Healthcare organizations have been fighting the good fight against cybercrime for many years. But they still need to up their game. As such, they need to take the following steps as they more proactively deal with cybersecurity threats:
Address the basics
“To start, leaders need to look at the big picture and identify where the gaps are in their security programs. Risk assessments need to be regularly conducted. Policies and procedures need to be implemented and regularly refreshed. Security awareness training must occur with all staff. Data should be encrypted at rest and in motion. Data also needs to be securely disposed of. Anti-virus solutions need to be implemented with the latest definitions. Operating systems and applications must be kept up to date. Firewalls must be properly configured. These are examples of basic practices that need to happen,” said Lee Kim, Director of Privacy & Security for HIMSS. “Once you have built a solid foundation, look for advanced tools to help strengthen the foundation,” she said.
“For example, does your security information and event management tool need to be updated or the associated intelligence feeds? Do your systems automatically lock the sessions if users walk away from them? Do you need to revamp your security metrics to determine if you are realizing an adequate return on investment for the tools and training that you do have in place? Are your business continuity and disaster recovery plans regularly tested and updated? If not, your organization needs to invest in advanced tools to help fortify your security program,” Kim said.
Consider insider threats
IT professionals often focus on what is happening outside of their organizations as they seek to stop bad actors from infiltrating their systems. Unfortunately, insider threats are just as real. “Employees and any third party with physical or virtual access to systems could be a threat,” Kim pointed out. “So, it’s important to ensure that they are not misusing your systems or, worse yet, planting that seed that could endanger your data.”
Secure data at the firmware level
“At the very basic level, machines generally run on some kind of firmware such as BIOS (Basic Input Output System). Think of this firmware as a primitive brain for the computer,” Kim said. “If that primitive brain is somehow compromised, then that is certainly a problem. Once cybercriminals get to the brains of the machine, they pretty much get everything because any security controls at the application or operating system level can be evaded — if that firmware has been compromised with malicious code. In such a case, hard drives may be replaced and systems may be reimaged, but the malicious code still lives on within the firmware.”
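The persistence point Kim describes, that reimaging the OS leaves compromised firmware in place and that OS-level controls cannot be trusted to notice it, can be checked only from a measurement taken below the operating system. The following is an added example (not code from the article or from HIMSS) that models a fleet firmware-baseline check: each host report carries a boot-time firmware digest (standing in for a measured-boot value such as a TPM PCR) and an OS image digest; the check compares both against known-good values and refuses to let an in-OS agent's "clean" verdict override a firmware mismatch. All host records, model names and digests are constructed for the example.

```python
"""Firmware baseline check (added example, not from the article).

Demonstrates why firmware integrity has to be verified from a measurement
taken before the OS loads: reimaging resets the OS image but not the
firmware, and an OS-level agent running on compromised firmware cannot be
trusted to report the compromise. All data below is constructed.
"""
import hashlib
from dataclasses import dataclass

# Constructed golden values. In practice these come from the vendor's signed
# firmware release and the organization's approved OS build, not from hosts.
GOLDEN_FIRMWARE = {
    "VendorX-Model1": hashlib.sha256(b"fw-1.2.3-signed").hexdigest(),
}
GOLDEN_OS_IMAGE = hashlib.sha256(b"corp-os-build-2024.04").hexdigest()


@dataclass
class HostReport:
    hostname: str
    model: str
    firmware_digest: str     # measured at boot, before the OS is loaded
    os_image_digest: str     # digest of the OS image deployed on disk
    agent_says_clean: bool   # verdict of the security agent running inside the OS


def assess(report, firmware_baseline=GOLDEN_FIRMWARE, os_baseline=GOLDEN_OS_IMAGE):
    """Return a list of findings for one host; an empty list means the host matches baseline."""
    findings = []
    expected_fw = firmware_baseline.get(report.model)
    if expected_fw is None:
        findings.append("unknown-model")          # nothing to compare against
    elif report.firmware_digest != expected_fw:
        findings.append("firmware-mismatch")      # firmware differs from the vendor release
    if report.os_image_digest != os_baseline:
        findings.append("os-image-drift")         # OS no longer matches the approved build
    # A "clean" verdict from software running on top of mismatched firmware is
    # not evidence of anything: the firmware could be hiding from that agent.
    if "firmware-mismatch" in findings and report.agent_says_clean:
        findings.append("agent-verdict-untrusted")
    return findings


def reimage(report):
    """Simulate an OS reimage: the disk gets the golden image, the firmware is untouched."""
    return HostReport(
        hostname=report.hostname,
        model=report.model,
        firmware_digest=report.firmware_digest,   # reimaging never rewrites firmware
        os_image_digest=GOLDEN_OS_IMAGE,
        agent_says_clean=True,                    # fresh agent on a fresh OS reports clean
    )


# Constructed sample hosts: one matching baseline, one with altered firmware
# and a drifted OS image whose in-OS agent nonetheless reports clean.
CLEAN_HOST = HostReport(
    "ws-01", "VendorX-Model1",
    GOLDEN_FIRMWARE["VendorX-Model1"], GOLDEN_OS_IMAGE, True,
)
TAMPERED_HOST = HostReport(
    "ws-02", "VendorX-Model1",
    hashlib.sha256(b"fw-1.2.3-altered").hexdigest(),
    hashlib.sha256(b"unapproved-build").hexdigest(), True,
)


def fleet_summary(hosts):
    """Map hostname -> findings, for the hosts given."""
    return {h.hostname: assess(h) for h in hosts}


if __name__ == "__main__":
    for name, findings in fleet_summary([CLEAN_HOST, TAMPERED_HOST]).items():
        print(name, findings or "baseline")
    # After reimaging, the OS drift disappears but the firmware finding remains.
    print("ws-02 after reimage", assess(reimage(TAMPERED_HOST)))
```

Running the module shows the tampered host keeping its `firmware-mismatch` finding after `reimage()` even though its OS image now matches the golden build, which is the situation the quote describes. The design choice worth noting is that `assess()` takes the firmware digest as an input from a boot-time measurement rather than asking the OS to compute it; on real hardware that value would come from a TPM quote or a vendor attestation service, which this example does not implement.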
Pay attention to procurement
Because computers and printers can introduce security vulnerabilities, it’s important to consider security when purchasing such devices. “Procurement is very important,” she noted. “Before you even have a contract, you need to carefully select and vet the vendors. Talk with your IT security department and work with them on a security due diligence questionnaire for vendors to complete. Be sure to follow up with vendors — you want to ensure that there are appropriate safeguards in place as well as transparency.”