By Heather Annolino, RN, MBA, CPHRM
The pandemic has left its mark on everything, especially the cybersecurity of health care organizations, many of which are currently understaffed and insufficiently resourced. Whether by passive threats or full-blown ransomware attacks, the cybersecurity of hospitals is being targeted.
An article from Emsisoft shows at least 560 facilities in the health care sector experienced ransomware attacks in 2019. According to cybersecurity firm Imperva, cybercriminals targeted the health care industry with about 187 million attacks per month globally in 2020, up 10% from the previous year. That averages about 498 incidents per organization, every month.
Hospitals can protect themselves, however. Risk managers and IT officers can improve their defenses against these threats by upgrading to the latest technology, which typically offers the best protection against known threats. Additionally, hospitals that still rely on legacy systems can protect themselves by providing awareness training for staff and patching older systems to the latest software version available from the manufacturer, while they plan a strategy to migrate to updated platforms.
The following are essential areas every hospital should address.
Network Security Necessities
Segment networks to limit attackers' reach: implement virtual local area networks, or VLANs, that separate the core network from endpoint devices such as laptops and tablets; block traffic between segments by default with internal firewalls; and grant only the access the systems need to work together.
Control wireless traffic by keeping Wi-Fi users off internal systems or by requiring password-protected wireless connections (the article's example, WEP, stands for Wired Equivalent Privacy; it has long been broken, and WPA2 or WPA3 is the current standard). Also, limit wireless access to the network and consider requiring users to enable two-step authentication on their devices.
Implement network watchdogs with web application firewalls, or WAFs, designed to detect attempts to bypass security controls; a WAF placed in front of a legacy system shields it while it remains in service. If possible, isolate edge devices such as web-enabled building mechanical systems on a separate network. Protect the edge behind a firewall with an intrusion prevention system/intrusion detection system, or IPS/IDS, capability.
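As an added illustration of the segmentation and default-deny guidance above (not code from the article or from Ventiv), the following policy checker assumes a constructed VLAN plan with three segments, a short allowlist of permitted inter-VLAN flows, and a few constructed flow records; every flow not explicitly granted is dropped, and building-system edge devices never reach the core.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed VLAN plan (assumption, not from the article): core servers,
# clinical endpoints, and web-enabled building systems on their own segment.
VLANS = {
    "core": ip_network("10.10.0.0/24"),       # EHR app and database servers
    "endpoints": ip_network("10.20.0.0/24"),  # laptops, tablets, workstations
    "building": ip_network("10.30.0.0/24"),   # HVAC and other edge devices
}

# Allowlist: the only inter-VLAN flows that are granted. Everything else is
# dropped, which is the internal firewall's default-deny posture.
ALLOWED = {
    ("endpoints", "core", "tcp", 443),  # clinical clients -> EHR web tier
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


def vlan_of(addr):
    """Return the VLAN name an address belongs to, or None if unknown."""
    ip = ip_address(addr)
    return next((name for name, net in VLANS.items() if ip in net), None)


def decide(flow):
    """Default-deny verdict: only allowlisted inter-VLAN flows are accepted."""
    s, d = vlan_of(flow.src), vlan_of(flow.dst)
    if s is None or d is None:
        return "drop"      # unknown segment: never assume trust
    if s == d:
        return "accept"    # intra-VLAN traffic is switched, not firewalled
    return "accept" if (s, d, flow.proto, flow.dport) in ALLOWED else "drop"


def audit(lines):
    """Parse constructed 'src dst proto dport' records; return dropped flows."""
    flows = [Flow(a, b, p, int(n)) for a, b, p, n in (ln.split() for ln in lines)]
    return [f for f in flows if decide(f) == "drop"]


SAMPLE = [  # constructed flow records, not real traffic
    "10.20.0.15 10.10.0.5 tcp 443",  # tablet to EHR web tier: allowed
    "10.20.0.15 10.10.0.5 tcp 22",   # tablet SSH to server: not granted
    "10.30.0.8 10.10.0.5 tcp 445",   # HVAC controller to core: dropped
    "10.10.0.5 10.10.0.6 tcp 5432",  # app to DB inside core: accepted
]
```

Running `audit(SAMPLE)` returns the two flows the policy would drop, which is the list a risk manager would review when deciding whether a legitimate system needs an additional allowlist entry.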
Endpoint Device Strategies
Patch systems to the latest software update available, which offers better protection than earlier versions. Also, conduct vulnerability assessments: they identify system weaknesses, create an opportunity to terminate any unnecessary services running on a host, and reduce the number of exploitable weaknesses in a system that can no longer receive updates from the manufacturer.
As an extra layer of security, maintain a ransomware defense. These threat-detection tools typically isolate the affected endpoint device from the network, allowing the IT team to access and clean the threat before data are stolen. A dedicated response team will also be essential for endpoint incidents; if the organization lacks a security operations center, arrange a third-party incident responder. Regular backups and strong password policies for administrative accounts add a further layer of security.
Security Awareness Considerations
Human error is always the weakest link in any data protection strategy. Reduce it by educating staff about cyber dangers and precautions. The loss of patient health or financial records can lead to severe problems for organizations and identity theft for patients. Employees should be trained to recognize attempts to access data and infiltrate hospital systems. Explain to staff the potential threats posed by e-mails and browsing, as well as the threats associated with accessing hospital networks and systems through personal devices.
Keep track of phishing trends because criminals are growing more sophisticated, with compelling phone calls, e-mails, and links to websites that look like hospital sites and mimic their web addresses. Unfortunately, faced with such convincing visuals, employees may unwittingly hand over credentials. Educate employees to recognize suspicious phishing communications that promise rewards for their hard work, such as gift cards, awards, and other enticements, and make sure they know how human resources actually distributes rewards so that a fake offer stands out.
Test your phishing preparedness with simulated messages and appeals to employees, helping them identify potentially harmful e-mails. Hospitals will then be able to recognize employees who might need additional training.
Neglecting strong cyber defenses could be detrimental to health care organizations, exposing them to the risks of fines, monetary losses, and reputational damage. With the right procedures, technology, and awareness training, health care providers can successfully control cyber threats without compromising patient care.
— Heather Annolino, RN, MBA, CPHRM, is the senior director of healthcare practice at Ventiv Technology, where she plays an integral part in developing Ventiv's Patient Safety solutions.