BEST PRACTICES FOR CYBER SECURITY DEFENSES
We have examined the regulatory landscape for healthcare firms, and both the trends and risks that drive cyber security threats in the industry. What should healthcare organizations be doing to strengthen cyber security defenses, particularly in light of the fact that healthcare is the only industry in which employees are the primary threat vector for data breaches[i]? Here are the best practices.
Take the risks seriously
There is ample evidence across the healthcare industry that cyber threats, including ransomware, are a present and growing problem. Healthcare decision makers will need support from the C-suite and board of directors to elevate the importance of erecting appropriate defenses and to secure the appropriate budget and headcount. The vast majority of health IT decision-makers say security is rarely talked about at board meetings, which, in light of its potentially devastating effects, is a reality that needs to change. Senior executives play a vital role in setting the tone and culture of security-mindedness within a firm; enhanced cyber security cannot be just an IT initiative led by the IT team.
Build cyber threat awareness
Your organization faces both generalized and specific cyber threats: generalized threats such as ransomware, malware, and data breaches, and the particular intensity those threats take on because of the nature of the healthcare industry and its systems.
Develop a cyber security strategy for your organization
Do the internal research to identify the specific threats faced at your organization, including a complete audit of current security tools, training programs, and security practices. This needs to be a comprehensive, enterprise-wide assessment, not a piecemeal approach. Elements include identifying specific risks, such as computers still running Windows XP, medical devices with unpatched operating systems, and printers in locations that unauthorized people could access. Assess the effectiveness of training programs, pulling data on metrics such as key offenders, repeat offenders, and the types of attacks that consistently succeed despite training efforts. If outdated or vulnerable medical devices are of particular concern, work with the original vendor to develop solutions to the problem. When evaluating current and potential IT security vendors, look for those who are innovating at the rate of current threats, not those stuck in neutral. If your organization lacks the in-house cyber security skills to execute such a strategy, engage a specialist external consultancy to lead the effort.
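The asset-risk part of that audit can be run over an inventory export. The following is an added illustration, not code from the white paper: it applies the three risk rules named above (end-of-life operating systems, medical devices that have gone unpatched, printers in areas open to non-staff) to a constructed inventory of hypothetical hosts and ranks the findings by severity; the end-of-life OS list and the 180-day patch-age limit are assumptions, not figures from the page.

```python
from datetime import date

# Constructed sample inventory: hypothetical hosts, not from any real environment.
# Fields: hostname, device type, OS, last patch date, whether non-staff can reach the location.
INVENTORY = [
    {"host": "ws-registration-01", "type": "workstation", "os": "Windows XP",
     "last_patched": date(2014, 4, 8), "public_area": False},
    {"host": "infusion-pump-12", "type": "medical_device", "os": "Windows 7 Embedded",
     "last_patched": date(2023, 1, 15), "public_area": False},
    {"host": "printer-lobby-02", "type": "printer", "os": "Embedded",
     "last_patched": date(2024, 3, 1), "public_area": True},
    {"host": "ws-radiology-07", "type": "workstation", "os": "Windows 10",
     "last_patched": date(2024, 5, 20), "public_area": False},
]

# Operating systems no longer receiving vendor patches (illustrative list, assumed, not exhaustive).
END_OF_LIFE_OS = {"Windows XP", "Windows 7", "Windows 7 Embedded", "Windows Server 2003"}
PATCH_AGE_LIMIT_DAYS = 180          # assumed threshold; tune to your patch policy
ASSESSMENT_DATE = date(2024, 6, 1)  # fixed date so the sample output is reproducible

def triage_inventory(inventory, today=ASSESSMENT_DATE):
    """Return (hostname, severity, finding) tuples for every asset matching a risk rule."""
    findings = []
    for asset in inventory:
        if asset["os"] in END_OF_LIFE_OS:
            findings.append((asset["host"], "high", f"end-of-life OS: {asset['os']}"))
        age_days = (today - asset["last_patched"]).days
        if age_days > PATCH_AGE_LIMIT_DAYS:
            # An unpatched medical device is rated higher than an unpatched workstation.
            severity = "high" if asset["type"] == "medical_device" else "medium"
            findings.append((asset["host"], severity, f"not patched for {age_days} days"))
        if asset["type"] == "printer" and asset["public_area"]:
            findings.append((asset["host"], "medium", "printer in an area open to non-staff"))
    # Highest severity first, then by hostname, so the report leads with what to fix first.
    rank = {"high": 0, "medium": 1}
    findings.sort(key=lambda f: (rank[f[1]], f[0]))
    return findings

if __name__ == "__main__":
    for host, severity, finding in triage_inventory(INVENTORY):
        print(f"{severity:6} {host:20} {finding}")
```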
Establish thorough and detailed policies
Translate your cyber security strategy into an appropriate number of thorough and detailed policies. These should specify which communication and collaboration systems are appropriately protected and approved for use (and which are not), the security tools that must be used (for perimeter, endpoint, and data protection), the security practices that must be followed (such as keeping systems up to date), and the acceptable and unacceptable uses of corporate resources and of personal devices connecting to the healthcare network. If healthcare professionals are permitted to use their own devices for enterprise purposes, what protections are necessary to ensure the security of patient data, mitigate the impact of lost or stolen devices, and protect the network from compromised devices or apps?
Enable encryption at every point
Encryption should be enabled for all sensitive or confidential data, whether in transit, in use, or at rest. Moreover, software and storage purchases should be made only if they support robust encryption capabilities. Where legacy applications and storage are not going to be replaced in the near future, third-party encryption solutions should be implemented to manage this critical function.
Use threat intelligence to stay secure
With new threats constantly emerging, use threat intelligence to highlight unexpected application, data and user behaviors, and move rapidly to isolate and contain questionable activity. Seeding your network with fake patient data (honeytoken records that no legitimate workflow should ever touch) can give early warning of the presence of malicious users or advanced persistent threats, and user behavior modeling more generally can trigger alerts when employees start to exhibit rogue behavior.
Test your ability to recover from a cyber attack
If your stated organizational policy is to never pay a ransom when infected with ransomware, you must fully test, on an ongoing basis, your ability to isolate an attack and recover from its effects. Invest in preparedness, such as multiple rotating backups, business continuity plans, and keeping systems patched to minimize the attack surface. But these must be tested, because finding out after an attack that a key element was missing is too late.
Invest in cyber security awareness training
Written policies and clear approaches for avoiding cyber attacks are necessary, but these have to become part of everyday healthcare practice. Security awareness training offers a structured approach for educating the workforce on current threats, the red flags to look for in an email message or web link, how to avoid infection, and what to do in the event of an active exploit. Such training must be offered to all users and senior executives, since all are at risk. When training senior executives, ensure there is a section on identifying and responding to CEO fraud, because this is a key threat given their visible position within the organization. All users and executives will need repeated training sessions to stay current with the threat landscape, and new hires will require training during onboarding too. Since both HIPAA and the security policies of NHS England require ongoing security awareness training, it is clearly a best practice whose value has been widely recognized.
The survey conducted for this white paper found that 44 percent of the organizations surveyed train employees on security awareness no more than once per year.
Govern user behavior for tools, devices, and repositories
Healthcare professionals should follow best practice guidance when using corporate-issued tools, devices, and data repositories, and especially so when using personally managed devices to access the same. Best practices include enforcing security updates before granting access, having the ability to remotely wipe lost or stolen devices, and limiting access to personal and sensitive data in corporate repositories. Connecting to public Wi-Fi networks is another common vector for attack, so either ensure appropriate protections are in place to mitigate the threat, or provide alternative ways of getting network access when away from the office.
Tighten password policies and account access
With users often being the weak link in the chain, tighten password policies and account access to minimize the threat surface. Best practices include limiting access to only essential data resources, rather than giving people wide access to as much data as possible. Other best practices include active auditing of file access (to identify patterns of wrongdoing or questionable behavior), the ability to quickly revoke access to all healthcare systems when terminating an employee, single sign-on across all applications (for uniquely identifying access behaviors), and special controls for privileged accounts (such as top-level IT accounts required for system administration).
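The honeytoken seeding described under "Use threat intelligence to stay secure" and the file-access auditing and access revocation recommended here both come down to watching the same access log. The following is an added example, not code from the white paper: it runs three detections over a constructed record-access log with hypothetical users and patient IDs: any touch of a seeded honeytoken record, any activity by an account past its termination date, and a per-user daily access volume above an assumed baseline.

```python
from collections import Counter
from datetime import date

# Constructed sample access log (hypothetical users and patient IDs). Format: date,user,action,patient_id
ACCESS_LOG = """\
2024-06-03,nurse.adams,view,P10021
2024-06-03,nurse.adams,view,P10022
2024-06-03,dr.baker,view,P10023
2024-06-03,dr.baker,view,P10099
2024-06-03,clerk.chen,export,P10024
2024-06-03,clerk.chen,export,P10025
2024-06-03,clerk.chen,export,P10026
2024-06-03,clerk.chen,export,P10027
2024-06-03,clerk.chen,export,P10028
2024-06-03,clerk.chen,export,P10029
2024-06-03,contractor.diaz,view,P10030
"""

# Honeytoken records: fake patients seeded into the repository that no real workflow should touch.
HONEYTOKEN_PATIENTS = {"P10099", "P10098"}
# Accounts whose access should already have been revoked, keyed to the termination date.
TERMINATED = {"contractor.diaz": date(2024, 5, 31)}
# Assumed baseline of record accesses per user per day; anything above it is flagged for review.
BASELINE_RECORDS_PER_DAY = 3

def analyze_access_log(log_text):
    """Return a list of (rule, user, detail) alerts raised by the three detections."""
    alerts = []
    per_user_day = Counter()
    for line in log_text.strip().splitlines():
        day, user, action, patient = line.split(",")
        if patient in HONEYTOKEN_PATIENTS:
            alerts.append(("honeytoken", user, f"{action} of seeded record {patient}"))
        end = TERMINATED.get(user)
        if end is not None and date.fromisoformat(day) > end:
            alerts.append(("revoked-account", user, f"activity on {day}, terminated {end}"))
        per_user_day[(user, day)] += 1
    for (user, day), count in per_user_day.items():
        if count > BASELINE_RECORDS_PER_DAY:
            alerts.append(("volume", user, f"{count} records on {day}, baseline {BASELINE_RECORDS_PER_DAY}"))
    return alerts

if __name__ == "__main__":
    for rule, user, detail in analyze_access_log(ACCESS_LOG):
        print(f"{rule:16} {user:16} {detail}")
```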
Have the right cyber security defenses
Strategies, policies, training, and preparedness are essential aspects of building cyber security defenses, but these human structures rely on having the right cyber security technologies in place. Healthcare organizations need advanced tools for blocking and identifying phishing attempts, blocking malware from entering the network via email and drive-by downloads, and anti-ransomware capabilities for identifying abnormal application behaviors before they can take root on a device or across the network. Backups of core data are essential, application whitelisting is a good idea (although it is a big project), next-generation firewalls provide much deeper analysis and remediation of active threats, and endpoint security technologies keep a whole range of devices safe from exploitation. Last, but certainly not least, is the necessity of robust perimeter defenses that will block many of the threats that virtually all healthcare organizations encounter on a daily basis.