Best practices to make 2018 more secure

Healthcare IT has experienced increased challenges in 2018 with new cyber-attacks, new vulnerabilities, security staff shortages, and more.

Information security is racing to secure technology that grew far faster than anyone could have ever imagined. The most important thing to understand about information security is how to minimize the effects of a security event, because no control prevents every one. Every organization is being targeted, whether by spam, phishing, corporate espionage, nation-states, or anything in between. Here are three areas that healthcare organizations should focus on to improve their security and privacy programs in 2018.

Preparing for Ransomware
A recent CynergisTek report found that 78% of healthcare providers experienced a malware or ransomware attack in 2017. In most cases, less than 20 minutes pass between the first machine being infected with ransomware and the other vulnerable systems on the network being infected, meaning the most important thing an organization can do is be prepared to move very quickly. Decide and document ahead of time who makes decisions, how to bypass the chain of command if those people are not immediately reachable, and ensure that everyone involved understands the urgency required when responding to a ransomware incident.

Furthermore, Intermedia found that 75% of ransomware attacks infect three or more employee devices, and 46% infect at least 20. This is why the moment an infected system is identified it should be disconnected from the network immediately (pull the cable or disable the switch port rather than powering it off, so volatile evidence is preserved for the investigation). A survey by Imperva states that downtime from ransomware can cost an organization between $5,000 and $20,000, or more, per day. This is why, beyond the capability to detect and react quickly, it is crucial to ensure that downtime procedures are in place and, more generally, that a robust and regularly tested incident response plan exists before an incident occurs.

Securing Mobile and IoT
Mobile and IoT are significantly increasing the number of endpoint devices in the enterprise today, but our collective inability to conduct effective asset inventories has not changed. One of the most important steps an organization can take toward protecting its mobile and IoT devices is to maintain an accurate and up-to-date inventory of every device connected to the network. This accounts for missing, lost and/or stolen devices and the risk they present, and, more importantly, it means you know exactly what to remove from the network in the event of an incident.

Additionally, it is important to have strong and enforced standards for mobile and IoT devices. For example, mobile devices that connect to sensitive systems must have full-device encryption, a PIN or password to unlock, and the organization needs the ability to remotely wipe any lost or stolen device. For IoT devices it is crucial that all devices are regularly checked for updates (and updated accordingly), and that they reside within a segmented virtual network (VLAN) that is as restrictive as possible, with firewall rules that deny the devices access to the internet and to sensitive internal systems and permit only the flows they need, such as reaching an internal update server.
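The two controls above, an inventory that tells you which devices do not belong and a VLAN policy that limits what IoT devices may talk to, can both be checked mechanically. The following is an added example written for this article, not code from the original page: it reconciles constructed ARP-scan output against a constructed inventory to flag unknown devices, and evaluates constructed flow records against a restrictive IoT VLAN policy. The IoT VLAN (10.20.0.0/24), the sensitive subnet (10.100.0.0/16), the update-server address (10.20.0.250) and the decision to allow intra-VLAN traffic are assumptions for illustration.

```python
"""Reconcile a network scan against the asset inventory and check IoT
traffic against a restrictive VLAN policy.

Added example for this article (not code from the original page). All
inventory, scan and flow data below is constructed; the addresses and
the policy details are assumptions, not a real site configuration.
"""
import ipaddress

# Constructed asset inventory: MAC -> (name, device class).
# In practice this would be exported from the CMDB or MDM.
INVENTORY = {
    "00:1a:2b:3c:4d:01": ("infusion-pump-ward3", "iot"),
    "00:1a:2b:3c:4d:02": ("nurse-tablet-07", "mobile"),
    "00:1a:2b:3c:4d:03": ("patient-monitor-icu2", "iot"),
}

# Constructed ARP-scan style output: "ip  mac  vendor" per line.
SCAN_OUTPUT = """\
10.20.0.11  00:1a:2b:3c:4d:01  Medical Devices Inc
10.20.0.12  00:1a:2b:3c:4d:03  Medical Devices Inc
10.20.0.13  00:1a:2b:3c:4d:99  Unknown Vendor
10.30.0.5   00:1a:2b:3c:4d:02  Tablet Maker
"""

IOT_VLAN = ipaddress.ip_network("10.20.0.0/24")       # assumed IoT segment
SENSITIVE = ipaddress.ip_network("10.100.0.0/16")     # assumed EHR/DB subnet
UPDATE_SERVER = ipaddress.ip_address("10.20.0.250")   # assumed patch mirror


def parse_scan(text):
    """Return a list of (ip, mac) tuples from scan lines, skipping blanks."""
    devices = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        devices.append((parts[0], parts[1].lower()))
    return devices


def reconcile(scan_text, inventory):
    """Split scanned devices into known and unknown.

    Unknown devices are the first candidates to isolate: the inventory
    cannot tell you their risk, so during an incident they get removed.
    """
    known, unknown = [], []
    for ip, mac in parse_scan(scan_text):
        if mac in inventory:
            known.append((ip, mac, inventory[mac][0]))
        else:
            unknown.append((ip, mac))
    return known, unknown


def flow_allowed(src, dst):
    """IoT VLAN policy (assumed): a device in the IoT VLAN may talk to other
    devices in its own VLAN or to the update server, and to nothing else.
    Traffic to the sensitive subnet or to the internet is therefore denied.
    Traffic that does not originate in the IoT VLAN is not this policy's job.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip not in IOT_VLAN:
        return True
    if dst_ip == UPDATE_SERVER or dst_ip in IOT_VLAN:
        return True
    return False  # covers SENSITIVE, public internet and everything else


# Constructed flow records: (src, dst, dport)
FLOWS = [
    ("10.20.0.11", "10.20.0.250", 443),   # update server: allowed
    ("10.20.0.11", "10.100.4.20", 1433),  # EHR database: violation
    ("10.20.0.12", "8.8.8.8", 53),        # internet DNS: violation
    ("10.30.0.5", "10.100.4.20", 443),    # tablet outside IoT VLAN: not evaluated
]


def violations(flows):
    """Return the flows that the IoT VLAN policy would block."""
    return [f for f in flows if not flow_allowed(f[0], f[1])]


if __name__ == "__main__":
    known, unknown = reconcile(SCAN_OUTPUT, INVENTORY)
    for ip, mac in unknown:
        print(f"UNKNOWN device {mac} at {ip}: not in inventory, isolate and investigate")
    for src, dst, port in violations(FLOWS):
        print(f"POLICY VIOLATION {src} -> {dst}:{port}")
```

Run against real data, the scan text would come from the switch's MAC table or an ARP sweep of the IoT VLAN, and the flow records from the firewall or NetFlow export; the point of the exercise is that an unknown MAC on the IoT VLAN and an IoT device talking to the EHR subnet are both findings that should page someone, not lines in a report.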

Mitigating the User Issue
The “user issue” continues to be a pervasive risk that all organizations face at all times. In fact, 58% of PHI data breaches are caused by insiders, and most of these occur because of human error. Even purely technical attacks, where flaws in code are used to gain illicit access to systems, are only possible because a human made a mistake when building the system or application. More common attacks, such as phishing and malware, are almost always perpetrated through ordinary end users clicking on links or opening attachments they should not have.

There are some effective and universal steps that can be taken to improve security awareness and everyday practice among users. One of the most effective ways to reach users is to make the message personal. Appeal to their humanity, to what they truly care about. Tell them how to stay safe online to protect their own identity, and to help protect their children, families, friends, and loved ones. This helps them to genuinely care about safe behavior and to change their habits. They will share those secure habits with the people they care about, further reinforcing them, and they will bring that knowledge back to work with them.

Conclusion
It’s no surprise that ransomware, mobile and IoT devices, and user awareness continue to be big challenges. But, if the industry can start changing its behaviors and implement some best practices, healthcare IT can begin to reduce the impact of each incident and begin to focus on more advanced protections.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.