IBM predicted 2015 to be the year of healthcare breaches. In IBM’s 2016 Cyber Security Intelligence Index, it appears the prophecy came true, with the healthcare industry shooting to the top of the list of industries experiencing successful cyberattacks in 2015. Two key takeaways from the report include that cybercriminals used a known vulnerability, Shellshock, to penetrate healthcare organizations’ IT infrastructure, and that insiders continue to be one of the most significant threats to cybersecurity.
Employee training is not enough. Building a robust cybersecurity program is also not enough. Healthcare organizations need to make sure they have sound cybersecurity programs, train their employees, and make sure when a vulnerability is discovered it is promptly mitigated. Ongoing risk management is essential. You can have the best security program around and the best staff training at your fingertips; if you don’t pay attention to new threats and vulnerabilities, all your effort will have been for naught.
Before embarking on the journey to build a more robust cybersecurity program, you need to prioritize your business objectives and set your risk tolerance. The lower your risk tolerance, the stronger the cybersecurity program needs to be. In the end it amounts to striking a balance between protecting data assets and making sure the business of healthcare is not hindered: you need to protect your assets, and you need to continue to conduct business. There is no such thing as risk-free security, so you need to determine what you would consider reasonably secure given the nature of your business, the needs of your customers and patients, and your aversion to risk.
You need to implement a proactive security plan. The program you build is only as strong as your staff's awareness that it exists and of what it requires of them. The plan is also only as strong as your awareness of the current threats, both when you begin security planning and as it continues. In the end, this amounts to making sure that your CISO or security officer is paying attention to the threat landscape and taking action when threats and vulnerabilities are identified. It is critical to make sure your workforce is adequately trained, that you have a seasoned information security professional at the helm of your program, and that you understand that training and awareness are not a one-time event.
Breaches are inevitable. They will happen. No matter the strength of your program, sophisticated hackers and careless employees can and will wreak havoc at some point. You need to prepare for the worst-case scenario. That means you need to build a strong security incident response plan, test that plan, train your incident response team, and make sure your business continuity plan is ready to go in case a cyber event shuts down your ability to do business. The team needs to be prepared to respond 24/7, because you can never tell when the attack will occur. If you have a solid plan, a trained team, and response resources lined up, such as knowing in advance which vendor you would turn to if you need assistance with forensic analysis, you are well on your way to being in a position to respond to an incident quickly and minimize your risk through rapid mitigation.
Advanced persistent threats continue to evolve, and healthcare data has significant value to hackers. Lack of advance preparation is akin to living in a high-crime neighborhood, leaving your laptop in your car in plain sight, and leaving your car unlocked: there is a high likelihood that your laptop and maybe even your car will be stolen. Lock the door and put up the barriers before someone breaks in, and if they really want to break in, make them work for it so you have an opportunity to catch them before they get to your data.
To further strengthen your cybersecurity program, you need to do more than just train staff. You need to promote and support a culture of security awareness. It only takes one employee to click on a malicious link or open an email infected with malicious code. Every employee must work in partnership with your security team. If they don’t, those policies and procedures you rolled out and the security infrastructure you’ve built will fail to keep the hackers out. Your employees need to know what risks face your organization, and you can make it personal—communicate what can happen if employees are targeted personally.
That culture of security awareness needs to really hit home with everyone in your organization.