If an ounce of prevention is worth a pound of cure, then effective cyber security measures are worth a ton for healthcare organizations because your data could be compromised at any time from any point.
Network vulnerabilities, nefarious criminals and negligent employees are just a few of the threats that your organization faces. With protected health information (PHI) selling for a premium on the black market and ransomware running rampant, you must guard against multiple threats. A single data breach could be costly in terms of bad publicity, lost business, litigation losses and governmental fines.
Your cyber security measures must be as varied and disparate as the threats. You must deploy multiple measures if you are to manage the myriad of risks. You must protect against the obvious, not-so-obvious and we-never-would-have-thought-of-that threats if you are to build a strong cyber security foundation that allows your organization to grow efficiently with technology.
Here are nine cyber security measures that will mitigate risk for your healthcare organization.
1) Password policy
Almost 70 percent of healthcare organizations have compromised email credentials, according to a HealthcareITNews article. Hackers can penetrate such systems with key-logging and phishing attacks. Exploitations could then lead to ransomware, patient data breaches or denial of service attacks, the magazine reported.
A password policy can mitigate such attacks by making log-in credentials much harder to guess. Passwords should be complex but functional.
If you require passwords to be 30 characters long, then everybody may forget theirs. Then they might start writing them on Post-It notes so that they can remember. That would pose a low-tech problem for your high-tech solution.
Strike a balance between usability and security in your password policy. Consider using phrases for passwords. Instead of thinking of a traditional password, think of the name of your favorite movie, for example.
One of the best mechanisms to defeat password guessing or the brute forcing of passwords is to use spaces within your passwords. Most applications that help with brute forcing cannot or do not use the space keys for the password process.
Have your users include spaces in their passwords instead of special characters. You will be surprised at how easy a mitigation that is against most of the brute-forcing tools out there.
If you use a phrase, like one of your favorite movies, it’s probably going to have a space between the two elements. So, it will be easier to remember for your user and it will substantially increase the complexity of the password process.
2) Two-factor authentication
Two-factor authentication is an advanced way to stop business email compromise (BEC). With two-factor authentication, you have to provide your password as well as a token, which is a randomly generated series of numbers, in order to gain access to your account. Its randomness and complexity make it a good cyber security measure for healthcare.
3) Application whitelisting
When it comes to simple cyber security, application whitelisting is the best measure. Only allow the applications that are supposed to run on your environment to run.
This might frustrate employees in the process but it really is the simplest way to actually secure your environment. Microsoft Windows, for example, provides full application whitelisting and group policy mechanisms.
You don’t have to spend a lot of money. You just have to get somebody to turn those features on.
If you can actually have application whitelisting in place, you’re pretty well defended against the traditional ransomware type attacks.
4) Managed equipment
Unmanaged equipment is a big issue in most healthcare organizations. They buy equipment, put it in place and forget about it.
An MRI machine is a good example. It may run on a Windows 2000 operating system that has not been patched for a long time. So, the machine has a significant number of vulnerabilities and it’s connected to the rest of your healthcare environment.
A good patching policy and managing what you buy are the best basic mitigations for that type of vulnerability. A more sophisticated approach is a vulnerability scanning platform. There are plenty of solutions out there to help you manage that risk and, ultimately, to minimize your vulnerability footprint.
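As an added illustration of "managing what you buy" (example code written for this page, not a product or the article's own tooling), the check below runs over a constructed asset inventory and flags devices that run an end-of-life operating system or have gone too long without patches, ranking network-connected devices higher. The end-of-life list and the 30-day threshold are assumptions you would tune from vendor lifecycle pages and your own policy.

```python
from datetime import date

# Constructed inventory records (not real devices): hostname, OS, last patch date, network-connected
INVENTORY = [
    {"host": "mri-01", "os": "Windows 2000", "last_patched": "2015-06-01", "networked": True},
    {"host": "ws-042", "os": "Windows 10", "last_patched": "2024-02-20", "networked": True},
    {"host": "infusion-7", "os": "Windows XP", "last_patched": None, "networked": False},
    {"host": "lab-03", "os": "Windows 11", "last_patched": "2023-11-01", "networked": True},
]

# Assumption: operating systems whose vendor no longer ships security updates
END_OF_LIFE = {"Windows 2000", "Windows XP", "Windows 7"}
# Assumption: policy threshold for how long a device may go without patching
MAX_PATCH_AGE_DAYS = 30


def assess(inventory, today):
    """Return findings for devices that violate the patching policy.

    Each finding carries the reasons and a priority: "high" if the device is
    connected to the rest of the network, "medium" if it is isolated.
    """
    findings = []
    for dev in inventory:
        reasons = []
        if dev["os"] in END_OF_LIFE:
            reasons.append("end-of-life OS: " + dev["os"])
        if dev["last_patched"] is None:
            reasons.append("never patched")
        else:
            age = (today - date.fromisoformat(dev["last_patched"])).days
            if age > MAX_PATCH_AGE_DAYS:
                reasons.append(f"last patched {age} days ago")
        if reasons:
            priority = "high" if dev["networked"] else "medium"
            findings.append({"host": dev["host"], "priority": priority, "reasons": reasons})
    # High-priority (networked) devices first; sort is stable so inventory order is kept otherwise
    return sorted(findings, key=lambda f: f["priority"] != "high")


if __name__ == "__main__":
    for f in assess(INVENTORY, date(2024, 3, 10)):
        print(f["priority"], f["host"], "; ".join(f["reasons"]))
```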
5) Testing program
You can plan all that you want and spend all that you want. But you haven’t gotten anywhere until you test.
You trust but validate. If you’re not doing that, if that’s not a fundamental part of your security posture, you’re setting yourself up for failure.
If you think you have a great plan, great, exercise it. Set up a team that is actually going to try to break into your environment. Test the tools that you are putting into place. Send yourself an email with a virus attached and see what happens, in a controlled environment, so that it does not end up spreading everywhere.
Many organizations say, “We have an intrusion response plan. We have a backup policy.”
But if you ask, “So what happened when you went to backup?”
They will reply, “Well, the backups were corrupt.”
These are common issues. As you write your plans and acquire your tools, test them regularly, at least quarterly. Hire a third party to test you and your team so that everyone stays alert.
When building a testing program, focus simulations on what you have determined to be your top threats. Focus first on those techniques that are being leveraged by adversaries, like phishing.
6) Detection program
You can defend, but you cannot prevent everything. Implement a detection system so that you know when a threat arises.
Your detection program should look for anomalies. Identify normal behaviors. Then create rules to alert you when exceptions occur.
For example, if an employee historically logs in from 8 am to 5 pm and is now logging into the environment at 2 am, that is what detection should catch. Traditional prevention systems will not stop something like that from happening. But for a network administrator or security professional who knows to look for it, that kind of alert becomes powerful.
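The login-hours rule described above, as an added example that is not part of the original article: a per-user baseline of normal login hours is learned from a constructed set of historical authentication lines, and new logins outside that window (or from users with no history at all) are raised as alerts. The log format and the one-hour slack around the observed window are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication lines (not real data): "timestamp,user,result"
BASELINE_LOG = """\
2024-03-04T08:02:11,jsmith,success
2024-03-04T17:01:40,jsmith,success
2024-03-05T07:58:03,jsmith,success
2024-03-05T16:45:22,jsmith,success
2024-03-04T09:10:00,rjones,success
2024-03-05T13:20:15,rjones,success
"""

NEW_LOG = """\
2024-03-06T08:05:00,jsmith,success
2024-03-07T02:13:44,jsmith,success
2024-03-06T22:40:09,rjones,success
2024-03-06T10:00:00,newuser,success
"""


def parse(log_text):
    """Yield (user, datetime) for every successful login line."""
    for line in log_text.splitlines():
        ts, user, result = line.strip().split(",")
        if result == "success":
            yield user, datetime.fromisoformat(ts)


def build_baseline(log_text, slack_hours=1):
    """Per-user normal window: (earliest hour - slack, latest hour + slack), clamped to 0..23."""
    hours = defaultdict(list)
    for user, when in parse(log_text):
        hours[user].append(when.hour)
    return {u: (max(min(h) - slack_hours, 0), min(max(h) + slack_hours, 23))
            for u, h in hours.items()}


def find_anomalies(baseline, log_text):
    """Return (user, timestamp, reason) for logins outside the user's window or with no baseline."""
    alerts = []
    for user, when in parse(log_text):
        if user not in baseline:
            alerts.append((user, when.isoformat(), "no login history for user"))
            continue
        lo, hi = baseline[user]
        if not lo <= when.hour <= hi:
            alerts.append((user, when.isoformat(),
                           f"login at hour {when.hour:02d} outside normal window {lo:02d}-{hi:02d}"))
    return alerts


if __name__ == "__main__":
    for alert in find_anomalies(build_baseline(BASELINE_LOG), NEW_LOG):
        print(*alert)
```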
7) Third-party policy
Many healthcare organizations have solid cyber security policies that address external threats. Unfortunately, they don’t realize that one of their trusted partners has compromised security in the meantime.
Just because you take security seriously, that doesn’t mean that the physician down the street in his small office does as well. If you give that office dedicated VPN access back into your network environment, you may be providing a foothold into your organization.
Or, better yet, the HVAC company comes in and plugs their laptops into your environment to look at your air conditioning system, which, for some reason, you connected to the rest of your network in order to manage the temperature throughout the entire building. Now, let’s say that person’s computer was compromised with malware. It has now propagated itself throughout the rest of your network environment. This is how adversaries get a connection into your environment.
Look at third parties and the associated risks. Write effective policy about interactions with third parties to classify that activity. Develop associated agreements that constrain the relationship, even though most third parties are not going to want to expose themselves to unnecessary expenditures or scrutiny.
Also, prioritize working with vendors that follow a core security framework, such as HITRUST, or that are PCI certified. They have security as part of their overall culture. Remember, it’s the weakest link in the chain that is ultimately going to become that element for you.
8) Catch, match and patch framework
Smaller healthcare organizations, in particular, should prioritize cyber security measures with a framework.
The Australian Signals Directorate’s catch, match and patch policy is a good example to follow. It’s simple.
- Catch malicious software with application whitelisting.
- Patch the materials in your environment. Keep them up-to-date.
- Match people and privileges. Limit access to those who need information.
Protecting your organization in this manner could eliminate more than 80 percent of the issues that you face.
9) Education
Education is an important cyber security measure, particularly for preventing email compromise. Employees must know that if they’re not expecting an email from somebody, then they shouldn’t open it.
The problem with email compromise, however, is that once an adversary actually gains access to somebody’s email account, maybe your president’s, they’re going to use it to send an email to another employee. They’re going to ask for files on all the employees in the company, including their Social Security numbers. Or, they’re going to ask for all the patient information. And an employee who is simply responding to their boss is probably going to provide that data without asking or taking a second look.
Train your employees in cyber security measures or hire outside experts to do so. Test your employees as you provide the training; otherwise, it will not take.
You need to phish your own employees. And again there are tools out there to help you with doing so. A lot of companies focus on that side.
Or more importantly, you need to have a policy behind it to say, “Well, if we phish you a couple of times and you’ve failed each time, and we did follow-up training with you and you’re still getting caught, well, we now need to take action.”
There must be administrative punitive damages to an employee in the event that they don’t grasp the notion that they are the weakest link in the fence.
Cyber defense is complex for healthcare organizations, particularly as the number of threats increases and the nature of those threats evolves. But if you prioritize and manage risk, you can use technology to help your organization grow efficiently.
Start by using these nine essential cyber security measures, if you aren’t doing so already.