10 steps to help create a cybersecurity culture in healthcare

Consider these best practices for end-to-end healthcare security

by Steven Mitchell, Vice President of Global Business, AT&T Healthcare Solutions

According to a 2016 annual survey by Modern Healthcare, 81 percent of healthcare CEOs expected cybersecurity threats against their organizations to increase in the coming year.

Most of those CEOs planned “considerable” or “some” budget increases to combat those threats. But money, scarce as it is, won’t reduce vulnerabilities on its own.

Leadership from the top is a critical factor if security investments are to truly reduce risks. Executives interviewed for a 2017 healthcare cybersecurity handbook for CEOs all agreed that, for security to become an urgent priority among doctors and staff, leaders must demonstrate that urgency from the top.

An end-to-end security approach must be implemented and then publicly championed by both the board and executive leadership. When that happens, “It rolls downhill very well and people across the hospital are willing to listen,” says Garden City Hospital’s Christopher Allman.

Rich Miller, President and CEO of Marlton, N.J.-based Virtua, agrees.

“We have 9,000 employees. In an organization this size, the journey to cybersecurity has to start with the CEO. I can’t be afraid to go out and discuss the issue with employees and physicians,” says Miller.

In tight economic times, nothing says you’re serious like a significant and touted reallocation of budget. “The way you allocate resources is an indication of what your belief system is,” says Ronald A. Paulus, MD, the physician-CEO at Mission Health.

Hospitals have had more than a century to develop and implement, with their physicians and staff, the basic protocols to prevent the spread of germs. Now, they face a different sort of dangerous infection. They’re operating in a cyber hot zone.

Doctors can be trained for this sort of battle, but need to understand the pervasive nature of the threat. From understanding, training, investment and leadership come effective change.

To help create a culture of cybersecurity, healthcare organizations should consider the following steps:

1. Conduct a holistic third-party audit

First, understand the system you’re protecting, and expose its vulnerabilities. This requires an independently drawn picture of your security state, including devices, permissions, network architecture and security practices. This is required for HIPAA compliance, but HIPAA compliance – designed to protect privacy – isn’t enough.

2. Use your tools

As one CEO put it, hospitals are basically information systems. Every intelligent device will eventually become connected, so use your network and security tools (routers, switches, firewalls, anti-malware, etc.) to quickly identify attacks, control data flow, and mitigate and control disruptions.

3. Protect your endpoints

From phones to laptops to desktops to connected medical devices, everything must be included in a defense plan.

4. Structure and segregate your data access

Implement robust encryption and authentication technology and protocols, and isolate medical devices, which may run outdated operating systems or security technology.

5. Deploy user-behavior analytics

Is a doctor – at the hospital yesterday – trying to access data from Russia today? It may not be the doctor.

6. Analyze inbound and outbound traffic

Traffic data can identify and stop attacks whose fingerprints have already been identified elsewhere. A global analytics model helps find threats that are directed toward, or even coming from, your hospital.

7. Test the system regularly for vulnerabilities

This includes mock phishing exercises, penetration testing, social engineering, vulnerability scanning and other proactive tests.

8. Train your people

A strong security culture starts at the top. Training must be systematic and relevant. Make it a repeating fact of work life.

9. Manage your vendors and associates

They can be a key weak point, and you may be liable.

10. Create your breach response plan

Statistics say your network will be – or has been – breached. Actions taken after identifying the breach determine and limit the extent of the harm.
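The check behind step 5 (a doctor on-site yesterday, logging in from Russia today), as an added example that is not part of this article: a small Python detector run over constructed, already-geolocated login records. It flags a login from a country never seen before for that user and a login that would have required travelling faster than an assumed 900 km/h from the previous one; the records, user names, IP addresses and threshold are all constructed.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_PLAUSIBLE_KMH = 900.0  # assumed threshold: faster than a commercial flight

# Constructed sample authentication events, already geolocated (assumption:
# a GeoIP step upstream resolved each source IP to a country and coordinates).
# Fields: timestamp (UTC), user, source IP, country, latitude, longitude.
SAMPLE_LOGINS = [
    ("2017-03-01T07:50:00", "nurse.kim", "10.20.4.9",    "US", 42.33, -83.04),
    ("2017-03-01T18:30:00", "nurse.kim", "203.0.113.44", "US", 41.88, -87.63),
    ("2017-03-01T22:10:00", "dr.jones",  "10.20.1.15",   "US", 42.33, -83.04),
    ("2017-03-02T05:40:00", "dr.jones",  "198.51.100.7", "RU", 55.75,  37.62),
]

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_anomalies(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return alerts as (user, timestamp, [reasons]). Events must be in time order.
    Two signals: the user logs in from a country never seen for them before
    (baseline built from the earlier events), or the distance from their
    previous login would require travelling faster than max_kmh."""
    last_seen = {}   # user -> (datetime, lat, lon) of the previous login
    countries = {}   # user -> set of countries seen so far (the baseline)
    alerts = []
    for ts, user, _ip, country, lat, lon in events:
        when = datetime.fromisoformat(ts)
        reasons = []
        if user in countries and country not in countries[user]:
            reasons.append("new_country")
        if user in last_seen:
            prev_when, plat, plon = last_seen[user]
            hours = (when - prev_when).total_seconds() / 3600
            dist = haversine_km(plat, plon, lat, lon)
            # A non-positive gap (clock skew, duplicate record) with a real
            # distance is treated as impossible rather than dividing by zero.
            if dist > 0 and (hours <= 0 or dist / hours > max_kmh):
                reasons.append("impossible_travel")
        if reasons:
            alerts.append((user, ts, reasons))
        countries.setdefault(user, set()).add(country)
        last_seen[user] = (when, lat, lon)
    return alerts

if __name__ == "__main__":
    for user, ts, reasons in detect_anomalies(SAMPLE_LOGINS):
        print(f"ALERT {ts} {user}: {', '.join(reasons)}")
```

In production the baseline would come from weeks of history and the country/coordinate fields from a GeoIP lookup; the thresholds are a starting point, not a standard.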