It never has been more important to foster a culture of cybersecurity for maintaining security across an entire healthcare organization.
With all the risks of catastrophic cyberattacks, internal threats, or even negligence, C-suite executives are responsible for creating a culture of security. However, there are many disconnects between executives and the reality of security in healthcare systems.
This article intends to inform C-suite executives on the importance of healthcare security by providing relevant stats about the current healthcare-security ecosystem, along with five critical cybersecurity tips.
Healthcare Security Stats
To understand how dire the situation actually is, take a look at these cybersecurity stats in healthcare:
- According to SonicWall’s 2022 Cyber Threat Report, healthcare is one of the most highly targeted industries for cyberattacks.
- A recent study from (ISC)² revealed that 55% of executives described themselves as “very aware” of ransomware, with 40% only being “somewhat aware.”
- There’s also a perfect storm of vulnerabilities created by the current cybersecurity workforce shortage, which is straining IT teams at a time when cyberattacks are a constant threat. (ISC)² found that the global cybersecurity workforce must grow by 65% to defend data and critical assets effectively.
- The most common outcomes from cyberattacks and data breaches include:
- Risks to patient safety
- Ambulance diversions
- EHR downtime
- Appointment cancellations
- Patient data exposure
- Reputational harm
- Costly lawsuits
All of these factors paint a grim picture of cybersecurity in healthcare. However, with executives aware of these dangers, and implementing security countermeasures in response, catastrophic disasters can be avoided before they substantially impair healthcare.
Let’s look at five of the most important cybersecurity tips for the C-suite in healthcare:
- Zero-trust email
- Supply chain risk management
- Manage insider threats
- Password hygiene
- Avoid the ransomware epidemic
1. Zero-Trust Email
Zero-trust email is a process, where every email and email-based interaction is considered a threat until proven otherwise through various methods of verification. With email, cybercriminals, bots, and viruses only have to find one weak link to access sensitive data or affect the overall infrastructure.
In a healthcare context, there’s a multitude of users that use email in their daily work. From physicians and IT staff to administrative staff and C-suite executives, professionals in the healthcare industry must be encouraged to follow zero-trust email guidelines, which are essential to protect against attacks.
The scope of zero-trust email policies is immense, but the main idea revolves around a mindset shift in C-suite executives all the way down to patient interactions.
The first step is identifying the users and applications that have access to sensitive data to identify all vulnerability points and prioritize what to tackle first.
The next step is implementing zero-trust security measures for each access point. It’s a good idea to establish user roles and to grant the least amount of access necessary for each user. This should be a continual process, especially after an uptick in malicious emails or a detected breach.
Using third-party email solutions to implement zero-trust email policies may be the solution to combat ransomware and phishing attacks. Companies such as Paubox implement automated algorithms that rank the sender as reputable or suspicious. If an email and/or the email sender is deemed suspicious, the system quarantines the message to eliminate the risk of end-users clicking on bad links.
2. Supply Chain Risk Management
With supply chain issues regularly spouted in the media, it’s no surprise that healthcare is similarly affected.
Healthcare organizations must conduct proper risk management practices and risk assessments of suppliers and third-party service partners to minimize the risk of supply chain exploitation.
The Cloud Security Alliance (CSA) recently released a new paper, Healthcare Supply Chain Cybersecurity Risk Management, which provides a number of best practices that healthcare delivery organizations (HDOs) must implement to manage threats with their supply chains. These include:
- Inventory all suppliers, then prioritize and identify those they consider to be strategic suppliers.
- Tier suppliers based on risk, using a 3rd-party risk-rating service if possible.
- Contractually require suppliers to maintain security standards.
- Develop a regular schedule for reevaluating suppliers, especially after any detracted data breaches.
3. Manage Insider Threats
Not all threats to healthcare institutions come from external sources. Careless workers, inside agents, disgruntled employees, and third parties are all forms of insider threats that pose cybersecurity risks to healthcare organizations.
Another aspect for the C-suite to consider is that many of these internal threats aren’t deliberate. In fact, a Ponemon Institute report conducted in 2020 showed that 61% of data breaches involving an insider were unintentional in nature. The culprit? Negligence due to poor training, inexperience, and improper redundancy measures to stop any vulnerabilities.
So, how can executives create a better system of protection from insider threats?
According to the HHS, the following best practices are recommended for mitigating insider threats:
- Ensure that sensitive information is available only to those who require access to it.
- Implement strict password and account management policies and practices.
- Define explicit security agreements for any cloud services.
- Develop a formal insider threat mitigation program and security training for all employees
4. Password Hygiene
Weak passwords are the easiest way for criminals to gain credentials and infiltrate a healthcare organization’s network. Therefore, practicing proper password hygiene among employees is a must.
There are a number of ways that executives can enforce strict and effective password hygiene:
- Use complex and long passwords that are unique for each employee, including a series of upper and lowercase letters, numbers, and special characters.
- Implement multi-factor authentication (MFA). MFA requires a user to verify their identity using two or more authentication factors when logging in (preferably two or more types, such as a string of text and some form of biometric data like a fingerprint). Proper usage of MFA increases security because even if one authenticator becomes compromised, the second form of authentication will prevent unauthorized users from having access.
- Limit any shared workspaces as possible.
- Consider using a password manager to store unique and complex passwords for every site or application
- Use automated logout expirations to prevent unauthorized access.
5. Avoid the Ransomware Epidemic
As mentioned in the introduction, there has been an epidemic of ransomware specifically targeting healthcare. To avoid becoming another statistic, implement the following most effective tips to defend against ransomware:
- Conduct periodic security assessments and real-time penetration tests to test readiness against ransomware attacks.
- Limit work-from-home (WFH) and telehealth employment as much as possible, as shared devices can serve as penetration vectors for criminals.
- Encourage cooperation between all levels of the healthcare organization. Because employees and staff are often the first to detect malicious activity, creating an open culture facilitates early detection — a key factor before crucial data and systems are compromised.
- Use managed security providers to manage security operations centers and endpoint solutions.
- Use sophisticated security tools with AI and machine learning capabilities to block sophisticated attacks that aren’t detectable by human oversight
Want more tech insights for the top execs? Subscribe to the Leadership channel: