How is Your Organization Addressing Cyber Hygiene?

October is Cybersecurity Awareness Month

The National Cyber Security Alliance and the Cybersecurity and Infrastructure Security Agency invite you to celebrate Cybersecurity Awareness Month 2022 this October as we raise awareness about the importance of cybersecurity and ensure that all individuals and organizations have the information and tools they need to be safer and more secure online. “Do Your Part. #BeCyberSmart.”

Cybersecurity Awareness Month was created by the Department of Homeland Security and the National Cyber Security Alliance in October of 2004. It was launched in an effort to help Americans stay safe on the rapidly growing Internet. Since its inception, the month has only grown more important as our lives become increasingly digitized. We are only one of many industry participants who are taking this month to educate our community on the importance of cybersecurity.

As always, follow our posts this month and hear what the healthcare security experts have to say. This week they are coming clean on the topic of cyber hygiene.

Lee Barrett, Executive Director and CEO, EHNAC
Twitter: @EHNAC

Having a strong cyber hygiene plan and commitment within an organization is critical. Healthcare staffs must exhibit the awareness and “rigor” necessary to address the question of “what do we do when we have a cyber-attack?” while ensuring they have a tested and proven contingency plan that can be implemented. The absolute key to mitigating the impact of a cyber attack is to ensure that your contingency plan is documented, all key parties know their roles, and that the plan has been drilled, reviewed and refined prior to any attack occurring. That level of commitment is critical to mitigating the financial and reputational/credibility impact to an organization. Remember, it’s not a matter of “if an attack will occur” but “when an attack occurs” that must be drilled into the mindset of your staff so they can be ready to implement your well-refined contingency plan. One of the best resources to provide to you to assist with your planning can be found on the Cybersecurity & Infrastructure Security Agency website.

There are many that can assist you and your organization to assure that your Operating Systems (O/S), applications, firmware, hardware and people are integrated into your cyber hygiene awareness and planning. Remember, the effectiveness of your plan is only as good as your organization’s preparedness, training, post-review assessment and refinement to mitigate exposure. Your organization can have a solid and rigorous contingency plan in place, but it takes everyone within the organization to be trained, committed, and understand the impact and importance to the organization to understand their roles and the overall plan execution and goals. Ensure that your organization is committed to implementation, maintenance, and awareness of the need for a world-class cyber hygiene strategy for your organization. That’s your best possible defense when a cyber attack occurs.

David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
Twitter: @DavidSFinn

Healthcare has been talking about Cyber Hygiene for a while now, but we still don’t do it very well. Most of us wouldn’t let a physician conduct a physical exam on us without having seen them wash their hands. Can you imagine a surgeon not wearing gloves to operate? It is built in. I don’t know why hospitals and providers can’t figure this one out – if you know what causes “infection” and you know how to at least slow it down, do it. Patching, updating, upgrading, training, all help to prevent cyber-attacks. Healthcare is one of, if not the most, hyperconnected sector in the U.S. Strong access, like MFA, is one of those no-brainer steps toward hygiene. A robust and regularly exercised response plan is also a critical part of hygiene. Most organizations run these exercises once a year, if at all. Ongoing cyber hygiene is one of the least expensive things to do – if you do it regularly and on schedule. It is also one of the most effective things to do to improve and enhance resiliency. Let’s just do it.

Brendan Crotty, Head of Product Management, InstaMed, a J.P. Morgan company
Twitter: @InstaMed

Ransomware attacks targeting healthcare are on the rise, and the points of entry are often downstream vendors. In several instances, the breaches have resulted from a bad actor infiltrating a provider’s system, network and even a medical device via a ransomware attack on a third-party vendor. Stakeholders should look to consolidate the number of vendors they work with to help minimize the risk of cyberattacks. The more you can eliminate handoffs with your data, the less likely that data is to be compromised by hackers. When selecting vendors, ask to see their security and compliance certifications as any vendor who self-attests to being compliant and secure should be seen as a red flag.

Neil Clauson, Regional CISO, Mimecast
Twitter: @Mimecast

Healthcare organizations face unique security challenges that require a firm grasp of their attack surface area, internet-facing assets, and domains to understand where potential threat vectors exist. Remediating these vulnerabilities, early, often, and with regular consistency, ensures that hackers and ransomware have limited opportunity to cause system downtime or disrupt patient care. Furthermore, it tells an excellent story to Cyber Insurance providers that their “Cyber Hygiene” deserves maximum coverage with optimized and achievable premiums and deductibles.

For cybercriminals, patient records, medical data, and the systems that store and process them have high value, which makes healthcare providers and their affiliated businesses an attractive target. As such, providers must also reduce their attack surface area as much as possible by understanding threat actor tactics, techniques and procedures (TTP), implementing streamlined processes, leveraging best-in-class solutions, and investing in security awareness training.

Steve Akers, CSO & CTO at TECH LOCK, a division of Clearwater
Twitter: @ClearwaterHIPAA
Twitter: @TECHLOCKInc

Comprehensive visibility combined with effective orchestration across the enterprise is critical to detecting modern cyber-attacks and minimizing the impact to a breach of your defenses. Organizations focus heavily on preventing a breach, which is a noble endeavor, but this often leaves them ill-prepared to handle a breach and minimize its impact if (and when) it does happen. Ensure you are getting the right insights and implementing proper protections across all the different areas of your organization – on premise, endpoints, cloud, service providers, development, SaaS, infrastructure, vulnerabilities, etc. – and ensure there is correlation and orchestration between them. This increases the likelihood of detecting many different indicators of compromise but also enables the organization to minimize dwell time in the event something does happen.

Chris Spargen, Sr. Manager, Solutions Engineering, HelpSystems
Twitter: @HelpSystemsMN

Setting a strong example is a way to collectively raise the bar on cybersecurity for your organization. Championing updated policies by being an early adopter, praising early adoption when you see it, and spearheading the latest security updates for the software solutions in your realm of influence will lead to a more secure organizational posture. Look for opportunities to partner with your vendors, testing new versions and helping them find any weaknesses that may exist before they reach the mainstream market.

Andy Stone, CTO – Americas, Pure Storage
Twitter: @PureStorage

It’s critical for organizations to perform good data hygiene on systems. Unsupported operating systems and unpatched software open the door for malware infections and other attacker exploits. Once threat actors gain access to the environment, they methodically look for key systems and sensitive data to exploit. That’s why it’s beneficial to have a well-defined patch management program that promotes the implementation of patches and updates soon after they’re released with the target of three to seven days for critical patches and updates, and no more than 30 days for others. In many instances, by the time a vendor releases a patch, cybercriminals are already aware of the vulnerability and have developed or are well down the path to developing a tool to exploit it. System misconfigurations can also lead to breaches. Open ports and improperly configured firewalls or routers can give hackers access to your network or provide information about the network that can lead to access.

Ryan Patrick, Vice President of Adoption, Business Development, HITRUST
Twitter: @HITRUST

If you listen to any successful coach, they will preach “getting back to the basics.” The basics win games. The same can be said about cybersecurity. If we can’t do the simple, little things or “the basics,” then we drastically expand our risk exposure and increase our chances of breach, disclosure, and/or incident. It is imperative that we provide our stakeholders with a level of trust that we have implemented cybersecurity programs that are, at a minimum, addressing “the basics.”

Bronwyn Spira, CEO and Co-founder, Force Therapeutics
Twitter: @FORCETherEx
Twitter: @BronwynSpira

Good cyber hygiene helps Force achieve a higher level of security against ransomware attacks. Ensuring all our IT systems are updated with the latest software patches helps us prevent zero days and other types of software vulnerabilities.

John Layne, Director of Information Technology, HSBlox

Healthcare Organizations should invest heavily in tools and services that detect and remediate vulnerabilities from their environments. A good way to identify and implement such controls is via annual certifications of SOC 2 Type II, HITRUST, FedRAMP, CMMC and NIST. While these are a critical aspect of good cyber hygiene, a robust and routine training and awareness program that promotes employee awareness is essential. Set your business and your employees up for success and ensure they understand the possible risks and attacks they may be facing as they are your most critical line of defense.