Healthcare Organizations Can Protect Themselves Using Security Best Practices
Healthcare organizations can stay informed about the latest threats by joining a healthcare-focused information sharing organization, such as the Health Information Sharing and Analysis Center (H-ISAC), says John Shier, senior security adviser at U.K.-based IT security company Sophos.
These organizations rely heavily on their IT systems for a variety of administrative and clinical functions, and because of that, they cannot weather prolonged downtime, Shier says.
“Healthcare organizations can protect themselves from ransomware attacks through best practices like reliable backups, prioritizing patching and developing an incident response plan for ransomware attacks,” he adds. “They should also ensure any critical care systems are segregated and disconnected from the corporate network.”
Joseph Carson, chief security scientist and advisory CISO at cloud security company ThycoticCentrify, says healthcare organizations are prime targets due to the amount of sensitive personally identifiable information they collect and store, as well as the large number of connected devices typically integrated into their respective networks.
He points to several key practices that can better prepare healthcare organizations to mitigate the risks of ransomware incidents, such as creating a culture of awareness among healthcare staff, educating them on the use of strong passwords and multifactor authentication, and incorporating a robust privileged access solution.
Avoiding Security Mistakes Minimizes Ransomware Risk
A significant percentage of healthcare organizations still regularly use outdated operating systems or fail to update firmware on connected medical devices, Carson adds. This creates another massive vulnerability, leaving the door wide open for bad actors to penetrate a health organization’s network undeterred.
Healthcare organizations can minimize this risk by patching all connected devices whenever an update is available and by making sure every device on their network runs the latest version of its operating system.
“I think one of the biggest mistakes a healthcare security professional can make is to assume that other personnel and staff have the same understanding of good cyber hygiene that they do,” Carson says.
He adds that, by assuming everyone is a potential walking vulnerability, security teams can better implement proactive measures and educational programs to keep staff — especially those with privileged-access credentials — aware of various security risks that can happen at any time.
“Until education, awareness and technological implementation universally render existing ransomware strategies obsolete, we’ll continue to see things like spear phishing, targeted attacks, ransomware as a service, and social engineering as bad actors’ weapons of choice,” Carson says.