[BreachExchange] 5 Best Practices for Maximizing Health IT Security

Audrey McNeil audrey at riskbasedsecurity.com
Tue Aug 29 19:11:52 EDT 2017


https://informationweek.com/strategic-cio/security-and-risk-strategy/5-best-practices-for-maximizing-health-it-security/a/d-id/1328791

Nearly every industry is susceptible to the dangers of cybercrime; however,
hospitals and healthcare organizations face the most risk when it comes to
malicious hackers. With complex infrastructure and a variety of devices in
use, healthcare organizations provide an abundance of entry and pivot
points for cybercriminals to exploit.

Additionally, according to the Ponemon Institute, patient-generated health
data is selling for more money than any other kind of information on the
black market, at $363 per record on average.

Of all the attacks on hospitals and health organizations over the past few
years, ransomware has emerged as the most feared hacking technique. In some
cases, ransomware allows hackers to block access to data until a sum of
money is paid, and according to recent research, 88% of all ransomware
attacks hit hospitals. Last March, 3 U.S. hospitals were hit with
ransomware attacks in just one week, and one Los Angeles-based hospital was
forced to pay hackers $17,000 just to regain access to its electronic
health records.

To combat the ubiquity of cybercrime and ransomware attacks in particular,
hospitals and healthcare organizations need to keep up with the evolving
threat landscape and recognize the most common areas of cybersecurity risk.
Below are five tactical tips healthcare organizations should implement to
maximize their security efforts and achieve compliance:

1. Establish a security plan. With the healthcare IT landscape changing so
rapidly, it’s essential that healthcare organizations continually plan for
the future. To best leverage your available resources and improve upon your
existing security measures, establish a formal security management plan
that outlines key factors like where your sensitive data is being stored,
how you’ll secure your assets, and what combination of processes, controls,
tools, people, and procedures will be used to stay secure. Make sure to
update this plan annually, and include information that will cover your
cybersecurity needs for the next three years.

2. Prioritize offline storage. In an attempt to manage the growing costs
associated with healthcare data requirements, many healthcare organizations
have tried to reduce their offline storage by using large file shares on a
RAID array. However, this practice can introduce serious risks to data in
the event of a cybersecurity incident. In an industry where lives are
literally at stake, healthcare organizations can’t afford not to have an
offline copy of everything that’s of value. Leverage the cloud to
replicate and store your data, and make sure that your replica is kept
offline and inaccessible to hackers at all times.

3. Secure biomedical devices. Biomedical devices such as MRIs are often
overlooked when it comes to cybersecurity; however, these devices are
usually connected to the Internet, making them easy targets for hackers if
they’re left unprotected. Talk to your biomedical device vendors to ensure
their products meet HIPAA compliance, and insist that they make any
necessary changes if any insecurities remain. Most providers don’t realize
it, but vendors are required by law to help you maintain a secure
environment, even if their products are already FDA-approved.

4. Educate your users. There’s a lot healthcare organizations can do with
technology to improve their cybersecurity; however, even the best software
and tools can’t prevent inadvertent user errors from causing serious
breaches. Make sure every user in your system is aware of the risks they
can introduce, and outline basic security protocols for laptops and mobile
devices to keep security gaps at bay. For instance, make sure employees are
using strong passwords and don’t use the same password across multiple
accounts. Enforce shadow IT policies so employees aren’t accessing
healthcare systems or data via undocumented or unapproved devices.
Additionally, educate your employees on how to respond when they think a
cybersecurity incident has occurred.

5. Train your patients. Many consumers are starting to ask for control over
their own health data, rather than relying on healthcare providers to
safeguard it. The motives behind this consumer trend are certainly
understandable; however, a healthcare organization’s cybersecurity is only
as strong as its weakest link, and all it takes is one consumer -- even a
well-intentioned one -- to cause that chain to break. In addition to
educating your employees, take the time to train your patients on
cybersecurity best practices and make sure they understand their critical
role in the security of their personal health data.

When it comes to cybersecurity, hospitals and healthcare organizations
don’t have it easy. Most are working with massive amounts of unstructured
patient health data that’s difficult to manage and therefore easy for
hackers to access, and many are too resource-strapped to keep up with
proactive cybersecurity efforts. However, with patient lives at stake,
healthcare organizations need 100% security at all times; a “B” grade won’t
suffice. Leverage basic cybersecurity best practices to keep your
organization, your data, and your patients safe, and consider implementing
cloud-based technologies to help share the burden of maintaining constant
security and data accessibility.