The recent tremendous growth of smart technologies in the healthcare industry has brought enormous potential for new challenges and risks to business data. The nature, frequency and severity of these events have increased, both because of the resurgence of COVID-19 and because of the growing sophistication of cyber terrorists and other nefarious cybercriminals.
It is now critical to recognize cybercrime quickly and limit the damage and its impact on patients, employees and healthcare businesses in general, especially if you want to maintain the prosperity of your healthcare business.
Five healthcare cyber risks you should watch out for in 2022
- Ransomware is on the rise. There has been a major increase in recent months because the bad guys are finding the crime to be so profitable. Becker Hospital Review reports, “In recent years, multiple incidents at healthcare organizations have shown that ransomware attacks can bring down systems, interfere with patient care, damage reputation and interrupt the revenue earning capability of an organization.”
- Identity credentials and personal data are a main target. With the prevalence of hacking and social breaches, the healthcare industry has to be vigilant to maintain continuity and resiliency.
- Many employees are once again working from home. To avoid exposure to COVID-19, a vast number of healthcare companies are asking employees who can work remotely to continue doing just that. People who work from home do not have the same level of network and VPN (virtual private network) security that protects them in their offices, which increases their exposure to cyber threats.
- Lack of time and so many missing and ill personnel have caused healthcare organizations to use additional third-party vendors. To support your ongoing operations, you may be turning to outside vendors such as: document storage companies (both digital storage and hard copies); document shredding companies; payment processors (handling billing, claims or debt collection on your behalf); CPAs; accreditation and compliance organizations; and many more. You have to ask yourself, “How much do these vendors put my patient and employee security at risk during the continuing pandemic?”
- Healthcare organizations have been embracing cloud hosting at breakneck speed, without proper due diligence. This could set the stage for a “cyber-pandemic,” reports Healthcare IT News. “The COVID-19 pandemic is spurring adoption of cloud services across all industries as they rapidly pivot to support remote work and collaboration. This is particularly true for healthcare providers at the front line as they leverage remote access and cloud analytics to scale operations… leaving business leaders and security professionals tasked with protecting an attack surface that to date has been uncharted.”
How can you improve cyber resiliency?
HealthITSecurity recently reported that, “Cyber resiliency is the armor that healthcare organizations need to defend against cybercriminals. Equipped with the tools to prevent, prepare and respond, organizations can significantly reduce the risk of becoming a cyberattack victim.”
“We have to focus on being more resilient,” an industry expert emphasized in the same article. “Focus on the ability to detect, to respond, and to react in a way that allows us to either avoid to some degree or mitigate what happens when we get hit with a cyberattack.”
The article went on to deliver specific resiliency strategies, including:
- Tell yourself that it’s not “if,” but “when.” Stop thinking that our industry is ever going to completely stop the attacks and threats. Then, focus on implementing risk management strategies, creating an incident response plan, and ensuring that patient and employee data is safely encrypted.
- Make the investment in technical protection. A recent study found that cybersecurity is not a high investment priority for more than 60 percent of hospitals, despite the fact that a data breach can force midsize hospitals to shut down for an average of 10 hours at a rate of $45,700 per hour.
- Realize that cybersecurity is NOT convenient. Under HIPAA, covered entities are required to enter into a business associate agreement (BAA) with any third-party vendor that performs functions on behalf of the covered entity and has access to protected health information (PHI). “People like convenience, they don’t like their workflow disrupted, and they don’t like having to take that extra step.”
- Do not underestimate third-party risks. A survey of IT and security professionals across a variety of sectors revealed that while over 82 percent of respondents recognized that third-party threats exposed their organizations to risk, only half said that their organizations prioritize those risks.
- Until there are industry-wide cybersecurity standards, organizations will be vulnerable. HIPAA leaves room for improvement when it comes to establishing strict security rules that organizations must comply with.
Best healthcare cybersecurity practices during continuing COVID-19
A key factor during and after COVID-19 is the critical need to protect data privacy by demonstrating compliance with healthcare data privacy law standards and building trust by increasing healthcare data transparency. To mitigate cybersecurity threats, the New Jersey Cybersecurity and Communications Integration Cell (NJCCIC) recommends the following best practices.
- Reemphasize cybersecurity principles and security best practices for securing passwords, incident reporting, and email and internet use
- Ensure that password settings meet complexity requirements and enforce strong passwords for systems and devices
- Enable multi-factor and multi-level authentication wherever operationally feasible
- Harden systems by disabling unnecessary ports, protocols and services, limiting functionality to what is actually required
- Maintain software and hardware at vendor-supported security patch levels, testing patches extensively
- Deploy centrally managed anti-malware software at all checkpoints capable of supporting it
- Apply the principle of least privilege, limiting access to critical functions to the minimum required users
- Establish network segmentation, disconnecting IoT devices from other systems and networks
- Enable continuous monitoring of networks, applications and systems for rapid detection of suspicious or anomalous behavior
CISA (Cybersecurity and Infrastructure Security Agency) recommends that organizations implement cybersecurity measures now to protect against potential critical threats, including:
- Reduce the likelihood of a damaging cyber intrusion. Make sure software is up-to-date and sign up for CISA’s free cyber hygiene services, including vulnerability scanning, to help reduce exposure to threats.
- Take steps to quickly detect a potential intrusion. Ensure that cybersecurity/IT personnel are focused on identifying and quickly assessing any unexpected or unusual network behavior.
- Ensure that your organization is prepared to respond when an intrusion occurs. Designate a crisis-response team, ensure that key personnel are available, and make sure all participants understand their roles during an incident.
- Maximize your organization’s resilience to a destructive cyber incident. Test backup procedures and conduct a test of manual controls.
Cybersecurity leadership can drive business growth
Healthcare organizations with a robust cybersecurity strategy have a strong competitive edge over those that do not when it comes to trust.
So, be sure to choose and partner with a cybersecurity leader that delivers:
- Strong knowledge of security best practices and the regulatory environment
- Leadership and communication skills
- A passion for learning
- Team building spirit
- Certification from (ISC)2, an international nonprofit membership association focused on inspiring a safe and secure cyber world
For a strong cybersecurity strategy, you need to have Blue Eagle Consulting on your side
Blue Eagle Consulting’s training and consulting experts help your healthcare organization through every phase of its cyber defense and cybersecurity efforts, from auditing your current situation and recommending the appropriate security tools, to reviewing policies and encryption, to training your staff.
“Cyber risk isn’t going to go away,” HealthITSecurity said in a January 2022 article. “It’s going to continue to increase, and we need to be prepared with all available solutions, both human, technical, and on the policy level.”
To find out more about our cybersecurity resources, simply call Blue Eagle Consulting at 1 (866) 981-1095, use the short and easy Contact Form at https://blueeagle-consulting.com/contact/, or send an email to email@example.com.