This is week 1 and the theme is Be Cyber Smart. As our lives have become increasingly dependent on technology, virtually all personal and business data is kept on internet-connected platforms, which can become a gold mine for bad actors. The first full week of Cybersecurity Awareness Month will highlight best security practices and focus on general cyber hygiene to keep your information safe. Own your role in cybersecurity by starting with the basics. Creating strong passwords and using multi-factor authentication, backing up your data, and updating your software are great places to start. This is a great way to Do Your Part #BeCyberSmart!
David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
“Be Cyber Smart” is not only a catchy phrase, but also one of the great cyber security awareness campaigns ever and a very useful website (Be Cyber Smart | Homeland Security (dhs.gov)). Like security itself, though, it only works if we use the tool, stay current and encourage our organizations and teams to do it. Awareness and training must be not only available but important and accessible to users. You must have the “slow drip approach”, but you must keep material fresh and current, reflecting what is happening in the world and your own environment. Messages that are personal and entertaining are more impactful and better remembered.
In healthcare, being cyber smart starts with understanding the basics required by regulations applicable to the healthcare industry. As most, if not all, people should know, that means taking the time to parse through and understand the requirements of the HIPAA Security Rule. Once HIPAA is understood, a solid foundation can be established on which to build truly protective practices. Additionally, it is important to remember that security is always an ongoing effort that must evolve and adapt to changing circumstances, which translates to continually reviewing policies and procedures to catch emerging gaps.
The past 18 months of the pandemic have demonstrated the resiliency of health care workers, especially those in the IT space. It all starts with solid education and making a plan so everyone within your organization is prepared for the next attack. In this day and age, it’s not a matter of if but when a data breach or ransomware attack could occur. As we’ve seen in the headlines, downtime can last upwards of 30 days or more. This kind of hit is devastating to healthcare systems big and small. Education is so important because it holds everyone accountable. Engaging a Disaster Recovery and Business Continuity (DRBC) team at your organization to spearhead these efforts can make the difference between being prepared versus not, with millions of dollars of revenue on the line. Invite key stakeholders from various departments to assist with these efforts and reward employees for adhering to the standards. By taking an “all hands on deck” approach, you’re shifting the focus off your IT team and making sure everyone is doing their part. Being cyber smart is key to a healthy, modernized IT infrastructure, but we can’t do it alone.
Cyber safety begins with good cyber hygiene. All internet-connected devices are possible entry points for a cybercriminal. And the need for diligence increases exponentially as the volume of connected devices in healthcare provider organizations, both within the facility and from remote locations, grows. Here are four core tenets of good cyber hygiene to employ every day.
- Stay up to date – Regularly update security software, browsers, and operating systems. Use auto-updates for home devices.
- Use passphrases – Length trumps complexity when creating a strong passphrase. Keep them long, easy to remember and unique for each account. For example: TheBeachismyHappyPlace!
- Stop the track – Your location doesn’t always have to be tracked. Properly configure mobile applications to disable tracking and location services when they’re not needed. And delete mobile apps you no longer use.
- Watch Wi-Fi connections – Use caution with Wi-Fi connections and only connect to trusted networks. Local coffee shops, hotels, airports, and other public places are notorious for cyberattacks, with hackers setting up fake Wi-Fi connections which look like the real establishment.
When we talk about being “cybersmart” it’s too easy to just focus on passive governance and reacting when things go wrong. Being “cybersmart” today has to be proactive. As data is used and shared, and while it is in motion, it has to be actively secured and governed. This is absolutely critical in the Health IT space where PHI must be handled with the utmost care, but without overly restricting access and use. For instance, one company we work with captures large sets of health data to run predictive AI models. Data sharing is core to their business. But, without the right tools, users often didn’t even know whether some of the data they were capturing included PHI or not. And, even if it did, they didn’t have the ability to actively govern it. Fortunately, they are now solving the problem, but it started by taking an active mindset towards controlling access to data.
Today, 93% of patients — regardless of age — expect to use digital tools to access virtual care, which, in turn, brings its own set of challenges as providers integrate devices and services, all the while attempting to keep patient data safe and secure. To do these things well goes beyond simply messaging patients, hosting video chats, or sharing content within the EHR. It means striking a balance between cybersecurity and technology to protect the confidentiality, integrity, and availability of patient data across the continuum of care. The pandemic demonstrated the need for digital care but also precipitated a rise in cyberattacks. Now is the time for providers to re-evaluate their partners to ensure well-documented compliance and security protocols meet the highest standards.
Taking the initiative to become cybersmart is no longer an option, but a necessity. In 2017, the average cost of a breach in the healthcare and pharmaceutical industry was $3.6 million – the COVID-19 pandemic has almost doubled that number. It’s never been more important for organizations to be vigilant in the fight against cybercrime. While cyber threats are inevitable, having the right technology in place to proactively monitor irregularities in cyber activity and responding to threats more quickly can mean the difference between a million-dollar breach and just another day. Being cybersmart doesn’t mean working harder, it means using the right detection and response solutions to work smarter.
Of the nine fundamental domains of the McCumber Information Security Model, which guides the cybersecurity profession, confidentiality is paramount. Confidentiality includes privacy of patient data that is federally mandated by the HIPAA healthcare rules. As Harvey Jang of Cisco recently said, ‘Privacy is a business imperative and ethical responsibility – not just a compliance requirement.’ This sentiment is even more true in healthcare, where there is a basic directive to protect patients’ private and confidential information.
Don’t Miss our Cybersecurity Virtual Panel Discussion on October 26 at 1pm ET
It has been six years since our first panel discussion addressing the growing and alarming rise of cybersecurity threats to healthcare. In the ensuing years, data breaches and ransomware attacks continue to plague the industry. In fact, through double extortion, the two attacks are often combined.
The COVID-19 pandemic and the increased usage of telehealth and connected personal and medical devices have led to an exponential volume of incidents, enticing more malicious actors and more sophisticated attacks. And while technology advancements in Cloud, IoT, and 5G offer organizations the chance to modernize their IT infrastructure, cybersecurity threats are advancing on parallel lines as digital healthcare evolves.
On this year’s panel discussion, our experts from around the industry will discuss the challenges healthcare organizations face, what the future may hold, and what can be done to fortify security protocols and guardrails to minimize risk.
Moderator David Harlow, Esq.
Host of Harlow on Healthcare
- Heather Randall, PhD, Chief Compliance Officer, Sphere
- David Finn, Vice President, College of Healthcare Information Management Executives (CHIME)
- Parham Eftekhari, Founder & Chairman, Institute for Critical Infrastructure Technology (ICIT)