The healthcare industry was riddled with cybersecurity issues in 2016 as ransomware, human error, IoT flaws and hacking attempts were some of the biggest problem areas.
The good news is that it appears the industry is taking notice and attempting to secure its vulnerabilities. The bad news? There is still a long way to go to protect valuable patient data and keep it out of cybercriminals' hands.
We spoke with four security experts: ESET Security Researcher Lysa Myers; CynergisTek co-founder and CEO Mac McMillan; ICIT Senior Fellow James Scott; and Pam Hepp, shareholder, healthcare practice at Buchanan, Ingersoll & Rooney.
Here's what they said organizations need to be doing this year to reduce their vulnerabilities:
1. Risk assessments. "Most organizations have limited funding," Myers said. "Risk assessments help identify what really needs to be protected, and how to get the best bang for the buck for your security budget." Further, clear documentation can help security teams plead the case for funding. Hepp added organizations should make recommendations based on assessments to address vulnerabilities.
2. Disaster recovery and contingency plans. An effective plan addresses not only access to medical and billing records, but contingencies for email, departments reliant upon the network and departments with high-tech equipment like, lab, pharmacy or imaging services, Hepp said. McMillan explained practicing the plan is crucial: "Involve staff, not just IT or managers in exercises, consider worst case scenarios for loss of power, communications, network and others to ensure staff can actually do their job without the system."
3. Dedicated Sec-Op teams."Depending on 'Bob the IT guy' who is not a security expert to defend a network is not effective," Scott said. Organizations need a dedicated Sec-Op team to handle security, hunt threats, educate staff on latest threats and perform pen tests.
4. Business associate/vendor scrutiny. Organizations must thoroughly vet business associates by reviewing vendors' risk assessments and requiring indemnification provisions and cybersecurity insurance in business associate agreements. For Scott, organizations should pick vendors with a demonstrated track record with 'security by design' – a security method that uses continuous testing, authentication safeguards and adherence.
5. Better employee training."Most companies train once, if at all, and may never revisit the information," Myers said. "By comparison, most places have fire drills regularly and frequently, so that employees will know without thinking what they need to do in an emergency." Education also needs to be simplified, to make it easier to understand and commit to memory. According to Hepp, organizations should conduct mock phishing attempts to raise staff awareness. For McMillan, organizations must go deeper: "Computer-based training may be easy, but it is hardly effective," he said. "Use multiple platforms, but ensure that some methods used involve experiential learning such as tabletops, exercises and tests, among others."
6. Layered defense. "Many organizations are under the delusion they can detect and respond, and they're not layering their defenses," Scott said. "The CISO should be looking at targeted areas where he or she can add to various layers of cyber defense. But there's still not enough movement in this area."
7. Improved tech hygiene. System upgrades and patches must be up-to-date and routinely checked minimize system vulnerabilities and hacking attempts. Hepp explained systems must also be routinely monitored for inappropriate activity. And, as always, back-up systems to prepare for ransomware attacks or other system outages. Scott extended this further to "securing equipment within that IoT microcosm, which will thwart a lot of those exploits that are so readily available."
8. Cybersecurity partnerships. Partnering with the right organizations can assure the success of your cybersecurity strategy: for resources, expertise, experience and capabilities, McMillan said. "Areas like risk analysis, testing, incident response, activity monitoring, security analysis are all good candidates for achieving greater efficacy." Additionally, organizations need to "embrace sharing of cybersecurity information. For example, initiate a local or regional ISAO Standards Organization with other healthcare entities in your region."
9. Better software. While there is "a whole litany of technologies" healthcare organizations should consider, McMillan said his short list would include: next-generation firewalls, advanced malware detection, email and web gateways, multi-factor authentication, encryption, vaulting solutions and outsourcing security information and event management – among others.
10. Forensic consultants. Before an organization faces a crisis, Hepp said organizations should engage a forensic consultant to provide insights on weaknesses, liabilities and security reports.
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com