersecurity Team of the Year – North America categories. The company was also recognized with a bronze award in the Best Cybersecurity Company category, where they had competed against forty other cybersecurity companies.

Proficio secured top honors in the Info Security PG’s Global Excellence Awards, placing in four different categories. The company won gold in the Cyber Security Vendor Achievement of the Year category for significantly expanding its operations in North America, EMEA, and APAC, silver for Best Security Company of the Year (Services), bronze in the Best Overall Security Company of the Year category, silver in the Managed Security Services category for its SOC-as-a-Service offering, and bronze in the Managed Security Services category for its Splunk Enterprise and Splunk Enterprise Security services. Proficio was the only cybersecurity company to be recognized with two awards in the Managed Security Services category.

In the Cloud Computing Excellence Awards, Proficio was recognized for excellence and innovation in their SOC-as-a-Service offering. Proficio was one of only nine companies selected for this award which honors vendors that have most effectively leveraged cloud computing in their efforts to bring new, differentiated offerings to market.

Proficio was once again awarded a placement on the Security 100 of CRN’s 2018 MSP 500 list as well as San Diego Business Journal’s Top Cybersecurity Organization List. The CRN Security 100 list is designed to help partners wade through the ever-expanding security market, from the long-standing legacy vendors to the niche players, and navigate the fast-growing security vendor market.”

Cyber security in healthcare is expected to remain the target of choice for malevolent actors trying to destabilise how our services work. Last year’s attacks on UK hospitals showed the risks of relying on unsupported operating systems such as Windows XP, and that was just the start.

You can look back at our earlier pages on other cyber vendors. Do contact these and the above vendors as this topic will become more visible as the year goes on.