Cybersecurity and the Healthcare Industry, Part 3: Treatment
The seemingly infinite number of cybersecurity risks threatening healthcare organizations has begun to feel like a real-world virus, rapidly evolving and spreading throughout the industry with no end in sight. Thankfully, a treatment is available that can reduce the impact of incessant cyberattacks. Similar to the approach used to combat the most formidable medical maladies, treatment to enhance cybersecurity requires many diverse remedies that together move an organization closer to a cure.
While prescribing specific treatments depends on an organization's unique environment, the following five steps, which form the acronym "CARES" (compliance, awareness, resilience, encryption, and security controls), are universal and will help keep your organization's cyber defenses off life support.
Compliance. Whether it is the HIPAA Privacy and Security Rules, PCI DSS requirements (if you accept payment cards), or the ever-growing number of state data security and privacy regulations, compliance is critically important. It is imperative that a named person is assigned to keep abreast of, and address, the laws and regulations that apply to the organization; for HIPAA covered entities, that includes the Security Rule's required risk analysis (45 CFR § 164.308(a)(1)(ii)(A)), which auditors ask for first. Depending on the size and data collection processes of the organization, this person can range from someone who dedicates a few hours per month to the function to a full-time internal or outsourced specialist. Although this resource costs time and money, the alternative to meeting compliance requirements can be significantly more expensive, including fines, penalties, downtime, and severe reputational damage.
Awareness. One of the most effective and inexpensive methods of combating threats is staff who have been trained to detect and avoid cyberattacks. Considering that email inboxes have become a veritable minefield of spear phishing attempts and malware-infected attachments, vigilant employees can drastically reduce the efficacy of this attack vector. Establishing security policies and providing regular security awareness training, simulated phishing tests, and periodic refresher emails can transform users from a high-risk area of concern into a virtual human firewall. Training lowers the click rate but never takes it to zero, so it should be paired with technical controls such as multifactor authentication and attachment filtering rather than relied on alone.
Resilience. Considering the sheer number of cyberattacks occurring throughout the healthcare industry, an organization should adopt a mindset of "when a breach occurs" rather than "if a breach occurs." By proactively preparing for the worst case, the fallout from an attack can be minimized and response and recovery times significantly shortened. Key steps that fortify resilience include establishing reliable backup procedures and developing plans for business continuity, disaster recovery, and incident response. Because ransomware operators routinely target backups, at least one copy should be kept offline or otherwise unreachable from the production network. For both backups and plans, periodic testing is crucial: a backup job that reports success proves nothing until a restore has actually been performed and the restored data verified against the organization's recovery time and recovery point objectives.
Encryption. Whether it is sensitive data at rest on servers and mobile devices, or protected health information sent via email, encryption is key and may be one of the closest things an organization has to a silver bullet. Many regulations do not treat lost encrypted data as a data breach, provided the encryption key was not compromised along with the data. For example, under the HIPAA Breach Notification Rule (45 CFR § 164.404(a)), only "unsecured protected health information" (defined in § 164.402) triggers notification. Note that full-disk encryption protects a device only while it is powered off or locked at the pre-boot stage; a stolen laptop that is already logged in offers no such protection, and the recovery key must be stored somewhere other than the device itself. While the expense of purchasing an encryption solution may appear cost prohibitive, many operating systems, including Windows 10 Pro, already ship with an integrated solution such as BitLocker.
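The following is an added example and is not code from the original article or the firm's own tooling. It shows the BitLocker enablement sequence a practitioner would want on a Windows 10 Pro workstation: confirm the TPM is usable, inspect the current state, escrow a recovery password before the TPM protector is applied (so the drive is never locked with no way back in), and back the recovery password up to Active Directory. The drive letter C:, the presence of a TPM, and Active Directory as the escrow target are assumptions.

```powershell
# Added example (not from the original article). Assumes Windows 10 Pro or later with the
# BitLocker and TrustedPlatformModule PowerShell modules, a TPM, and an elevated session.
# The mount point and AD escrow target are assumptions for illustration.
#Requires -RunAsAdministrator

$MountPoint = "C:"

# 1. A TPM-bound protector needs a present, initialised TPM.
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw "TPM not present or not ready; initialise it (Initialize-Tpm / firmware) before enabling BitLocker."
}

# 2. Inspect the current state. VolumeStatus is FullyDecrypted, EncryptionInProgress or
#    FullyEncrypted; ProtectionStatus stays Off while the volume is unprotected or suspended.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
"{0} {1}, protection {2}, {3}% encrypted" -f $vol.MountPoint, $vol.VolumeStatus, $vol.ProtectionStatus, $vol.EncryptionPercentage

if ($vol.VolumeStatus -eq 'FullyDecrypted') {
    # 3. Add the recovery password FIRST so a failed TPM unseal never strands the machine.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null

    # 4. Enable BitLocker bound to the TPM with XTS-AES-256.
    #    -SkipHardwareTest skips the reboot self-test; omit it if you want that check kept.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest
}

# 5. Escrow every recovery password to Active Directory. Requires the GPO
#    "Store BitLocker recovery information in Active Directory Domain Services" to be enabled.
$vol = Get-BitLockerVolume -MountPoint $MountPoint
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
if (-not $recovery) {
    throw "No recovery password protector on $MountPoint; refusing to leave the drive TPM-only."
}
foreach ($kp in $recovery) {
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $kp.KeyProtectorId
}

# 6. Record the protector IDs (never the passwords) in the change ticket, and report final state.
$recovery | Select-Object KeyProtectorId
Get-BitLockerVolume -MountPoint $MountPoint | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
```

Run it from an elevated PowerShell prompt. A TPM-only protector unlocks the drive automatically at boot, which is convenient but means the protection depends entirely on the platform; for laptops that carry PHI, adding a pre-boot PIN (the -TpmAndPinProtector switch) raises the bar against physical attacks on a powered-off device. Whatever protector is chosen, a drive whose recovery password was never escrowed is a data-loss incident waiting to happen, which is why the script refuses to proceed without one.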
Security controls. Implementing key security controls and procedures is essential to establishing a secure environment. Examples include endpoint protection, regular access reviews, firewall and intrusion detection systems, penetration tests, physical defenses, event log reviews, multifactor authentication, and patch management. Where resources are limited, multifactor authentication on every remote and administrative login and prompt patching of internet-facing systems should come first, since those are the entry points most often abused. Having these key measures in place is essential to a successful and sustainable cybersecurity strategy.
To help your cybersecurity defenses receive a clean bill of health, consider setting up a meeting to discuss how Citrin Cooperman can help protect your business. To get started, please contact Kevin Ricci at firstname.lastname@example.org or Michael Camacho at email@example.com.