The pursuit of absolute cybersecurity is a never-ending, constantly evolving challenge, and few industries are more at risk than healthcare.
Over the past 10 years, the landscape of cybersecurity threats has changed dramatically. The attacks we are monitoring today no longer come from rebellious individuals looking to make statements in the hopes of disrupting our lives. Rather, they come from sophisticated actors hoping to take down entire companies or networks and to profit from it.
In 2020, at least 560 healthcare facilities were impacted by 80 separate cybersecurity attacks, according to Emsisoft, and healthcare was ranked as the second most frequently targeted industry by multiple studies. All of this means it is more important than ever to adopt best practices and procedures designed to increase your organization’s ability to identify and block ransomware attacks and other cybersecurity threats.
How much security is enough security? That depends on your data assets, whether they are being transmitted, and whether or not your organization is a high-value target. Given the high value of healthcare data and its attractiveness to hacker groups, large hospitals and their software partners must take the necessary actions to guarantee its protection and ensure operational integrity.
Conducting smart risk assessments and understanding how valuable an organization is as a target helps to determine the level of security that is necessary. Here are five best practices Prodigo Solutions recommends healthcare systems seek from their data service providers:
Encryption and multi-factor authentication: Data encryption and multi-factor authentication are no longer optional. In healthcare, these are the baseline for an effective cybersecurity strategy.
Conduct weekly security scans: At least once a week, conduct a scan of your network to understand the types of attacks and the volume of attempts. Although not common practice, it’s important to understand your risk vectors so you can implement adequate protection.
Consider Single Sign-On (SSO): SSO is an authentication method that allows users to access multiple domains and applications using a single set of login credentials. There are several mechanisms for SSO, including the use of smart cards and other industry security protocols. In simple terms, when a user signs in to an SSO service, the service creates encrypted authentication tokens for the user, which provide a solid defense against several attack vectors such as phishing (a form of a man-in-the-middle attack). Prodigo, a FedRAMP certified organization, is adept at integrating with several SSO back-office infrastructures and has observed a rapid trend towards the adoption of SSO services across the healthcare industry.
Conduct an annual failover exercise: Failover is the ability to switch automatically to a reliable backup system with the same security posture when a component or primary system fails due to a cyberattack or other disaster. A standby database, system, server, or other hardware or networking component must always stand ready to switch into action automatically. You must test your Disaster Recovery Plan to ensure that the backup system can handle all regular operations without any loss of data or added security risk. Ideally, this test should last several days. At Prodigo, we conduct this test for two weeks every year.
Keep client data partitioned: We recommend that third-party providers partition data in private exchanges – not co-mingled or housed on a single exchange which represents a single point of failure. That way, if one environment is breached, it can quickly be isolated – minimizing the impact to other environments and mitigating the threat.
Cybersecurity threats constantly change and evolve. Regardless of an organization’s preparedness today, you can rest assured it will be inadequate at some point in the future. It is critical to have partners in your supply chain with high-level expertise, who understand the changing landscape of security, while remembering that your security risk level correlates directly to the weakest link in the chain.
We recognize that all these recommendations require time and expertise and cost money – and that’s exactly the point. It is difficult to put a dollar value on all the steps that must be taken every day to keep healthcare data safe. These preventative investments pale in comparison to the actual costs of data loss, the risk to your reputation and the legal ramifications in cases where you did not do enough to protect your assets.