By FHP on Dec 4, 2017 1:15:36 PM
In our Internet-connected world, reports of major data breaches and cyber-attacks affecting large organizations are becoming increasingly commonplace. And although cyber-attacks are occurring more frequently across nearly all industries, the healthcare industry is of particular interest to cyber criminals thanks to the large amounts of sensitive, electronically stored information found on EHR and billing systems and healthcare computer networks.
ITEMS COVERED IN THIS ARTICLE:
- Cybersecurity awareness and training
- Password security
- Device security
THE WEAKEST LINK:
Most healthcare organizations have taken steps to reduce their risks and protect themselves against cyber-attacks by using advanced monitoring software, penetration testing, network security, information backups and other high-tech cybersecurity measures. However, many healthcare organizations are forgetting to address their weakest IT link: their employees.
According to the 2016-17 Global Information Security Survey conducted by EY, 73 percent of respondents were “concerned about poor user awareness and behavior around mobile devices.” In the healthcare environment, “poor user awareness and behavior” can translate into disastrous mistakes that put the highly sensitive personal information of patients at risk, damage the organization’s reputation and cost thousands—if not millions—of dollars.
And the thought of all that sensitive data accessed each day by employees—combined with the threat of increasingly sophisticated SQL injection attacks, phishing schemes and malware, such as viruses or ransomware—is enough to keep even the most conscientious healthcare IT administrator awake at night. Fortunately, there are a few low-tech, easy-to-implement ways to shore up cybersecurity, improve staff awareness and reduce your organization’s risk of cyber-attack:
1. Cybersecurity awareness and training
Cybersecurity awareness training is a great way to communicate your organization’s cybersecurity policies to your staff. It also is an ideal time to answer staff questions, introduce new initiatives and discuss topics such as mobile device management, data storage, encryption, incident response plans, reporting of suspicious incidents and the latest cybersecurity threats.
But cybersecurity awareness training is about more than just sharing information and boosting awareness. Providing periodic, mandatory cybersecurity awareness training creates a pro-cybersecurity culture and communicates the message that your healthcare organization is serious about protecting patient information.
You should conduct mandatory cybersecurity training at least once a year, and all new staff members should be required to take the training within a month of hire. Many healthcare organizations also provide cybersecurity training in conjunction with technology upgrades or in response to a cybersecurity incident. Employees also should be required to sign a document affirming that they participated in the training and understand the policies—and compliance with those policies should be strictly enforced.
2. Password security
Your healthcare organization should have a robust password policy that conforms to industry guidelines, such as those issued by the National Institute of Standards and Technology (NIST)—and your password policy should be enforced using technology. Users should not be permitted to reuse the same password on multiple systems, share passwords or store the password anywhere other than an encrypted flash drive or password manager for which you have the encryption key.
Because many phishing schemes rely on emails from a fictitious “tech support” department asking for usernames and passwords, your organization should train staff members to never provide their password to anyone and to report suspicious emails or phone calls immediately. As password guidelines evolve and change to keep pace with the increasing sophistication of cyber criminals, you should be sure that your organization’s password policy changes, too.
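As an added illustration, not code from this article or from First Healthcare Products, the block below shows what "enforced using technology" can look like for a NIST SP 800-63B style policy: a minimum length, no composition rules, a blocklist of common or compromised passwords, rejection of context-specific words (the user's name, the organization's name), and a salted history check against previously used passwords on the same system. The blocklist, user and organization names, and the salt are constructed for the example; cross-system reuse cannot be detected locally and still relies on the training and password-manager guidance above.

```python
# Added example: a NIST SP 800-63B style password-policy check.
# Not First Healthcare Products' code; sample values are constructed.
import hashlib
import unicodedata

# Constructed stand-in for a large "commonly used / compromised" list.
BLOCKLIST = {"password", "password1", "welcome123", "hospital2017", "qwerty123"}

MIN_LEN = 8    # 800-63B: at least 8 characters for user-chosen secrets
MAX_LEN = 64   # 800-63B: accept at least 64 characters, impose no composition rules


def normalize(secret: str) -> str:
    """Apply Unicode NFKC so visually identical inputs compare equally."""
    return unicodedata.normalize("NFKC", secret)


def check_password(candidate: str, username: str, org_name: str) -> tuple:
    """Return (accepted, reason); reason is empty when the password is accepted."""
    pw = normalize(candidate)
    if len(pw) < MIN_LEN:
        return False, "too short (minimum %d characters)" % MIN_LEN
    if len(pw) > MAX_LEN:
        return False, "too long (maximum %d characters)" % MAX_LEN
    lowered = pw.lower()
    if lowered in BLOCKLIST:
        return False, "password appears on the blocked/compromised list"
    # Context-specific words: the user's own login name and the organization name.
    for ctx in (username, org_name):
        if ctx and ctx.lower() in lowered:
            return False, "password contains the user or organization name"
    return True, ""


def pbkdf2(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest, used here only for the history check."""
    return hashlib.pbkdf2_hmac("sha256", normalize(secret).encode(), salt, 100_000)


def is_reused(candidate: str, history: list) -> bool:
    """True if candidate matches any (salt, digest) pair in the user's history."""
    return any(pbkdf2(candidate, salt) == digest for salt, digest in history)


if __name__ == "__main__":
    salt = b"constructed-salt"                      # constructed; use a random salt per entry
    history = [(salt, pbkdf2("OldPass-2016", salt))]  # constructed prior password
    print(check_password("Password1", "jsmith", "FHP"))
    print(check_password("correct horse battery staple", "jsmith", "FHP"))
    print(is_reused("OldPass-2016", history), is_reused("NewPass-2017", history))
```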
3. Device security
Although mobile devices enable healthcare staff to provide more efficient in-room patient care and promote accurate, up-to-the-minute recordkeeping from virtually any location, they also present cybersecurity challenges. In addition to configuring mobile devices securely, using authentication/encryption protocols and following other standard security recommendations, your IT staff should provide your healthcare team with physical security safeguards that reduce the chances of unauthorized access and prevent the device from being stolen.
Your organization’s policies should prohibit mobile devices—including tablets, laptops, smartphones and flash drives containing data—from being left unattended in public areas unless they are secured to a surface and properly logged off. A laptop cart with a lock, such as First Healthcare Products’ Four Post Laptop Cart, is a great way to combine portability, functionality and physical device security for laptops. Because it is especially important to maintain security of devices while they are charging, your organization may want to consider a locked cabinet that holds multiple devices, such as this Kensington charging security cabinet from First Healthcare Products.
There also have been reports of data breaches caused by devices with confidential data being stolen from parked cars or forgotten in public places. Because your organization likely will not be able to completely mitigate these risks through policies and procedures that address physical device security, you might want to consider giving staff members “clean” devices that are free of confidential data for use outside your facility or when traveling.
Although cybersecurity is a growing concern for healthcare organizations, strong policies, comprehensive training and appropriate device-management tools can reduce your organization’s risk of an employee-related data breach. First Healthcare Products offers device security consulting support and several staff-friendly, easy-to-use device security products to meet your cybersecurity needs. To find the perfect fit for you, contact one of our representatives at 1-800-854-8304.