Five Steps to Developing a Healthcare Information Technology Security Plan
Security breaches have become common place. Daily, we hear cybersecurity breach reports in the media. However, when healthcare institutions are impacted, consumers see this as “more detrimental” than other industry breaches.
Healthcare continued to be a lucrative target for hackers in 2017 with ransomware, cloud storage mishaps, and phishing emails dominating the year. In 2018, these threats will continue, and cyber criminals will likely get more “crafty” and “creative”.
Within the past two years, 94 percent of healthcare organizations have had at least one cybersecurity hack. CIOs must work cross-functionally throughout the organization to educate and partner with departments to help them understand the impact of a breach and the importance of establishing a systematically strong security posture.
Ransomware and Cybersecurity
It’s a fact that ransomware is dominating the cybersecurity landscape, particularly in the healthcare industry. An organization is hit with ransomware every 40 seconds, up from every two minutes in 2017. New tactics, new variants and more sophisticated cyber criminals are resulting in an increase in these attacks, not just against individuals, but against businesses.
Small companies, medium-sized businesses and large enterprises across industries are under attack. When it comes to ransomware, company size or industry is not a factor. Cyber criminals don’t discriminate. While some industries continue to be bigger targets than others, data shows that no sector is immune to ransomware attacks. Healthcare organizations however, continue to be high-profile.
How do healthcare organizations protect against ransomware attacks? It starts with a systematic approach to IT security and a commitment to establishing a strong security posture.
A Systematic Approach
Think about your institution’s approach to security. Is it systematic and consistent? Are disaster recovery measures in place? Is your security posture strong? Are there procedures and processes in place to proactively secure IT environments?
Without an ongoing systematic approach to IT security, a strong security posture to protect patient data, is in jeopardy. Below, I break down five steps to developing an effective IT security plan.
- Run Risk Assessments. Before developing an effective security plan, an initial risk assessment must be conducted to determine assets, systems or devices that require protection. Once the assets have been identified a risk target level can be assigned. Cyber criminals change and adapt quickly. Healthcare institutions must keep pace to remain secure.
- Establish a Security Culture. Security checklists and plans alone are not enough to develop a strong security posture. It is incumbent on any organization where lives and critical patient data are at stake, to support proper information security by establishing a culture of security. Every person in the organization must subscribe to a shared vision of data security so that best practices are automatic. It must start with executive support and buy-in. Protecting patients through good information security practices should be second nature to healthcare organizations.
- Review IT Security Policies and Procedures. Keeping up with IT security trends and threats can be difficult. But, IT security policies must match the current “threat level” and the craftiness of cybercriminals to proactively defend organizations from cyberattacks. Policies must include measures to protect data and it is imperative that they include measures to control access to patient information to minimize risk to electronic healthcare records. Role-based access should be established.
- Educate Employees About Security Best Practices. No longer are the days of cutting IT security budgets viable. CIOs must allocate budget to employee training and awareness programs and systems to properly secure environments, particularly when lives are at stake. Hackers will look for the weakest link in security plans — and its employees. If employees are unaware of how to recognize and avoid security threats, they can be a weak link in a chain of defense. For example, hackers will prey on employees by sending phishing emails that appear to be official and expose organizations to malicious code and ransomware.
- Include a Disaster Recovery Plan in the Overall Security Plan. With the increase in security breaches, IT departments must assume that security breaches and cyberattacks will occur. While healthcare institutions need a strategy to prevent breaches, a comprehensive disaster recovery plan is necessary, in the event of a breach, to minimize unscheduled downtime, rapidly recover data and more. Incorporating both elements in one cohesive IT security plan is becoming increasingly crucial.
The healthcare industry continues to be a prime target for information theft as it lags other industries in securing critical data and medical information which has the greatest value to hackers. It is imperative for healthcare providers to invest time and funding into maintaining and ensuring the protection of healthcare technologies and the confidentiality of patient information from unauthorized access.
Proactive security in healthcare is therefore, a must! It means predicting threats that your institution might face and arming yourself ahead of time. Healthcare providers must take an “offensive” posture to protecting patient data from security breaches by developing and adhering to a comprehensive plan.
Gone are the days of lack of strategy and reactive or defensive security postures. If your organization does not have the IT resources to develop and implement a security plan, I recommend a Managed Security Services Provider who can tailor a program to meet your company’s needs, level of risk and culture.