Top Six Questions You Should Ask Your IT Department About Cybersecurity

Guest post by Craig Musgrave, senior vice president, information technology, The Doctors Company.

Craig Musgrave
Craig Musgrave

Healthcare entities remain the top target for cyber criminals. Not only do over 50 percent of all cyberattacks occur in the healthcare industry, but there have been 4,000 daily ransomware attacks—focused mostly on healthcare entities—since early 2016, a 300 percent increase over the 1,000 daily attacks in 2015.[i]

All types of organizations must take steps to ensure they are protected. The following are six questions you should ask your IT department to evaluate your cybersecurity readiness, and some answers to these perplexing problems most industries face today.

  1. Does our organization use a security framework?
    • The National Institute of Standards and Technology Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
    • The Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to ensure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity.
  2. What are the top risks I should worry about?

  1. How are employees made aware of their role in cybersecurity?
    • Perform annual phishing tests for your employees, discuss the importance of cybersecurity at annual meetings, maintain awareness throughout the year through notifications from IT and executives, and consider creating cybersecurity awareness training videos or presentations.
  2. Are external and internal threats considered when planning cybersecurity activities?
    • Sources include hackers, foreign countries, automated systems, vendors, visitors, and employees. Threats range from malware, phishing, zero-day attacks, denial-of-service attacks, natural disasters, and internal attacks.
  3. How is security governance managed?
    • Enterprise security governance is a company’s strategy for reducing the risk of unauthorized access to information technology systems and data. Enterprise security governance activities involve the development, institutionalization, assessment, and improvement of an organization’s enterprise risk management (ERM) and security policies. Enterprise security governance activities should be consistent with the organization’s compliance requirements, culture, and management policies. The development and sustainment of enterprise security governance often involves conducting threat, vulnerability, and risk analysis tests that are specific to the company’s industry.
  4. If a serious breach occurred, does management have a robust response protocol?
    • Handling a breach requires two response teams and plans. These should be put in place in advance for potential adverse events within IT systems and/or networks.
    • The IT Incident Response Program includes a key number of IT staff that are responsible for developing the program, promoting awareness throughout the organization, defining and classifying incidents, determining tools and technologies to locate incidents, determining if an incident should be investigated, securing the network if an event occurs, and working with the Data Breach Response Team.
    • The Data Breach Response Team, working with the Incident Response Team, are responsible for their breach program, identifying key department members and outside counsel to help with the response; knowing what regulations, statutes, and contracts cover a post-breach response; and understanding who to call in law enforcement, insurance carrier, and regulators.

[i]Fact sheet: ransomware and HIPAA. U.S. Department of Health and Human Services. Accessed July 21, 2016.


Write a Comment

Your email address will not be published. Required fields are marked *