Is your healthcare organization as secure as it can be? National Cybersecurity Awareness Month is upon us, and with recent cyberattacks like WannaCry and Petya proving that the healthcare industry needs to be more vigilant than ever against cyberthreats, it’s as good a time as any to take a look at the state of healthcare cybersecurity.
While there’s certainly room for improvement, the good news is that many healthcare organizations are taking a step in the right direction when it comes to shoring up cyberdefenses, according to the recently released 2017 HIMSS Cybersecurity Survey.
The yearly survey called on 126 healthcare professionals to provide insight “into what healthcare organizations are doing to protect their information and assets, in light of increasing cyber-attacks and compromises affecting the healthcare sector,” reads the report.
It found that 71 percent of organizations surveyed allocate a specific budget toward cybersecurity, and 80 percent of IT leaders employ a dedicated cybersecurity staff.
“Quality, stress-tested cybersecurity programs are imperative to protecting provider organizations and the patients they care for. This data is encouraging because it shows that many organizations are making security programs a priority; however, there is room for continued improvement,” says Rod Piechowski, HIMSS’ senior director for health information systems, in a press release.
Here are three key takeaways that can help healthcare organizations determine how to continue strengthening cyberdefenses.
1. Regular Penetration Tests Keep Cyberdefenses Strong
Knowing vulnerabilities is an essential part of building security systems and practices. This is where regular penetration testing can help. The test seeks to uncover vulnerabilities in information systems or individual system components, thereby allowing healthcare IT staff to test and patch security defenses before an intruder can do it for them.
“Penetration testing is a good way to test one’s cybersecurity defenses, incident response plans, awareness training, policies and procedures,” Lee Kim, director of privacy and security for HIMSS North America, says in a blog post.
In fact, the vast majority of healthcare organizations — 75 percent — regularly conduct penetration testing. But the tests aren’t simply limited to the cybersecurity systems themselves; they should extend to “administrative and physical safeguards,” according to the report.
“As an example, mock phishing exercises of workforce members (or even information security staff) can be conducted to determine how well (or poorly) these individuals perform. In another example, a mock cyber-attack can be launched to gauge how well (or poorly) a computer security incident response team responds,” the report recommends.
2. Cybersecurity Leadership Is a Top Priority
Leadership can play a key role in improving cybersecurity throughout an organization. Those with IT leadership or chief information security officers — 60 percent of organizations that responded to the survey — often adopt more holistic approaches to cybersecurity due to the leader’s deep knowledge and expertise on the subject, according to the report.
Moreover, IT leadership can help shape an organization’s information security program with an eye toward driving better cybersecurity practices throughout an organization, equipping it with the best tools, ensuring that cybersecurity best practices don’t get in the way of workflow and more.
For example, healthcare organizations with CISOs are better prepared for disasters. These organizations reported regularly testing their business continuity and disaster recovery plans at a higher rate (59 percent) than those without IT leadership (40 percent).
While this may have something to do with the resources at hand to put disaster recovery resources in place, organizations with CISOs also reported more frequent adoption of outside security frameworks, such as the NIST Cybersecurity Framework.
“Security frameworks help organizations build a comprehensive security program with guidance on how to identify and prioritize actions for reducing cybersecurity risk,” the report notes. “Many CISOs and other senior information security leaders know that HIPAA compliance alone is not enough and that adopting and implementing a robust security framework is a necessary prerequisite for having a robust security program.”
3. Give Medical Devices a Second Look for Security
Computer systems aren’t the only vulnerabilities in healthcare organizations these days.
“Many acute providers have life-sustaining or life-saving medical devices. Considering that many of these are Bluetooth-enabled connected devices, medical device security and patient safety are very much intertwined — so much so that a potential compromise on a medical device may lead to an adverse event,” said Kim in the HIMSS blog post.
So, what makes these devices vulnerable? According to the report:
Medical devices (just like unpatched and/or unsupported software, unpatched and/or unsupported operating systems, and misconfigurations) have the potential of being compromised by an attacker (with some medical devices being easier to infiltrate than others). Such (successfully) compromised devices can serve as a “pivot point” into an organization’s network environment. Furthermore, if an organization’s network is a “flat” network (which is not segmented), a malware infection could potentially spread to each and every vulnerable system on the network.
By keeping these devices in mind as a potential area of attack, employing regular penetration testing and promoting a holistic approach to cybersecurity across the organization, IT staff can help keep these devices safe as well.