It’s week three of the Cybersecurity and Infrastructure Agency’s (CISA) Cybersecurity Awareness Month. Last week we looked at securing devices at home and work. This week let’s dig into an industry with some of the most sensitive data around—healthcare. In this piece, we’ll delve into some key tips for securing the internet-connected devices hospitals, clinics, and other healthcare organizations depend on.
Healthcare’s Cybersecurity Problem
Since healthcare facilities have electronically protected health information (ePHI) for every patient in their care, it’s easy to see why they’d be a target for cyberattacks. What cyber villain wouldn’t want to get his or her hands on such large troves of sensitive data? While government regulations like the Health Insurance Portability and Accountability Act (HIPAA) require healthcare providers to beef up security—and threatens fines for those who don’t—there’s still a lot of room for improvement. In fact, a report by Protenus revealed that 41 million patient records were breached in 2019. This year, even big healthcare industry names like Universal Health Services have been brought to their knees by sophisticated ransomware attacks.
So, what can healthcare providers do to fight back?
Consider Banning BYOD in Your Clinic
As we explored in our previous post, the boundaries between work and home are blurring. In order to prevent sensitive patient information from ending up on healthcare workers’ personal devices—where it is more susceptible to theft or a breach—provide them with dedicated devices. This might include laptops, smartphones, tablets, or even secure USB devices. On top of that, be sure employees understand and follow bring-your-own-device policies, particularly as they relate to ePHI.
Use VPNs Vigilantly
A VPN is a no-brainer for healthcare organizations. And, while you want users to have access to the data they need to do their jobs, you may want to block anything that could allow malicious code to enter your network. That’s why many admins use their VPN to whitelist certain devices, applications, and software behaviors while treating everything else as a potential threat. Though users may prefer to have broader access to applications, security demands should take precedent.
Create a Backup and Disaster Recovery Plan
Admins familiar with HIPAA know that data backups are a requirement. These backups must be secure and encrypted, even in transit. But healthcare providers need to do more. In an industry where timely access to information can mean the difference between life and death, there can be zero tolerance for downtime. That’s why providers must develop fast, highly sophisticated recovery plans so if downtime strikes due to Mother Nature, hardware failure, ransomware, or any other cause, they can recover fast, giving caregivers access to the info they need to treat the people who count on them.
Key Fobs and Other Physical Security
According to Protenus, there has been a 20% decrease in insider-related healthcare data breach incidents. While this is encouraging, healthcare providers must still be careful to physically protect sensitive data. Basic security measures like cameras, access cards, and even passwords that prevent endpoint access are all critical. These measures can prevent the wrong people—inside or outside of your organization—from accessing private data. Though many clinics and hospitals have these measures in place, it’s still wise to audit your physical security capabilities.
Hire an IT Consultant
Cybersecurity requires a specialized set of skills and tools. Not all IT admins have the knowledge it takes to develop a comprehensive cybersecurity plan, let alone execute it. That’s why many healthcare providers look to IT managed service providers (MSPs) for help. MSPs often specialize in industries like healthcare, bringing expertise with both HIPAA and cybersecurity. If you’re not sure where your security gaps are—or how to fill them—consider bringing in outside talent to boost your security profile.
In our next post for Cybersecurity Awareness Month, we’ll focus on the future of connected devices.