Guest post by Craig Musgrave, senior vice president, information technology, The Doctors Company.
Healthcare entities remain the top target for cyber criminals. Not only do over 50 percent of all cyberattacks occur in the healthcare industry, but there have been 4,000 daily ransomware attacks—focused mostly on healthcare entities—since early 2016, a 300 percent increase over the 1,000 daily attacks in 2015.[i]
All types of organizations must take steps to ensure they are protected. The following are six questions you should ask your IT department to evaluate your cybersecurity readiness, and some answers to these perplexing problems most industries face today.
- Does our organization use a security framework?
  - The National Institute of Standards and Technology Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
  - The Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to ensure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity.
- What are the top risks I should worry about?
  - Human interaction: Over 80 percent of attacks are made possible by human error or human involvement, such as downloading malicious files, clicking on malicious links, or plugging unknown USB devices into computer systems. You need to provide security training for all employees and maintain constant employee awareness of the risks. There should also be a significant investment in security solutions that can help limit the damage if an employee action leads to an attack.
  - Technology vulnerabilities: Vulnerabilities in your defenses may be known—or newly discovered when an attack happens. Invest in tools that scan for hardware and software vulnerabilities, and invest in IT staff to constantly update and patch software.
  - External intruders: Addressing non-stop attempts to access your network through unsecured or vulnerable access points involves investing in technologies and strategies like multi-factor authentication, advanced firewalls, web application firewalls, external monitoring, and penetration tests.
  - Data loss: Protected health information (PHI) could be lost through an unapproved employee data transfer. Invest in tools that encrypt data in transit and educate employees on proper data transfer procedures.
  - Delayed detection: This is the inability to detect an intrusion due to an unknown vulnerability, misconfigured technology, or employee error. Invest in constant IT training on event management, security threat detection, incident response, and technology configuration. Execute threat simulations (penetration tests) and continually review system configurations.
  - Attacks through privileged accounts: Hackers try to gain access to privileged accounts—such as domain admin, database admin, or external vendors—to reach secure areas within computer networks. For example, the major Target hack occurred when an employee of Target’s third-party HVAC vendor responded to a spear phishing e-mail. Privileged Account Management systems can issue one-time passwords for elevated accounts, so that no standing credential is left to be stolen.
- How are employees made aware of their role in cybersecurity?
  - Perform annual phishing tests for your employees, discuss the importance of cybersecurity at annual meetings, maintain awareness throughout the year through notifications from IT and executives, and consider creating cybersecurity awareness training videos or presentations.
- Are external and internal threats considered when planning cybersecurity activities?
  - Threat sources include hackers, foreign countries, automated systems, vendors, visitors, and employees. Threats include malware, phishing, zero-day attacks, denial-of-service attacks, natural disasters, and internal attacks.
- How is security governance managed?
  - Enterprise security governance is a company’s strategy for reducing the risk of unauthorized access to information technology systems and data. Enterprise security governance activities involve the development, institutionalization, assessment, and improvement of an organization’s enterprise risk management (ERM) and security policies. These activities should be consistent with the organization’s compliance requirements, culture, and management policies. Developing and sustaining enterprise security governance often involves conducting threat, vulnerability, and risk analysis tests that are specific to the company’s industry.
- If a serious breach occurred, does management have a robust response protocol?
  - Handling a breach requires two response teams and two plans. These should be put in place in advance for potential adverse events within IT systems and/or networks.
  - The IT Incident Response Program includes a core group of IT staff who are responsible for developing the program, promoting awareness throughout the organization, defining and classifying incidents, selecting tools and technologies to locate incidents, determining whether an incident should be investigated, securing the network if an event occurs, and working with the Data Breach Response Team.
  - The Data Breach Response Team, working with the Incident Response Team, is responsible for the breach program: identifying key department members and outside counsel to help with the response; knowing what regulations, statutes, and contracts cover a post-breach response; and understanding whom to call in law enforcement, the insurance carrier, and regulators.
[i]Fact sheet: ransomware and HIPAA. U.S. Department of Health and Human Services. http://www.hhs.gov/sites/default/files/RansomwareFactSheet.pdf. Accessed July 21, 2016.