While security systems, firewalls and network monitoring technologies are paramount in protecting hospitals from possible cyber and ransomware attacks, hospitals should never forget that employees hold the keys to the virtual kingdom.
Healthcare organization IT teams should make sure to establish some best practices when setting up and maintaining their network infrastructure, and Sadik Al-Abdulla, director of security solutions at CDW, who has performed over 4,000 security assessments, can help organizations start laying the groundwork.
So what best practices should healthcare IT teams look to put into place when setting up a more secure network?
1. Establish Update and Patch Discipline
Many organizations update their computers’ operating systems, but they’re not as good about patching other devices such as security cameras, multifunction printers, badge readers and manufacturing equipment, says Al-Abdulla. The proliferation of mobile devices and the Internet of Things exacerbates this problem.
Even if organizations use mobile device management software, users don’t always keep their personal devices up to date, says Karen Scarfone, principal of Scarfone Cybersecurity. Creating a disciplined program for patching and updating all devices on a network — not only computers — can mitigate such vulnerabilities.
A good starting point is to enable automatic patches and updates, suggests Craig Williams, senior technical leader and manager of outreach at Cisco Systems’ Talos Security Intelligence and Research Group. Better yet, he adds, organizations should encourage users to get rid of software they no longer use.
“If you don’t need it, remove it,” he says.
2. Manage Passwords Effectively
When CDW’s security team attempts to crack passwords during an assessment, they’re successful in five minutes or less in 85 percent of the cases. That’s because users choose passwords that are significant to them, such as their favorite sports teams, which can be easy to guess.
The number of data breaches stemming from weak passwords is staggering, according to Williams. “It seems like we have one about every other week, if not every week,” he says.
If organizations adopt more robust password policies, they can minimize that vulnerability, says Al-Abdulla.
3. Navigate Arbitrary Trust
Not all systems need the same level of protection. A user on a gardening forum might not worry about security. However, if that person uses the same login credentials at work, a hacker could breach the less-secure gardening forum and steal his unencrypted password to access his work account. That’s why it’s important to use unique passwords for different accounts, says Al-Abdulla.
4. Use Experiential Learning to Educate Users
Phishing attacks used to be laughably bad, but they’ve grown more sophisticated, says Scarfone. Many target individual users. For instance, a spear phishing scam disguised as an email from a CEO might instruct an employee to wire money. Policies such as requiring two people to approve a wire transfer can combat such attacks, she says.
When organizations hire CDW to attempt to phish their employees, they face a grim reality — an 80 percent click rate. But organizations can flip that equation by training employees to be skeptical of links. Security personnel can conduct audits to provide training for users who click phishing links. This training can take the form of videos that show strategies to avoid phishing scams. “If you do it every quarter for a year, over time, that click rate drops down into the single digits,” says Al-Abdulla.
Learn more about how CDW’s security solutions and services can help you keep cyberattackers from damaging your IT operations.