2016 was one of the biggest years for hacking attacks against the healthcare industry.
The healthcare industry was slammed with attacks and breaches, making 2016 one of the worst years in history for cyber-security. Research into each breach revealed that the majority of issues centered around ransomware, human error, and IoT flaws.
While the industry is slowly learning more about breaches and how to protect itself, the road ahead is long and ever-changing. Hospitals must remain up to date with technology.
Healthcare IT News interviewed four cyber security experts on the best practices institutions must implement. ESET Security Researcher Lysa Myers; CynergisTek co-founder and CEO Mac McMillan; ICIT Senior Fellow James Scott; and Pam Hepp, shareholder, healthcare practice at Buchanan, Ingersoll & Rooney all gave their input to create the "top ten cyber-security must haves" for 2017.
Here's what they said organizations need to be doing this year to reduce their vulnerabilities:
1. Risk assessments. "Most organizations have limited funding," Myers said. "Risk assessments help identify what really needs to be protected, and how to get the best bang for the buck for your security budget." Further, clear documentation can help security teams plead the case for funding. Hepp added organizations should make recommendations based on assessments to address vulnerabilities.
2. Disaster recovery and contingency plans. An effective plan addresses not only access to medical and billing records, but also contingencies for email, departments reliant upon the network and departments with high-tech equipment, like lab, pharmacy or imaging services, Hepp said. McMillan explained practicing the plan is crucial: "Involve staff, not just IT or managers in exercises, consider worst case scenarios for loss of power, communications, network and others to ensure staff can actually do their job without the system."
3. Dedicated Sec-Op teams. "Depending on 'Bob the IT guy' who is not a security expert to defend a network is not effective," Scott said. Organizations need a dedicated Sec-Op team to handle security, hunt threats, educate staff on latest threats and perform pen tests.
4. Business associate/vendor scrutiny. Organizations must thoroughly vet business associates by reviewing vendors' risk assessments and requiring indemnification provisions and cybersecurity insurance in business associate agreements. For Scott, organizations should pick vendors with a demonstrated track record with 'security by design' – a security method that uses continuous testing, authentication safeguards and adherence.
5. Better employee training. "Most companies train once, if at all, and may never revisit the information," Myers said. "By comparison, most places have fire drills regularly and frequently, so that employees will know without thinking what they need to do in an emergency." Education also needs to be simplified, to make it easier to understand and commit to memory. According to Hepp, organizations should conduct mock phishing attempts to raise staff awareness. For McMillan, organizations must go deeper: "Computer-based training may be easy, but it is hardly effective," he said. "Use multiple platforms, but ensure that some methods used involve experiential learning such as tabletops, exercises and tests, among others."
6. Layered defense. "Many organizations are under the delusion they can detect and respond, and they're not layering their defenses," Scott said. "The CISO should be looking at targeted areas where he or she can add to various layers of cyber defense. But there's still not enough movement in this area."
7. Improved tech hygiene. System upgrades and patches must be up to date and routinely checked to minimize system vulnerabilities and hacking attempts. Hepp explained systems must also be routinely monitored for inappropriate activity. And, as always, back up systems to prepare for ransomware attacks or other system outages. Scott extended this further to "securing equipment within that IoT microcosm, which will thwart a lot of those exploits that are so readily available."
8. Cybersecurity partnerships. Partnering with the right organizations can assure the success of your cybersecurity strategy: for resources, expertise, experience and capabilities, McMillan said. "Areas like risk analysis, testing, incident response, activity monitoring, security analysis are all good candidates for achieving greater efficacy." Additionally, organizations need to "embrace sharing of cybersecurity information. For example, initiate a local or regional ISAO Standards Organization with other healthcare entities in your region."
9. Better software. While there is "a whole litany of technologies" healthcare organizations should consider, McMillan said his short list would include: next-generation firewalls, advanced malware detection, email and web gateways, multi-factor authentication, encryption, vaulting solutions and outsourcing security information and event management – among others.
10. Forensic consultants. Before an organization faces a crisis, Hepp said organizations should engage a forensic consultant to provide insights on weaknesses, liabilities and security reports.
Source: Healthcare IT News