As business operations continue to grow more complex and the sheer volume of devices connected to the internet continues to rise, many healthcare leaders are waking up to a new reality. Over the last decade, new risks to data have come to pose an even greater risk to the long-term survivability of healthcare entities and the patients they care for.
Many healthcare leaders are dealing with so many challenges on so many fronts that it's not hard to see why cybersecurity would be among the areas that receive so little attention. Cybersecurity is an obscure topic in general, and it can be easier to let one's guard down than to take on this challenge with a greater awareness of risk. Ask any of the hospitals or practices that have experienced a data breach or been fined by the OCR due to lax security practices how important it is to maintain good security hygiene.
In January 2018, Hancock Regional Hospital's computer network was under attack. Its staff watched helplessly as a type of malicious software called 'ransomware' infected the hospital's network and shut it down. Here is a short clip from the interview on CBS' 60 Minutes.
Far too many providers are waiting until a crisis happens to address what may be their greatest unseen risk. Many are betting that if they have survived this long without a major catastrophic incident, then it's a risk worth taking. Good data security, like insurance, is an investment toward risk reduction, and there is no shortage of risks to operating a healthcare entity. Good security hygiene is a combination of mature ongoing IT management practices paired with specific security and compliance activities.
Basic Security Hygiene:
IT Management:
- Updated Operating Systems
- Updated Business Grade Hardware
- Endpoint and Network Infrastructure Virus Protection
- Patching Updates for all Operating System Software
- End of Life Asset Management
- Business Disaster/Data Recovery
- Documentation: Policies, Standards, & Procedures
- Mobile Device Management
- Updated and Reviewed Documentation: Standards, Policies, and Procedures
Security/Compliance Specific Activities:
- Security Risk Assessments (with risk management plan and gap remediation)
- Monthly Vulnerability Test
- Quarterly Penetration Testing
- Intrusion Detection, Monitoring, Threat Detection, and Remediation
- 3rd Party Vendor Risk Management
- Regular Cybersecurity Awareness Training
- Log File Management
Not every cybersecurity threat can or will be prevented. However, if an organization can demonstrate that it has taken the appropriate measures to secure protected health information, then it will be in a far better place to survive this new era of threats. If you're trying to manage IT security and you find yourself in need of further assistance with ongoing IT management and security, the team at Mandry Technology has demonstrated effectiveness by having met the highest standards of security practices verified through SSAE18, which only 5% of IT management companies in the world have been able to obtain.