Improving Health Care Cybersecurity Beyond Compliance

By Devin Partida, Editor-in-Chief,
Twitter: @rehackmagazine

Many companies in the health care sector are making digital transformations by adopting cloud computing technology and other improved IT solutions.

With new technologies, the need for enhanced cybersecurity measures grows. High-profile ransomware attacks increased in the health care industry due to the ongoing COVID-19 pandemic.

How can health care IT organizations move beyond basic compliance and maintain strong cybersecurity resilience?

Being Compliant vs. Adopting Superior Cybersecurity Strategies

Not all health care organizations operate at optimal levels of cybersecurity, which is a significant issue the industry needs to address. With the pandemic still impacting health care organizations, the attack surfaces that cybercriminals can take advantage of have expanded and evolved.

It’s even likely that the recommendations and cybersecurity framework set forth by the National Institute of Standards and Technology (NIST) will become an industry standard for health care organizations. This may take some time, as it can be challenging for organizations to shift to a new standard or adopt an entirely new framework. With a long list of procedures, policies, requirements, and standards to follow, it’s not a change that can happen overnight.

Moving past compliance and into a spirit of cyber-resilience is crucial for health care organizations right now. But how can they make this transition?

How Health Care IT Teams Can Strengthen an Organization’s Cyber Resilience

According to the World Economic Forum, an average of 155,000 health records are breached during a cybersecurity attack in the health sector. In some incidents, reports are far higher, reaching a whopping 3 million records breached.

Because of this growing issue, cybersecurity needs to be a top priority for health care organizations. Practicing good cyber hygiene is no longer an option – it’s a necessity.

Below are some ways health care IT teams can strengthen their organization’s cybersecurity measures to protect patient data, ensure smooth operations, and hold perpetrators accountable.

1. Adopt a Zero-Trust Security Model
Due to the ever-changing landscape of network security in health care, one security approach that’s evolved and become widely used across industries is zero-trust. Essentially, a zero-trust security model constantly limits access to data in an organization on a need-to-know basis. No actors, systems, or services operating can be accessed without proper verification.

Organizations adopting a zero-trust model lower their risk of facing cybersecurity incidents, whether ransomware, malware, phishing scams, or distributed denial of service (DDoS) attacks. This type of security model does require time, money, and a tedious implementation process. Still, it can help IT teams move past compliance and become cyber-resilient.

2. Employ Data Protection Measures
There are plenty of data protection methods organizations can employ to keep sensitive patient information out of the hands of malicious actors. Here are some examples:

  • Data encryption
  • Data backups
  • Endpoint protection solutions
  • Automatic log-off
  • Unique user identification
  • Emergency access procedures

While the list above contains only a few examples of data protection measures, they play a critical role in securing patient health records. Cybercriminals are becoming more sophisticated in how and when they attack, so protecting data transmitted between connected devices should be prioritized.

3. Conduct Regular Risk Assessments
According to Health Insurance Portability and Accountability Act (HIPAA) security rules, covered entities and business associates must conduct a risk assessment of their organization to remain compliant. While performing this assessment can ensure technical safeguards are in place for protection, they also give organizations greater insight into their cybersecurity maturity and hygiene.

Reviewing technical, administrative, and physical security controls allows organizations to identify areas of improvement. From there, IT professionals can make expert recommendations so organizations can take action to mitigate vulnerabilities, lessen cybersecurity risks, and strengthen their cybersecurity posture.

4. Develop an Incident Response Plan
A proper cybersecurity incident response plan includes the following areas of coverage:

  • Preparation: For example, conducting mock data breaches in an organization will equip staff with the tools necessary to handle a breach, should one occur.
  • Identification: This includes identifying the 5 W’s of a data breach (who, what, when, where, why).
  • Containment: This step typically involves disconnecting from the internet, fixing bugs, updating software or hardware, and backing up data for recovery.
  • Eradication: Securely removing all malware must occur before recovery begins. Systems need to be safe and secure when handling a cybersecurity attack.
  • Recovery: This step includes recovering systems and getting them back online for the organization to use and monitoring operations for any other suspicious activity.
  • Lessons learned: Teams should hold a meeting to discuss details of the breach and steps that can be taken to prevent future threats or attacks.

Because a data breach can occur at any time, having a plan to respond is critical for health care IT professionals.

5. Educate and Train Health Care Staff
Organizations that implement a comprehensive employee training program will naturally lessen the chances of experiencing a cybersecurity incident. Employees in an organization may not use the best cybersecurity practices, such as changing passwords regularly, logging out of software or applications, or ignoring potential spam emails.

Employees must have an increased awareness of potential cybersecurity risks, as they can prevent breaches before they become a more significant, impactful issue. A team is only as strong as its weakest link, so ensuring all staff is adequately trained can increase cybersecurity resilience.

These five steps can ensure organizations move beyond compliance and strengthen their cybersecurity posture in a challenging, high-risk cybersecurity environment.

Moving Beyond Compliance in a Health Care Setting

Every health care organization understands that meeting compliance requirements is essential. However, as cybercriminals become more aggressive with their attacks, going above and beyond basic compliance can decrease the likelihood of data breaches and other potential threats.