Cyber resilience is a term growing in popularity to describe an organization’s ability to defend against the cybercriminals who have run rampant as a direct result of the loosened protections and chaos created by COVID. This article discusses 5 steps that change the way healthcare cybersecurity is approached as a whole, strengthening enterprise-wide security through actionable strategies. You accomplish cyber resilience by focusing on your ability to detect, respond, and recover when a security attack happens.
Vulnerabilities
Even the best systems will have weak points. Cybersecurity has been a serious issue with the Internet since its inception. Now that COVID has forced existing precautions to be set aside to serve those in need during the pandemic, vulnerabilities have increased dramatically. In short, hackers have had a field day amidst the lowered enforcement of previous standards, the lack of technical knowledge among the millions of healthcare professionals who now work online daily, and the chaos in government systems as they try to right themselves around the world. A report released in 2021 exposed this vulnerability: 560 healthcare facilities in the United States fell victim to 80 separate ransomware attacks (a single attack on the healthcare system may impact multiple facilities). The Identity Breach Report, published in 2021 by Constella Intelligence, found a 51% increase in breaches and leakages compared to 2019. The likelihood that you or your organization will suffer a security breach sometime in the future is high. It would be wise to prepare for it now, this week, this month.
Safeguards
Healthcare cybersecurity should be considered a necessary investment. A recent report by CyberMDX found that healthcare cybersecurity is not a high priority for more than 60% of hospitals, and that most are unprotected against common vulnerabilities. With the billions of dollars spent on information systems in the US alone, it is only reasonable to consider how to protect that investment long-term. CyberMDX, in partnership with Philips, found that large hospitals reported an average shutdown time of 6.2 hours at a cost of $21,500 per hour, while midsize hospitals averaged nearly 10 hours at more than double the cost, $45,700 per hour. Furthermore, 64% of those surveyed believed their hospital was unprotected.
Immediate Steps Toward Increased Security
Everyone likes convenience with little cost, workflow disruption, or downtime. However, failing to put adequate resources in play now will more than likely result in much more unpleasant consequences. Aside from conducting system-wide checks, small things that can be accomplished throughout your workday will add up to significantly increased security after a month or two. For example, consider opting for multi-factor authentication wherever you can, starting today. It will require you and your staff to take an extra step to log in every time, but it will also provide another layer of security that may very well save time and trouble later.
Even if providers take extra precautions to secure the devices they use for remote healthcare, lost or stolen devices are still a risk. If the data on the provider’s hard drive is not fully protected, then sensitive client information could be breached. Full-disk encryption, such as Apple’s FileVault, protects the data on a lost or stolen device and strengthens your organization’s cyber resilience.
The Internet can be used for good or bad – it is inanimate. Much like a hammer, it is a tool that can be used to build or destroy. Organizations can achieve cyber resilience by giving providers managed devices with safeguards installed, such as virtual private networks (VPNs), multi-factor authentication, or zero-trust network access (ZTNA). Managed devices can also be configured to block the use of certain apps and functionality. As healthcare professionals, we are duty-bound to protect those who rely on us to protect them and their records. The same principle applies to professionals who work in organizations and carry the duty to work for, and not against, the organization.
Vendors
How thorough are you when reviewing agreements made with vendors? Do you assume they have your best interest at heart and sign their agreements without checking whether they contain detailed assurances about data storage, protection, or access? Who works for these companies? If they employ foreign workers, how do they screen them? Will they have access to your patients’ data? Will they have access to your professional data, such as email addresses, street addresses, license numbers, social security numbers, and other sensitive information about you? Be cautious and ask difficult questions. When it comes to vendors, you are only as strong as your weakest link. A survey of security professionals revealed that 82% of those surveyed recognized that third parties put their organization at risk. Only half of those individuals said their organizations prioritize those risks.
Educate Yourself
Although healthcare cybersecurity will be an issue as long as hackers exist, adhering to cyber resilience policies within your organization will protect against vulnerabilities. Many groups publish step-by-step guides to ensure healthcare organizations across the nation adhere to the same security standards. The National Institute of Standards and Technology (NIST) regularly updates its Cybersecurity Framework to align with current threats. Make it a habit to read at least one of these guides per month, or assign the task to someone else in your organization.
We are well into the 21st century. Technology is evolving faster than most healthcare professionals realize. If we don’t educate ourselves about how to protect those we serve and ourselves, who will? Cyber resilience is easier said than done. By maintaining strong security safeguards, keeping strategic plans in place, and understanding that a threat is a matter of when, not if, you can be better prepared.
See TBHI’s previous articles on related topics:
- NIST Cybersecurity Guidance Update for Clinical HIPAA Cybersecurity
- Cybersecurity Alert Ransomware Activity in Public Health Sector Leads to Warning by FBI, HHS & CISA
- Healthcare Cybersecurity, Ransomware Threats on the Rise
HIPAA Compliant Cybersecurity for Professionals
Must-know information about how to protect your telehealth practice from a ransomware attack. Operate w/ EYES WIDE OPEN.