Rural Healthcare Organizations Need Security Support
Healthcare access is already a challenge for rural communities across the country. The threat of a cyberattack is yet another immense weight for these independent health systems to juggle.
Many rural hospitals do not have effective cybersecurity controls in place. Implementing security controls to protect patient information is expensive, and organizations often incur even greater operating costs to properly maintain them.
Given that a great number of rural health systems are operating on tight margins, they often choose only one control or solution per fiscal year in the hopes that their selection is adequate or that they can go undetected by malicious actors. These tools may not be configured or deployed to their fullest extent. They also may not be holistic and — and may only be used to assuage the C-suite.
Along with budget issues, rural healthcare systems can also struggle with shoring up their security teams with enough personnel. Remote work has opened up access to more talent, but that also means an organization has to have adequate infrastructure to support a decentralized workforce.
A rural healthcare organization may have only one or two people to manage their entire IT system, not just security. That could mean that a generalist is filling a role that requires specialization to prevent the system from falling into the wrong hands.
EXAMINE: How rural healthcare systems can strengthen their resilience.
Are You Ready for Recovery? Why Backups Aren’t Enough
Amid an ever-evolving threat landscape, many healthcare organizations have made investments in more security personnel, modern security tools, backup systems and third-party support. But only a few have validated their entire recovery strategy, such as performing tabletop exercises for incident management or partial failovers.
Healthcare organizations can’t passively assume that their backup solutions are set. They need to be active in managing their backups and ensure that they’ll be able to restore operations correctly. Planning is one thing, but being able to execute is another.
Revisit your backup and recovery strategy, and practice performing a clean recovery, especially if your environment depends on Active Directory. If you don’t have a clean room environment, there are organizations that can help you do a full recovery to a clean environment so that you’re familiar with the experience should the need arise.
Many organizations do not collaborate regularly with their legal team or the incident responders listed under their cyber insurance panel, so they’re caught off guard during a cyber incident. They may also learn that their backup and recovery strategies proved ineffective or incomplete because the necessary tools were not fully deployed, developed or maintained. These actions are under an organization’s control.
READ MORE: How can healthcare organizations grow with smarter backup strategies?
Get familiar with the panel, understand who your incident responder is, and either advocate that your own incident responder be included on that panel or work with the current incident responder. Coordinating these efforts up front makes for a smoother incident response and recovery. The last thing you need is an incident responder arriving at your organization during a time of crisis who doesn’t know anything about your environment.
Next, make sure communication on security expectations and strategies is clear throughout the organization. That means clinical, administrative, IT and other departments are on the same page regarding the organization’s security approach.
Finally, there must be a clear budget established for cybersecurity and the technology program as a whole. That way, you clear metrics and measurements on current costs and potential year-over-year increases. An advantage to laying this out is that there’s an articulate profile on staffing and technology needs for effective security controls.
Here’s a quick checklist to remember:
- Plan for and implement an effective business continuity plan that accounts for critical technology being offline for four weeks or longer.
- Plan for and implement an equally rigorous recovery plan (this is not the same as the first point).
- Partner with an experienced cybersecurity organization well versed in healthcare to help with resources and the planning, selection, implementation and development of security solutions suitable for your environment.
Why Partnerships Are Critical for Stronger Security
The healthcare system is at risk, and individual systems will continue to be at risk so long as the perception and the reality of their security maturity remains low. A more security-mature organization has a clear and articulate vision of how to understand and protect its systems.
Perform a cybersecurity maturity assessment along with a HIPAA assessment to cover security and compliance needs. These assessments should work together to support what’s needed for your security program.
Engaging with an outside partner who can provide a baseline review of your environment can help healthcare organizations to address gaps in their security as they progress in their maturity posture.
A strong partnership can provide much-needed personnel to assist in the planning, championing and implementation of security initiatives, security operations center functions and data protection strategies, such as data leakage protection and cloud security controls.
This article is part of HealthTech’s MonITor blog series.