Keeping a low profile is no longer an option. Cyber criminals have quickly come to realize that large hospital systems are not the only viable targets in healthcare. Any organization managing electronic health records (EHR) faces risk. Notably, this includes clinics and health practices that in the past may have escaped attention because of their size. Every organization needs to take steps not only to prevent ransomware, but to ensure that it can quickly resume operations if an attack occurs.
Make sure every employee understands what’s at stake. Just about all healthcare settings are connected today thanks to advancements in IoT, from medical devices to EHR, and increasingly most employees, regardless of their role, have access to computers. Hospitals should train any individual who can access a connected device on how to recognize and avoid phishing attacks. Employees should understand the full ramifications of a ransomware or malware attack. Health Insurance Portability and Accountability Act (HIPAA) investigations will follow, and in healthcare settings not only can organizations be driven out of business or forced to cease operations, but physical harm can come to patients and there’s great potential for loss of life.
Treat phishing simulation programs as more than an IT or even a security issue. The ramifications of a data breach extend far beyond the confines of the IT department or the office of the chief security officer. Given the obvious impact of ceasing operations and not being able to provide care, healthcare organizations should approach security with a united front. IT security planning and training should be championed by a collaborative team that includes IT and representatives from administration and operations, clinical staff, legal, human resources, and facilities, including physical security.
Customize phishing simulation programs. Hospitals, clinics, and practices should not only continually train and benchmark employee responses to simulated phishing attacks, but also make these tests realistic. Simulated attacks should mimic the kinds of messages that staff members might consider normal without close inspection, such as insurance claims and requests for records, and should also appear to come from individuals in the organization and even local establishments. Think like a hacker who might mimic the CEO or a restaurant that staff members order from during busy shifts. If the organization uses a third party to conduct phishing simulations, make sure it offers this level of customization.
Consider preventing ransomware and phishing attacks as just one facet of a comprehensive security stance. HIPAA mandates many requirements for encryption and for access to data and the networks on which it resides. Don’t stop there. Consider a zero-trust approach to network access, and invest in tools and systems, or find a HITRUST-certified third-party hosting provider, that can make the organization a tougher target. The idea that organizations can’t fight what they can’t see is valid. Invest in network monitoring technology that not only detects suspicious activity, but automatically alerts decision makers. In addition, deploy endpoint detection and response (EDR) and security information and event management (SIEM) solutions that alert IT to issues and quickly quarantine infected workstations, servers, or other IT assets. And remember, there are third-party providers that can do some or all of these things to help ensure you are creating a secure IT environment.
Make sure the organization has the systems in place needed to quickly resume operations. Even the smallest clinic or practice should have proven disaster recovery and backup systems in operation. Healthcare organizations should also embrace a HIPAA-compliant cloud offering. Today’s cloud solutions not only make it possible to take “snapshots” of the entire dataset with unprecedented frequency, but can also help healthcare organizations quickly address the dramatic increases in data volume created by advancements in radiology and other innovations.
Ponemon Institute research reaffirms that cyberattacks have a direct impact on patient safety risks and mortality, an impact exacerbated by COVID-19 and by the ongoing risk of managing third-party vendors.