My three earlier posts in this series paint a pretty bleak picture of the healthcare industry: Despite the wide variety of compliance regulations on the books around the world, healthcare organizations remain particularly vulnerable to cyber attacks, and those attacks often have serious ramifications for both patients and the organization involved.
But wait! I have one more post to add. Today, I’ll reveal seven best practices that healthcare organizations are starting to implement that help them become far more resilient to cyber attacks, so they can prevent data breaches and avoid ever having to make a deal with the ransomware devil.
1. Get everyone on board.
Healthcare IT teams need to be on the front lines, but they can’t do it alone; healthcare cybersecurity needs to be a priority across the organization. In particular, the C-suite and board of directors play a vital role in setting the tone and culture of an organization, including its seriousness about healthcare data security. And of course, their support is critical to securing the necessary budget and headcount.
2. Assess your security posture.
Perform a comprehensive and enterprise-wide assessment of your current healthcare data management and security tools processes. To get started, use my earlier blog post to help identify the ways in which your organization is particularly vulnerable to cyber attacks, such as medical devices with unpatched operating systems and shared credentials. Also determine which compliance regulations and requirements you are subject to.
3. Develop an actionable cyber security strategy.
Develop thorough and detailed policies for improving your security posture, engaging external specialists if necessary. Make sure the governance measures you put in place enable you to achieve and prove compliance with HIPAA, HITECH, GDPR and any other applicable mandates. Here are some of the most important best practices to include:
- Migrate and consolidate systems as needed to reduce complexity and facilitate strong security practices.
- Specify which communication and collaboration systems are appropriately protected and therefore approved for use (and which are not). Consider using a whitelisting approach to maximize control.
- Keep systems up to date.
- Take regular backups and test them.
- Create policies governing the use of personal devices to connect to the healthcare network (BYOD). Best practices include enforcing security updates before giving access, requiring multifactor authentication, and ensuring IT can remotely wipe lost or stolen devices.
- Limit the reach of ransomware by enforcing the least-privilege principle.
- Encrypt all sensitive or confidential data in transit, in use and at rest.
- Tighten password policies to help prevent attackers from using stolen valid credentials, and avoid shared credentials.
- Ensure you can quickly revoke access to all healthcare systems when terminating an employee.
4. Perform cyber security awareness training regularly.
Written policies are a good start, but to truly improve data protection in healthcare, you need to ensure they become part of each user’s everyday practices. Security awareness training offers a structured approach for educating the workforce on current threats, red flags to look for in an email message or web link, how to avoid infection, and what to do in the case of an active exploit. Be sure to educate senior executives about whaling (CEO fraud). And remember that security training isn’t a one-off event; HIPAA requires ongoing security awareness training for a good reason.
5. Keep your eyes open.
Maintain strong hybrid Active Directory security and governance by continually assessing permissions, actively watching for suspicious behavior, quickly investigating incidents and immediately remediating unauthorized actions. Seeding your network with fake patient data can give early warning of the presence of malicious users or advanced persistent threats, and user behavior modeling can alert you to users who are starting to exhibit rogue behavior.
6. Automate your business continuity plan and test it.
Minimize your recovery time objective (RTO) by automating Active Directory forest recovery and other business continuity measures. Regularly test your ability to spot an attack, contain it and recover from its effects.
7. Invest in the right tools.
Strategies, policies, training and preparedness are essential aspects of a strong cyber security defense, but these human structures rely on having the right cyber security technologies in place. Quest has a long history of helping healthcare providers, hospitals and insurers migrate, consolidate, secure and manage critical IT systems like Active Directory (AD), Exchange and Office 365. See how our healthcare software solutions can help you keep health records safe, maintain compliance and reduce disruption of care.
Following these seven best practices will help you keep sensitive healthcare data safe and pass audits with far less effort and stress. For more information, be sure to read our white paper, “Protecting Data in the Healthcare Industry,” which explains:
- The various regulations and requirements that healthcare firms must comply with
- The realities and trends that are increasing the risk for healthcare organizations
- How data breaches impact healthcare organizations
- Best practices for cyber security defenses