The next step is to test users by sending out simulated phishing attempts so that they recognize the warning signs of malicious email messages. Publishing the results of these simulations can further users’ understanding and awareness.
Get Help from Security Experts
Given the size of the cybersecurity obstacles they face and the comprehensive approach required to meet the challenge, it’s no wonder that many small organizations turn to outside assistance and resources to support their security strategy. In fact, some organizations rely on a partner to create the strategy for them. To make the best use of third-party vendors, IT leaders should consider several key factors of their security posture (each should have a corresponding policy or procedure that is reviewed at least once a year):
- Are the operating systems for core devices — firewalls, routers, switches, spam filters, web filters, computers and printers — still supported? If not, IT staff should create a plan to replace these devices.
- Does the organization have a patching plan? Many cybercriminals take advantage of unpatched and unsupported devices.
- What is the backup plan? There’s nothing worse than receiving a ransomware demand and then finding that the offsite backup has failed. Backups should be tested regularly, including a full restore.
- Is the anti-virus solution updated with the latest virus definitions? Hardware should be checked monthly to ensure that anti-virus tools are updated regularly. Users should be unable to disable anti-virus on their machines.
- What is the password policy? Does it include a minimum of eight complex characters? Are users required to change their passwords regularly? Are administrator credentials limited and separate from common user credentials? Are printers protected by complex passwords?
- Does the organization deploy role-based security? Users should have access to only the tools and data they need to do their jobs. Supervisors should be aware of what users have access to, and the access should be reviewed annually or when a change of title or position occurs.
- Do third-party vendors have access to systems? If so, what is known about these partners? What are their security practices? Have they experienced a data breach? Smart IT leaders will develop a third-party questionnaire that partners must fill out annually.
- Has a risk assessment been conducted by an outside partner? Has the organization acted on the findings? Does it conduct vulnerability assessments or penetration tests to find security weaknesses?
- What is the organization’s mobile strategy? Are devices encrypted? Is BYOD allowed?
- Does the organization have an incident response plan? Does it cover all departments, escalation paths and how to reach outside assistance? Has it been tested? In the middle of an incident, this information is difficult to obtain.
- Does the organization have adequate cyber insurance? Do its business partners? Savvy IT leaders review their contracts routinely and include language that requires cyber insurance in all new deals.
- Does the organization regularly review its logs for anomalies?
Cybersecurity is an enormous uphill climb that never ends. While the IT department is an instrumental asset in making this ascent, the entire organization must be proactive to protect healthcare data. By embedding education, communication and adoption into the daily routine, senior care organizations will establish the foundation upon which a robust security system can be built.