Not too long ago, “WannaCry,” a ransomware attack significantly impacted organizations around the globe last month. Another attack – “Petya” – spread quickly impacting Microsoft Windows-based computers. These types of attacks continue to be a major threat to information for all organizations.
In a recent report to Congress, the Healthcare Industry Cybersecurity (HCIC) Task Force made it clear: how now more than ever, all health care delivery organizations have a greater responsibility to security their systems, medical devices, and patient data. The Task Force also acknowledged that most healthcare organizations face significant resource constraints due to low operating margins, and how many organizations may not be able to afford cybersecurity personnel.
According to the Task Force, “Cybersecurity is a key public health concern that needs immediate and aggressive attention.” Whether through culture shifts and increased communication to and from leadership, or changes in the way healthcare professionals perform their duties in the clinical environment, it is important to prioritize cybersecurity within the healthcare industry.
The Task Force identified six high-level imperatives to help them organize recommendations and action items. The Task Force Imperatives are:
- Define and streamline leadership, governess, and expectations for healthcare industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the health care workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capacities.
- Increase health care industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, weaknesses, and mitigations.
What can your Organization do to Make Cybersecurity a Priority?
We believe there are simple steps your organization can take immediately to aggressively prevent Cyberattacks. The following list is by no means all inclusive; rather, they are six recommendations for healthcare organizations to consider:
- Batten down the hatches – According to the Department of Health and Human Services (HHS), “HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information.” For example, to protect your data from malicious software it is important for systems to be up-to-date with patches and updates. It is important to install anti-virus software that performs regular scans and updates. You may also consider installing anti-spyware and anti-adware software performs regular scans and updates.
- Know your devices – Anyone who has performed a Security Risk Analysis (SRA) with us knows we ask about your inventory. Do you know all of your devices (or employee owned devices) that are permitted to access electronic protected health information (ePHI)? It is very important to maintain an inventory of what devices and individuals are allowed to access information. For example, your inventory might include the device description (e.g. laptop and serial number), the location of the device (e.g. nurses station), and who is permitted to use the laptop (e.g. clinical staff).
- Just say no to weak passwords – Weak passwords continue to be a threat to data in the healthcare industry. Just say no to weak passwords by using strong passwords that are case sensitive, require a combination of letters, numbers and special characters. In addition, password length should be at least 6, preferably 8 characters in length. Your passwords should be changed periodically (i.e. once per quarter), and not reused. Finally, passwords should never be shared with anyone and should not be something easy to guess, such as the name of your family pet.
- Identify deficiencies – What are potential threats to your data? Have you identified deficiencies that pose a risk to your information? Simply taking a look around, such as during a HIPAA Walkthrough, or performing a SRA on an annual basis, are simple steps to identify deficiencies that may need to be remedies to prevent impermissible use or loss of your information. The next step requires having a plan in place to address the identified deficiencies.
- Make improvements – Some improvements should be made immediately and others can be made over time. As long as deficiencies are addressed, your action plan is a powerful tool for proactively preventing cyber criminals from attacking your organization. For example, during your SRA you noticed your backups are stored in an unlocked room on unencrypted tapes. You determine this is a risk to patient information. You might determine an immediate step to take is requiring the door where steps are stored to be locked. A step you could take over time is to require your backups to be encrypted.
- Be on the lookout – See something suspicious? Don’t click on it. Receive something that doesn’t look quite right? Don’t open it. Be on the lookout for potential threats to your information. It is much easier to prevent an incident from happening than it is to cure the damage once it has occurred.
We can help
Whether you need help battening down the hatches, maintaining an inventory of your devices, or help with any other steps you can take for preventing Cyber Attacks, we have tools and resources to help your organization aggressively prevent Cyber Attacks.