A recent study conducted by Wombat Security found that the healthcare industry is one of the most ill-prepared when it comes to cybersecurity.
Hospitals are particularly vulnerable. According to the Journal of Medical Internet Research, data security breaches have the potential to cost a single hospital as much as $7 million, including fines, litigation and damaged reputation. Yet, despite these considerable risks and regulatory pressures from HIPAA to secure patient data, only 37% of hospitals currently conduct annual incident response exercises and other periodic security checks.
Technically speaking, hospitals and clinics are very complex organizations, to be sure, so securing all devices and systems is no easy task. Still, there are some cybersecurity precautions every healthcare facility can take to reduce the likelihood of an attack. Here are 10 of the most basic:
- Conduct periodic risk assessments, evaluating all of the ways the organization is susceptible to attack:
  - Active attempts by hackers to infiltrate the network
  - Distributed Denial-of-Service (DDoS) attacks
  - Viruses, malware and ransomware introduced through Internet use and infected devices connected to the network
  - Deliberate theft or corruption of data or equipment by employees
  - Data loss through hardware failures or software bugs

  A plan of action should be in place for how to deal with each of these risks.
- Designate a specialist.
Assign one individual to be the go-to expert on all things cybersecurity-related. This person will need to study the government’s compliance requirements to ensure that all guidelines are being met and see to it that all operating systems and software remain up-to-date and all medical equipment firmware is patched.
- Get the fundamentals right.
  - Make sure all passwords are strong (a minimum of 8–10 characters with a mixture of upper and lower case letters, numbers and symbols) and are changed regularly.
  - Use security logs to monitor suspicious login attempts.
  - Remove unnecessary accounts, including those of ex-employees.
  - Restrict access to dubious websites, social media and chat clients on those computers and devices used for patient care and hospital business.
  - Eliminate outdated software.
- Encrypt all data.
No patient information should ever be stored unencrypted. In addition, make sure all old documents are destroyed and discarded properly.
- Install the latest firewall software.
Also, make sure all servers are physically secure—either housed in locked rooms or under the surveillance of security cameras.
- Install mobile device management software (MDM) on all mobile devices, including those taken offsite.
- Document all security and privacy procedures—to remain compliant.
- Conduct ongoing evaluation and auditing.
Continually assess what’s working well and what needs to be improved.
- Maintain ongoing cybersecurity and training for all hospital employees.
- Finally, have a contingency and disaster recovery plan in place, specifying:
  - What data needs to be backed up
  - How and where to maintain a data archive (offsite or onsite)
  - How to restore backups quickly after a disaster
Following these 10 basic guidelines can go a long way toward ensuring your hospital customers are cybersecurity-ready. Having the right security systems in place is important, too. As their IT security expert, you can advise them on the right firewall and advanced security technology to implement.
With the threat landscape growing and changing all the time, protection is a top priority, especially with patients' security and well-being on the line.
To learn more about other cybersecurity precautions for healthcare organizations, contact Ingram Micro’s David McClary.