This is the final week and the theme is all about making security a priority, Cybersecurity First. For organizations, this means building security into products and processes. Make cybersecurity training a part of employee onboarding and equip staff with the tools they need to keep the organization safe. For individuals, keep cybersecurity at the forefront of your mind as you connect daily. Before purchasing a device or online product, do your research. When you set up a new device or app, consider your security and privacy settings and update default passwords. Cybersecurity should not be an afterthought.
Now let’s hear from our experts when it comes to “Cybersecurity First” in healthcare and healthcare organizations.
People are our best and most important investment in cybersecurity. Of course, we want to ensure that our IT and security staff are top notch, but we need to ensure that we’re adequately equipping everyone in the organization to act as a data defender. What is our culture like? How are we training our employees? Have we adequately demonstrated the tools that they have to help protect sensitive data? Do we understand our data sufficiently to help explain how our employees can impact its security? Do our employees know how and to whom they should report concerns about data security? These questions are exponentially more important as we move more and more towards a distributed and remote workforce. The investments in people and culture are just as important as the technical investment that we make in our infrastructure.
The COVID-19 pandemic was a catalyst for healthcare to accelerate the adoption of new technologies for omnichannel patient engagement, from telehealth services to sophisticated text-based patient engagement campaigns. This created a host of new challenges for cybersecurity leaders who needed to implement new technical security controls and processes across a rapidly evolving technology ecosystem that impacted patients more directly, requiring a careful balance of ensuring the highest levels of security without negatively impacting usability. Cybersecurity professionals across the industry worked tirelessly to ensure that patients could stay connected to their trusted providers, and the lessons learned from supporting omnichannel patient engagement will be with us long after the pandemic.
Every day, we read in social media and see on the news about scary cyber-attacks against our schools, doctors, insurance companies, apps, etc. We must all be especially vigilant to protect ourselves and the companies we work for against cyber criminals, whose techniques are evolving every day. We should make sure that we take a minute of every day to consider what we can do better to be more aware of cyber threats in our lives. And, if a bad thing does happen, we should all get help immediately—and we should all know who to call!
To learn more about current HIPAA trends and hear Iliana speak, register for the Virtual HIPAA Privacy and Security Summit, co-hosted by Widener University Delaware Law School and First Healthcare Compliance. The event will be held on November 18, 2021 and will include CLE and CEU credits.
David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
Cybersecurity is important because it protects all categories of cyber assets from theft, damage, or operational shutdown. The most critical asset it protects for any organization is data – all categories and classifications – from theft, destruction, intentional and unintentional loss. In healthcare, that data represents the patient. The most important reason for accurate and timely data is better medical care. If access to data is slowed, or missing, it may delay diagnosis, care, and treatment. Time can be critical in medical emergencies and access to the right data at the right time is critical for the coordinated administration and management of care.
In 2020, 79% of all reported data breaches were in the healthcare industry. Being connected means the inevitable risk of a cyber threat and putting cybersecurity first requires commitment across the entire organization – from the top down. From educating staff about identifying malicious emails to implementing the right tools and solutions to analyze, detect, respond and investigate events, healthcare organizations must prioritize safeguarding critical patient data from every possible angle. This includes compliance with critical standards and legislation such as HIPAA and GDPR. Cybersecurity is no longer the responsibility of solely the IT team – it’s now the obligation of every single employee within an organization and to be fully prepared, a business must think and act as such.
Many organizations struggle with creating urgency or prioritizing cyber initiatives. The overarching argument often points back to cost. In every industry, especially health related fields, this lack of investment has drastic consequences. We have recently seen the physical and digital worlds collide which also increases the impact that lack of priority can result in. A cyber incident can lead to the inability to deliver effective patient care and most recently, resulted in a patient’s death due to a lack of technology to facilitate critical care. By educating the organization and stakeholders as a whole on how technology impacts every aspect of operations, priority becomes more of a shared responsibility. Constant education and transparency with the goal to support and inform is most effective. This increased awareness results in global prioritization as it establishes cybersecurity squarely at the root of successful and continuous operations.
Securing patient data is paramount. Companies that handle patient records need to maintain a high level of security while enabling easy access to customers and their external applications. Access and security are diametrically opposed, so this is not a simple problem to optimize. However, one thing we’ve learned in security is that it takes one to know one. This means companies need to think like a hacker when securing systems by attempting to find vulnerabilities and hiring external researchers as well.
Security is a mindset, and something you need to actively cultivate; it’s not something you just set and forget. Every initiative in a healthcare organization should consider Cybersecurity, and the impact the initiative will have on data and trust-relationships. Organizations need to address security holistically, in 3 high-level areas: People, Process, and Policy and work with their people to ensure that they are well-trained on security best practices. It’s imperative to include industry recommendations for security into processes from the beginning to construct policies around those processes so that your organization can easily spot anomalies.
Hospital leadership has embraced the fact that we live in a constant cyber-threatening environment. For what it’s worth, some cyber criminals demonstrated a bit of ethics, claiming they would not attack hospitals. Yet the past proves that hospitals can be part of their collateral damage. Others are definitively targeting hospitals, with attacks on healthcare organizations in the past few months. How well they responded confirms that preparation is key, and can lower the risks and impact of a targeted attack. Keep in mind that hospital IT infrastructure and information systems are living things. They change all the time. Systems are decommissioned and new systems added, in order to keep pace with ever-changing business needs and technological evolutions. When doing so, it is important to have a ‘Cybersecurity First’ mindset. To keep the security procedures and systems ready to face an attack involving or targeting a new application, for instance, security teams must be involved as early as possible in the purchase and implementation planning phases of that application. This is paramount to determine the procedures, not only to protect a particular application and to monitor for suspicious activities, but also what can and cannot be done with this new application, should an attack occur, and determine with evidence what is the most efficient way to respond – before it is too late.
Cybersecurity needs to be baked into the operations and business continuity process for any enterprise – especially in healthcare, because lives are at stake. From digital record keeping to the devices that actually keep hearts beating, healthcare technologies are increasingly reliant on internet connectivity, which in turn increases vulnerabilities in critical systems. Today the threat is far beyond protecting PII and HIPAA compliance when the cost of a breach could result in the loss of life. Thus, in this new era of connectivity, having a grasp of all of the moving parts is critical to reducing the attack surface available for malicious actors.
A “cybersecurity first” approach starts with knowing what kind of data I’m trying to protect. In healthcare, that’s primarily patient medical data, though there also is personal and financial information that must be secured. And there are specifically protected types of information such as behavioral health and HIV status that are even more sensitive than a person’s blood pressure.
The reason I’m protecting this data is because it has value. What does that mean? It means the data needs to be disclosed and shared to derive value from that information. It needs to be analyzed. It needs to be used to more efficiently manage inventory.
Once a data situation is clear, one has to start thinking about who should and shouldn’t be granted authorized access. Another important consideration is where will the organization need to use that information – in healthcare, at the point of care, in claims processing and billing – and to what entities must it be disclosed to enable patient care and facilitate payer responsibilities.
And yes, “cybersecurity first” has to include fostering a culture of security awareness across the organization through clearly communicated security policies and ongoing training or education for employees.
When healthcare contact center agents are working remotely as they have during the pandemic, it’s even more important to establish and clearly communicate security policies, operating procedures and actionable remote guidelines. IT leaders should educate their agents and supervisors on remote security best practices, using a learning management system to regularly refresh and assess their knowledge. Furthermore, they should establish clear policies related to the handling of patient and member information, and be vigilant about incoming data and the sources behind that data to confirm their authenticity, in order to avoid compromising network security.
All we have to do is look at our news feeds. Every day we read about new cybersecurity attacks and the serious, sometimes terminal, damage they can inflict upon an organization. We all know that security must be a priority, but what does it really mean to have a ‘Cybersecurity First’ mindset? Security breaches can happen in multiple ways and from multiple vectors. To fully safeguard against security threats, an organization has to instill awareness at every level. IT teams must take a critical look at the systems and processes they have in place. How could they be improved? Leaders must plan and budget for proper maintenance, patching, tools, and staffing. Software developers need to write code with robust input and connection validation. Most of all, security teams have to work constantly to give every member in an organization the training and tools they need to recognize, avoid, and report potential threats. ‘Cybersecurity First’ requires that we are all aware of and responsible for security throughout our day-to-day jobs.
As a cloud technology provider of a customer conversations management platform, we are often asked about cloud security and data protection. It is important to choose trusted and tested cloud software providers that will partner with you to protect your healthcare systems and your members’ personally identifiable and protected health information. Companies that deploy via AWS or Azure can take advantage of network and application firewalls as well as encryption in transit across all services and connectivity options that enable private or dedicated connections. As part of the information gathering process, also ask vendors about their security and compliance certifications, such as ISO 27001, SOC 1 & SOC 2, PCI DSS, IRAP and HIPAA.