The headline of this recent Security Magazine article succinctly sums up the seriousness of the new threats facing healthcare IT organizations everywhere: “Healthcare Industry Spending More on Security But Not Ready for Cyber Attack.”
The 2015 KPMG Healthcare Cybersecurity Survey found that only 66% of executives at health plans, and 53% of healthcare providers, believed they were prepared to handle an attempted hack.
So here are a few suggestions we offer to help your healthcare organization defend your network and ePHI against the increasing threat of cyber attacks. This is not a complete list, of course, but implementing these best practices can go a long way toward hardening your company’s data defenses against cyber criminals.
1. Implement a Comprehensive, Multi-layered Cyber Security Process.
In a previous blog post, Six ‘Back-to-Basics’ Tips for Protecting ePHI in 2016, we outlined a multi-pronged approach to securing your network based on a model developed by the SANS Institute for Information Security Training and Research. These six coordinated steps, sometimes called Defensive Walls, involve creating multiple layers of security around your digital assets.
The SANS Security Model is a well-respected resource because it calls into play so many complementary systems and protocols — blocking attacks first at the network level and, if a hacker slips through that defense, blocking the attack at the host level; using centrally managed patch management, along with anti-malware and antivirus management, data loss prevention; and other systems to spot and eliminate security vulnerabilities and spot nefarious software infections.
Discover more in our blog post for these six steps from SANS on protecting your company’s ePHI.
2. Train Staff Regularly on Cyber Security Awareness.
When the Healthcare Information and Management Systems Society (HIMSS) conducted a survey in 2015 of 300 healthcare IT professionals, it found that the single biggest cause of data security incidents was a negligent insider.
According to the report — the 2015 HIMSS Cybersecurity Survey — these healthcare IT pros were most worried about such attacks as phishing, and the fact that their negligent insiders might be vulnerable to them.
For this reason, we highly recommend a robust data-security training program for all of your staff, specifically addressing human vulnerability and susceptibility to attacks like spear phishing, and that you should continually look out for new tools to improve your training and new threats to warn your employees about.
3. Regularly Test Your Cyber Defenses
Two-thirds of the IT professionals polled in the HIMSS Cybersecurity Survey reported that their healthcare companies had suffered a “significant security incident” in the recent past. Yet just 12% reported that their organizations had performed any cyber-defense exercises.
With your company’s ePHI and other sensitive or proprietary data now spread across so many platforms, cloud applications, locations and employee devices, it can be difficult to identify all of the potential weaknesses or failure points that a cyber criminal might be able to exploit. This is why it’s a good best practice to conduct penetration testing and mock cyber-defense exercises, and otherwise regularly look for vulnerabilities across your network.
4. Upgrade Your Fax Infrastructure to a Secure Cloud Fax Solution
eFax Secure is a smart approach to protecting the security, confidentiality and integrity of ePHI that you transmit by fax to business associates.