Safeguarding Your Healthcare Organization From Cyberthreats
Risks associated with cybercrime are on the rise. Globally across industries, cybercrime is poised to cost a total of $5.2 trillion in lost value over a five-year span. According to Pratt's Privacy & Cybersecurity Law Report, more than 20 U.S. hospitals and healthcare organizations have reported their data being held hostage by ransomware during the pandemic. Federal agencies have predicted that hundreds more are at risk for cyberattacks. In fact, security experts describe the recent assault on the U.S. healthcare system as the most significant cybersecurity threat ever seen in our nation.
While state-of-the-art software and cybersecurity protections can mitigate cyberthreats, proactive security requires a sustainable, holistic strategy. It’s not enough to periodically sweep for threats. Everyone at your organization must be alert and prepared to report suspicious activity.
The more individuals work together to support safe cybersecurity practices, the stronger your organization will become. Here’s how to protect your healthcare organization from cybercrimes and threats.
Minimize the risk of cyberthreats by implementing basic cyber-hygiene practices, which are security practices that proactively promote the health of computers, other hardware and software, says Gina Sharp, Cybersecurity Lead at Booz Allen Hamilton and Chief Information Security Officer at the Black Cybersecurity Association. The process includes running vulnerability assessments, analyzing the results, determining threat levels and making suggestions for cybersecurity moving forward. Organizations like the Center for Internet Security provide baseline practices you can follow.
Educate the workforce on data that could be stolen and how a breach could affect them. With a baseline proficiency of how to comply with IT’s security standards, employees are more likely to buy into cybersecurity policies and practices, says Tarek Sadaawi, Director of the Center of Information Networking at The City College of New York. Policies might include protocols outlining what employees can or can’t post on their personal social media or rules regarding device and software updates.
Responsibility for maintaining cybersecurity can’t fall exclusively on security or IT. Everyone is responsible for safe practices. An employee might click on a suspicious link or fall prey to phishing, for instance, giving hackers a foothold inside your organizational systems. “The weakest point tends to be the users: us,” Sadaawi says. “Training and awareness should be happening at all different levels.”
If you want to combat cyberthreats, education is essential. “Train employees to see that this is for their personal protection,” Sharp says. “Allow employees to be part of the solution, not the problem.” Make sure employees know what to look for and that they can report suspicious emails to security. Cultivate a sense of openness around cybersecurity conversations. If an employee does click on a suspicious link, it’s much better to inform security and minimize the damage than to hide their actions for fear of repercussions.
Communication is vital to cybersecurity. Establish several lines of communication between major departments and stakeholders. IT and security, for instance, have to work together to protect your organization. Traditionally, these departments have been siloed, but an open line of communication helps both functions stay alert and react quickly to threats.
IT and security departments should also have a line of communication with leadership. “Many companies have an IT security professional in place so they can advise the board on threats and what they can be doing to manage them,” says Mary Ellen Seale, Founder and CEO at the National Cybersecurity Society. “Alert them that this is what we need to do as an organization.” Representatives can participate in leadership meetings to keep management informed and make suggestions regarding future actions.
Finally, broader communication with industry leaders outside of your organization lays the groundwork for more robust security practices. Consider joining an information sharing and analysis organization for your industry, Seale suggests. You’ll be alerted to industry-specific threats and be able to contribute to industry cybersecurity standards
You can’t cultivate cybersecurity and awareness from a silo. Everyone at your healthcare organization must understand the risks and follow best practices for mitigating those risks. When everyone understands their role in reporting and overcoming cyberthreats, your security efforts become much more robust and effective.