The number one cybersecurity issue for most healthcare organizations is compliance with the HIPAA Security Rule. The Department of Health and Human Services (HHS) has extensive guidance, but the key points are that you must:
HIPPA doesn’t specify the particular security measures you use, simply that they must be sufficient. This will include “administrative, technical and physical” measures that are “reasonable and appropriate” for your situation.
The first step for identifying if you need to improve your security to comply with HIPAA is by using two official tools. The National Institute of Standards and Technology (NIST) published a toolkit that uses a survey approach to highlight areas where you may be failing, but it’s important to note that while it is no longer officially supported or updated.
You can also use HHS’s “Security Risk Assessment Tool,” which is aimed particularly at small and medium health organizations.
To build on this, you should also consider getting help from a specialist security consultant. They can help you better comply with HIPAA and identify and address wider cybersecurity threats.
While healthcare is subject to many of the threats that face any business or organization, some cybersecurity issues are particularly prominent in the sector.
Unfortunately, healthcare has become a prime target for ransomware scanners. Sophos reported the proportion of organizations hit by at least one attack rose from 34 percent in 2020 to 66 percent in 2022. That’s a bigger rise than any other sector.
You can understand the appeal to attackers. Healthcare is particularly reliant on data, especially regarding patients. The consequences of being unable to access data can be far more serious than simply losing money. That creates a significant motivation to pay a ransom to regain access. Rightly or wrongly, attackers may also believe healthcare groups have the funding to pay ransoms now and worry about the cost later.
To make things worse, healthcare is particularly vulnerable to what you might call “Ransomware 2.0”. A small but growing proportion of attacks are no longer simply about charging a ransom to restore access. Instead, they involve a threat to expose data, something that would have major privacy implications in healthcare.
Protecting against ransomware isn’t simply a case of increasing security and keeping systems updated. Healthcare organizations can’t afford to wait it out after ransomware scammers lock up data. Instead, preparing for a successful attack is as important as trying to prevent it. That means developing backup systems that let you rapidly restore data and get back to work. This requires planning and testing both the systems and the logistics of using them.
Internet-connected devices have the power to revolutionize healthcare but they also prevent a new point of attack. At best, inadequate security could expose confidential monitoring data and cause HIPAA problems. At worst, an attack could take devices offline, severely impacting healthcare itself.
The sheer scale of healthcare organizations means that simply relying on keeping devices updated with security fixes is not enough. Instead, IT managers need to have a clear and comprehensive understanding of what devices are on a system and how they are connected. The age-old battle between security and convenience still plays out. A zero-trust approach that blocks all access by default is often the only acceptable approach to risk tolerance.
If you opt for outside help to secure IoT healthcare devices, remember that technical knowledge is not enough. You also need to use a consultant with practical experience in how devices work and interconnect in a real healthcare environment.
It’s all too easy to concentrate on hardware and software with security, overlooking the human factor. Census and Bureau of Labor Statistics figure consistently show healthcare as the business sector with the most workers. Every one of them could be a route into your systems for cybercriminals. Whether it’s the medical front line or the administration backbone, many healthcare employees have extremely busy, often stressful work days. That can make them particularly vulnerable to phishing attacks and other malware distribution.
Tackling this risk requires a two-pronged approach. First, you need networks with rock-solid access controls. Everyone needs to be able to quickly access the data and tools they need: nobody in healthcare has time to wait about for an access request to be granted. However, nobody should be able to access data or systems that aren’t strictly necessary for their role. Once again, logistics is as important as the underlying technology.
Second, you must keep staff educated and alert to phishing threats. A 2021 survey found a phishing attack was the most significant breach in the past 12 months for almost half of healthcare cybersecurity professionals. In 21 percent of cases, the breach impacted clinical care.
While training is part of the solution, it doesn’t offer certainty that the message has gotten through. That’s why many organizations will test their staff with bogus emails to see how many open them, click on links, and input login and other details.
“Standard” cybersecurity measures are necessary but not sufficient for the healthcare sector. Security breaches not only have financial implications but could potentially impact patient outcomes.
The sector is particularly vulnerable to ransomware attacks (including those which threaten to expose data). Meanwhile, internet-connected devices and a huge, hard-working employee base are also potential targets.
Improving healthcare cybersecurity requires a holistic approach that doesn’t simply rely on technology. Dealing with logistics including access, backup and restoration, and staff cyber-skills, are all necessary tools in the healthcare security arsenal.
It may seem like a daunting task, but it is possible. Contact Meriplex today to find out more about how we can help.
https://meriplex.com/wp-content/uploads/2023/02/What-is-managed-SD-WAN.jpg
1333
2000
Greg Allen
/wp-content/uploads/2021/10/Meriplex-Logo-Full-Color.png
Greg Allen2023-03-20 18:52:062023-02-20 18:53:18What is Managed SD-WAN?
https://meriplex.com/wp-content/uploads/2023/02/Oil-and-Gas-MSSP.jpeg
1500
2000
Greg Allen
/wp-content/uploads/2021/10/Meriplex-Logo-Full-Color.png
Greg Allen2023-03-17 10:04:002023-02-07 22:07:49Managed Security Services for the Oil and Gas Industries
https://meriplex.com/wp-content/uploads/2023/02/Manufacturing-MSSP.jpeg
1125
2000
Greg Allen
/wp-content/uploads/2021/10/Meriplex-Logo-Full-Color.png
Greg Allen2023-03-15 09:30:002023-02-07 23:25:03Benefits of Managed Security Services for the Manufacturing Industry
