Cybersecurity is a major concern in every industry, but it is even more critical in industries that store customers' sensitive data. The healthcare industry faces additional scrutiny in the form of regulatory requirements such as the Health Insurance Portability and Accountability Act (HIPAA). If you also retain payment details or process payments, you add another layer of obligations (the PCI DSS for card data) along with the fines and penalties that follow a violation. Patient data and other protected health information (PHI) sell for roughly 10 times the price of a stolen credit card number on the dark web for a reason: a health record bundles identity, insurance, and financial details that cannot be cancelled the way a card can, and cyber criminals focus on this industry for that profit.
Couple that with the civil lawsuits you can almost guarantee to face from affected patients after a breach that involved regulatory violations, and you can see why it is so important to harden your cybersecurity posture. With the continual addition of internet-connected medical devices in treatment facilities, increased use of third-party vendors for a wide range of services, and the corresponding increase in liability, it is a wonder that healthcare risk managers and cyber security personnel can sleep at all. Keep reading for some practical tips to help improve cyber security in the healthcare industry.
Healthcare Cyber Security Improvements
Perform Regular Risk Assessments
Regular risk assessments are a key component of a robust risk and vendor management program, and HIPAA's Security Rule requires covered entities and business associates to perform them. When combined with some of our time management tips for vendor risk managers, regularly scheduled risk assessments keep you abreast of a threat landscape that changes far faster than any periodic audit cycle, in a field whose technology has advanced more in a few decades than anyone expected. Each assessment should produce a current inventory of systems, devices, and vendors that touch PHI, the threats to each, and the controls in place. Finding these unexpected vulnerabilities before attackers, or a compromised vendor, exploit them is a must.
Install Updates and Patches on All Devices and Systems
We always recommend that updates and patches be installed promptly on all devices and systems. This is doubly important for medical device operating systems and other devices connected to secured internal networks. We have said it before, but failing to secure devices that connect to your network renders useless all the work you have done to secure that network in the first place. One caveat a practitioner will recognize: many medical devices run vendor-controlled software that cannot be patched on your schedule, or cannot be patched at all, so those devices need compensating controls such as placing them on their own network segment, restricting what can talk to them, and tracking them in your inventory with their known unpatched weaknesses. Mobile devices require increased scrutiny in healthcare because they can reach electronic health records and other sensitive files from anywhere; at a minimum they should be enrolled in device management, encrypted, and capable of being wiped remotely.
Train Your Staff
With a workforce composed of medical specialists, it is important to impress upon them the cyber security concerns your enterprise faces and to demonstrate how much their day-to-day actions affect your security posture. Without concrete examples and realistic, engaging training, you cannot take for granted that these highly trained and educated individuals will inherently understand the security risks involved. Past examples of data breaches, successful attacks, and even mock phishing campaigns should all be used to drive home the importance of following security rules and making cybersecurity a part of everyone's role. A culture of security is easier to embrace when everyone understands the need.
Practice Good Password Hygiene
Authentication should be required to access every desktop, terminal, mobile device, connected medical device, and the healthcare information system itself. Anything that houses protected health information or electronic health records must be secured. Enforcing strong password rules, and adding multifactor authentication or biometric verification on top of the password, ensures that a leaked or guessed password alone is not enough to get in.
You can encourage the use of a password manager application or buy a password management service for your staff if finances permit. While that is an added expense and another service to manage, it leaves your employees little reason not to adopt a much more secure way of storing credentials. Some services also offer password generation, encrypted notes, and shared vaults for personnel who need access to certain systems. Treat shared logins with caution, though: HIPAA's Security Rule requires unique user identification, and a single account used by many people leaves you with no audit trail showing who actually viewed or changed a record. Where a system genuinely cannot support individual accounts, document the exception and log access to the shared credential.
Use a Configured Firewall
Unlike a stock setup, a properly configured firewall can help secure your healthcare systems by ensuring that inbound and outbound traffic comes from and goes to expected and trusted locations, and nowhere else. A firewall controls where traffic may flow; it does not verify who is on the other end. With remote and telehealth personnel potentially logging in from a wide range of locations, you must pair it with a VPN or similar access gateway that requires multifactor authentication so that those connecting to your systems are who they purport to be. Whether you settle on a software or hardware firewall, you should use an expert to configure the product with the best settings to secure your network while still allowing your business to function without unnecessary difficulty.
Layer Cyber Security Defenses
Think of the physical intrusion security measures that healthcare organizations take at a place like a hospital or a research facility. Guards, locked doors, cameras, and alarms are all regularly put in place to secure protected areas of the buildings. This is the same way you should structure your cyber security measures: no single control stops everything, so each layer exists to catch what the previous one missed. Layering multiple active and passive defenses such as firewalls, antivirus and endpoint detection, network segmentation, application allow lists for certain medical devices, and backups of critical data provides the best protection for your sensitive data.
Store Backups of Critical Information Securely
We mentioned it above, but regularly backing up your critical data is extremely important. This is even more true in an industry that is a proven target for ransomware attacks. We recommend that your critical systems be backed up at least daily. Your executives will be less tempted to pay a ransom if they are looking at the loss of several hours of data rather than weeks or months. The best place to store these backups is offline, or on storage that cannot be modified or deleted once written. While that presents its own challenges, it is the most secure place to keep these essential files, which should survive even a complete compromise of your online healthcare systems. Two checks matter as much as the backup itself: keep a record of what each backup should contain so that a tampered or silently corrupted copy is detected, and actually restore from backup on a schedule, because a backup that has never been restored is an untested assumption.
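The following is an added example, not code from the article or from Venture Lynk: a small Python script that backs up a directory into a tar archive, records a SHA-256 manifest of every file, and then proves the backup by restoring it into a scratch directory and comparing the result to the manifest. The data directory, the backup location (which stands in for your offline or write-once storage) and the sample records are all constructed for the demonstration; in practice the manifest would be stored separately from the archive so an attacker who reaches the backup cannot quietly adjust both.

```python
"""Daily backup with an integrity manifest and a restore test (added example).

Assumptions not taken from the article: data lives in a directory tree, the
backup target is a filesystem path that stands in for offline/WORM storage,
and integrity is checked with SHA-256 manifests. All paths are hypothetical.
"""
from __future__ import annotations

import hashlib
import json
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large records do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each regular file (relative to root) to its SHA-256 digest."""
    return {str(p.relative_to(root)): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, backup_dir: Path, label: str) -> tuple[Path, Path]:
    """Write <label>.tar plus <label>.manifest.json; return both paths."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    archive = backup_dir / f"{label}.tar"
    manifest_path = backup_dir / f"{label}.manifest.json"
    manifest = build_manifest(source)           # digests taken before archiving
    with tarfile.open(archive, "w") as tar:
        tar.add(source, arcname=".")
    manifest_path.write_text(json.dumps(manifest, sort_keys=True, indent=1))
    return archive, manifest_path


def verify_restore(archive: Path, manifest_path: Path, workdir: Path) -> tuple[bool, list[str]]:
    """Restore the archive into a scratch directory and diff it against the manifest."""
    expected = json.loads(manifest_path.read_text())
    restore_dir = workdir / "restore"
    restore_dir.mkdir(parents=True, exist_ok=True)
    # Use the 'data' extraction filter (path-traversal protection) where this
    # Python version provides it; older versions fall back to plain extraction.
    kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tarfile.open(archive, "r") as tar:
        tar.extractall(restore_dir, **kwargs)
    actual = build_manifest(restore_dir)
    problems = []
    for rel, digest in expected.items():
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif actual[rel] != digest:
            problems.append(f"modified: {rel}")
    problems.extend(f"unexpected: {rel}" for rel in actual if rel not in expected)
    return (not problems, problems)


def run_demo() -> dict:
    """Constructed scenario: back up sample records, then show that the restore
    test passes for an intact archive (even after the live data is destroyed)
    and fails for an archive that has been tampered with."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "ehr"                    # hypothetical data directory
        (source / "patients").mkdir(parents=True)
        # Constructed sample data, not real records.
        (source / "patients" / "p0001.json").write_text('{"id": "p0001", "dx": "example"}')
        (source / "patients" / "p0002.json").write_text('{"id": "p0002", "dx": "example"}')
        (source / "schedule.csv").write_text("date,room\n2024-01-01,3\n")

        archive, manifest = create_backup(source, tmp / "backup", "ehr-daily")
        ok_intact, _ = verify_restore(archive, manifest, tmp / "w1")

        # Simulate ransomware on the live data: the backup is unaffected because
        # it lives on separate storage, so the restore test still passes.
        for p in source.rglob("*.json"):
            p.write_bytes(os.urandom(64))
        ok_after_attack, _ = verify_restore(archive, manifest, tmp / "w2")

        # Simulate tampering with the backup itself (same-length edit inside the
        # archived record): the manifest comparison must catch it.
        data = archive.read_bytes().replace(b'"p0001"', b'"p0009"', 1)
        archive.write_bytes(data)
        ok_tampered, problems = verify_restore(archive, manifest, tmp / "w3")

        return {
            "intact_restore_ok": ok_intact,
            "restore_ok_after_live_data_attack": ok_after_attack,
            "tampered_backup_ok": ok_tampered,
            "tampered_backup_problems": problems,
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=1))
```

The manifest is the piece that turns a backup into evidence: without it, a restore that "succeeds" tells you only that the archive unpacked, not that the records inside are the ones you wrote yesterday. Keep the manifest (or at least its digest) somewhere the backup job cannot overwrite, and run the restore check on the same daily cadence as the backup.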
Implement Response and Recovery Plans
One of the absolute best ways to improve your cyber security posture is to treat a data breach as a matter of "when" and not "if." That simple shift in mindset changes how you approach the topic: ensuring that incident response and recovery plans are written, assigned to named people, and rehearsed before any breach occurs is a central tenet of true preparedness. Recovery from a data breach in the healthcare industry has been estimated to cost $408 per patient record compromised, compared with $148 per record for the average across all industries. That substantial cost alone warrants prior planning so that containment, notification, and recovery procedures can be executed as quickly as possible to limit exposure.
While these steps can help you improve cyber security in a healthcare enterprise, they are not a substitute for a robust risk management process. We specialize in third-party vendor risk management solutions at Venture Lynk Risk Management. Our team of vendor risk management specialists and cyber security experts can provide subject matter expertise across a range of tasks. Contact us today to discuss our services for your unique situation.