By John Briar, founder, BotRx.
We tend to have a negative view of risk, regarding it as a danger to the business. But it also presents opportunities to push boundaries. If we reframe risk as a change-maker, what degree of risk is acceptable? The healthcare industry faces this conundrum at every turn. Whether testing a toxic chemotherapy drug that could be lifesaving or adopting IoT devices that provide detailed analytics, these advances can all expand the threat landscape.
Unlike testing pharmaceuticals in a controlled lab setting, the world of cyber and its risks are in constant flux. Healthcare data is at the top of cybercriminals’ lists, contributing to a record number of breached health records in the past year. Full patient medical records are a valuable commodity on the dark web and sell for up to $1,000 each.
Healthcare organizations can’t afford to stand still when it comes to implementing protections.
The reality of highly regulated industries is that compliance mandates tend to govern security operations. But where regulations are cut and dried, risks do not fit neatly into boxes of “high risk” and “low risk.” Instead, risk sits on a spectrum, and managing it requires a holistic cybersecurity strategy that prioritizes and mitigates each risk according to what the organization has decided is acceptable.
To help healthcare organizations mature security policies and become more comfortable with risk, here are three recommendations for 2020 cybersecurity planning:
- Make Sure Your Organization Has Its Security Cornerstone
We live in an era where a patient’s digital and physical presence are now bridged. While complete data protection is never guaranteed, it doesn’t mean a “cyber care plan” shouldn’t be developed. Every healthcare organization needs a cybersecurity policy that defines how to avoid, mitigate, and accept cybersecurity risks.
Serving as the cornerstone of an information security program, a policy can be homegrown or built on published security standards such as those from the National Institute of Standards and Technology (NIST) or the International Organization for Standardization (ISO).
Consider including information on compliance, infrastructure, and employees. This includes detailing:
- What controls will be in place? (antivirus, firewalls, bot detection and mitigation, malware protection, etc.)
- Who is responsible for enforcing and updating the policy?
- Who responds to and resolves security incidents, and how?
- What are the best practices?
- Make Sure Your Insight Is 20/20
In 2020, seeing clearly won’t just be a marketing stunt for ophthalmologists. For healthcare organizations, visibility is an integral part of identifying risks and finding ways to reduce them. According to a 2019 Cybersecurity and Threat Preparedness report from Avertium, 65 percent of respondents felt their jobs had been made much more difficult because of the vulnerabilities introduced by their company’s digital transformation.
As digital healthcare records, virtual doctor visits, and IoT medical devices become ubiquitous, there must be visibility from endpoint to ecosystem on where vulnerabilities are and can propagate.
Unseen or hidden vulnerabilities and threats can include:
- Unauthorized access by criminals, internal threat actors, or bots
- Outdated information security controls
- Unaccounted-for endpoints
- Accelerating volume of alerts
The good news is that many tools and technologies can give you visibility into where you may be vulnerable. It doesn’t always have to be a complicated and expensive protection suite. You can even start with the security plugins offered through your content management system to protect your website and patient portals.
- Speak the Same Language
As 2019 draws to an end, healthcare IT leaders must rally everyone around the idea that cyber risk isn’t really cyber risk. It’s risk to the organization, to patient safety, and to the bottom line (financial, reputational, operational, and other losses). If a fraudster executes a social engineering scheme and exfiltrates sensitive data, the phishing email or malware isn’t the real problem; the loss it caused is.
Staff-wide cybersecurity awareness initiatives, written in plain language that spells out the losses that follow an incident and what to do to prevent it from happening again, should be a goal for every healthcare organization. Even technologists should adopt this mindset. Cybersecurity is not a silo within the IT department, or a task for “someone else.” Every single person plays a critical role in assessing and mitigating risk.
Take Risk, But Do It Safely
The healthcare industry has a brand new year ahead, full of possibilities. Don’t shy away from adopting new technologies that allow for better patient care, just remember to do it with cybersecurity in mind.