Every day, it seems, cyber criminals figure out new ways to attack hospitals and compromise patient data and safety. As the number and intensity of cyber attacks on healthcare organizations increase, the task of establishing an effective cybersecurity program can seem overwhelming.
The good news is that no matter where an organization is in developing a comprehensive cyber risk management program, there are steps one can take to strengthen that program. The steps and strategies outlined below range from simple, low-cost fixes to long-term, strategic improvements. What they have in common is that each step will move an organization further along the continuum from deploying a merely tactical approach to cybersecurity to developing an effective, enterprise-wide, cyber risk management program.
STEPS TO TAKE NOW
Apply Software Patches – This step falls in the category of “so obvious it shouldn’t need to be mentioned.” But sometimes the easiest security strategies are also the most overlooked. The 2017 Equifax breach that exposed the data of more than 145 million people was widely reported to be the result of a web-application vulnerability. But the application vendor stated a patch for the vulnerability had been available for at least two months prior to the Equifax attack. The moral of the story? Apply software and application updates and patches as soon as they become available. Cyber criminals count on the fact that many organizations don’t consistently apply updates and patches, and that makes it easy for them to exploit known vulnerabilities. (Cost: free)
Train Your Workforce – It only takes the mistake of a single employee or volunteer to expose an entire hospital system to a cyberattack. One click on a phishing email, or one employee using “123456” for a password, can leave an entire network exposed. That is why workforce training is so important. Every person who accesses the hospital network — from the volunteer who works in patient reception to the Chief Executive Officer — must be trained in cybersecurity best practices at the user level. User training can be delivered in a variety of forms, anything from mandatory face-to-face sessions with trained staff, to self-paced webinars, to vendor-provided offerings. Many organizations have had success with mock phishing programs, where the organization itself sends out “phishing” emails, and then requires further training for any employee who takes the bait. The point is not to be punitive, but to ensure those employees most at risk for clicking on fraudulent emails receive the training they need to avoid future mistakes. (Cost: varies, from free to $$$)
Educate Your Board – Today’s cyber attacks aren’t like yesterday’s technical inconveniences. The strength and sophistication of today’s attacks threaten the entire enterprise. Data breaches can lead to fines, penalties, legal costs, class settlements and reputational damage running to tens of millions of dollars. In addition, a hospital shut-down due to a ransomware attack, or hackers accessing internet-connected medical devices, can threaten patient safety. Board members need to understand the scope, likelihood and potential impacts of cybersecurity attacks in order to make informed decisions about budgeting resources to mitigate cyberrisk. (Cost: free)
STEPS TO TAKE IN THE NEAR FUTURE
Adopt a Framework (NIST) – Trying to establish an cyber risk management program without first adopting a framework is like trying to build a house without a blueprint. Adopting a cybersecurity framework enables an organization to build a cohesive, enterprise-wide information risk management program rather than taking a piecemeal approach. The right framework helps an organization talk about, assess, define, benchmark and improve their information risk management program. The cybersecurity framework developed by the National Institute of Standards and Technology (NIST CSF) has become a de facto standard within the healthcare industry and beyond. The NIST CSF takes best practices in information risk management and articulates them as actionable processes. Even better, the entire framework and supporting resources are free and available on the NIST website. For detailed information on why the NIST CSF is the best choice for healthcare organizations, please download the white paper, “Choosing an Information Risk Management Framework: The Case for the NIST Cybersecurity Framework (CSF) in Healthcare Organizations.”
Perform a Risk Analysis – An organization’s cyber risk is directly related to that organization’s unique information assets. Information assets include everything from electronic health record applications, to patient monitoring devices, to networking hardware, software, security and services. Until an organization conducts a thorough inventory of each asset, and analyzes the threats and vulnerabilities associated with each asset, they won’t have a good sense of what their risks are. Some organizations take on this task in-house. Others choose third-party assistance, because the investment of IT resources in terms of time and effort can be daunting. Guidance for conducting a risk analysis can be found on both the NIST website and on the U.S. Department of Health and Human Services (HHS) website. (Cost: varies)
Establish Risk Priorities – Once an organization has completed a comprehensive risk analysis, the next step is to identify which risks demand immediate mitigation versus which risks can be tolerated for the time being. Because risks are infinite and resources are not, it is not possible to implement an information risk management program that mitigates every risk. However, it is possible to identify which risks are most important to address, based on their likelihood and impact. This prioritization enables organizations to deploy cybersecurity resources in the areas in which they will have the greatest effect. (Cost: varies. Establishing risk priorities is essentially an internal task, but the success of the task will depend upon the adequacy of the risk analysis performed).
The steps listed above are only starting points for an enterprise-wide cyber risk management program. A comprehensive program will include many other elements, including establishing processes, policies and procedures that address the five key components of a comprehensive program: governance, people, process, technology and engagement. It is also important to remember that establishing an effective cyber risk management program is not a “once-and-done” activity. As both the internal environment (the organization’s assets, people, technologies, etc.) and the external environment (nature, type and frequency of cyber threats) change, the organization’s cyber risk management program will need to evolve as well.
There is no doubt that establishing and maintaining an effective cyber risk management program is a formidable task. But it is not an impossible one. Start with the steps listed above. Use the resources that are freely available from NIST and HHS. Reach out to peers and associates within the industry: ask what are they doing to mitigate cyber risks within their organizations and what resources have they used that have been most helpful. Whether an organization chooses to go it alone or to work with a partner, there are solid steps you can take now to begin to fight back against cyber attacks.
Is it time for your annual cybersecurity checkup?
OCR recommends healthcare organizations perform security risk assessments annually to help ensure the confidentiality, integrity and availability of the ePHI the organization creates, receives and transmits. During the month of October, Clearwater invites you to find out where you stand and receive a clear plan of action by implementing a “cyber risk checkup” through Clearwater’s 10-Point Tactical HIPAA Compliance & Cyber Risk Management Assessment™.