I recently posted about Ten Best Practices to Mitigate Cybersecurity Threats that came from recommendations by the Health and Human Services publication, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” That document addresses five cyber threats, with ten best practices for small to large healthcare organizations.
These recommendations came from the efforts by the CSA Task Group charged with drafting this publication, and in reflecting on this work, I am drawn to a sobering quote within the document by one of the task group participants,
“I entered into the health care field with a mission to protect and care for patients. This mission now includes cybersecurity.”
Over my own healthcare career, I’ve known many outstanding doctors, nurses, and medical technicians who have given their life to patient care and the mantra of do no harm.
Now, unfortunately that also has to include cybersecurity, because it is now every healthcare worker’s responsibility. And for the IT staff of every healthcare organization, you are just as responsible for patient safety and to do no harm.
The Executive Summary of the document is titled "Call to Action: Cybersecurity a Priority for Patient Safety." If you are reading this blog, then perhaps you already have an awareness and a desire to act. If you are casually reading and don't sense the urgency, I implore you to take action!
Patient safety is at stake, and the target falls squarely in our area of responsibility — Information Technology. IT leaders from CIOs, CISOs, IT Directors and Managers must continually educate themselves so they can be the cybersecurity champion for their health system.
But before you can be a champion, you need to be a Subject Matter Expert (SME). Every healthcare organization needs a SME in cybersecurity.
Some questions to ask yourself to improve your organization's cybersecurity expertise:
- Are you that person in your organization? If not, then who is?
- Are you communicating to your leadership and educating employees on safe cybersecurity practices?
- Do you know where to turn for additional help or guidance?
- Are you budgeting for and deploying tools to protect your patients' data?
- Are you proactively fighting this cyber battle, or reacting to each attack, threat, or even breach?
- Do you know your organization’s strengths and weaknesses around cybersecurity – your gaps?
The cybersecurity challenge we face in healthcare is real, and it will not diminish over time. All one needs to do is look at our industry news sites to see the increase in cyber crimes and the devastation they cause.
Policies, procedures, and tools used today may not guarantee success tomorrow, so we must all be constantly learning and applying new tactics. The strategy must be dynamic, and that requires key leaders to become well informed and remain well informed!
Here are some things that you can do now to move your strategy forward:
- Start by knowing what the law says – read up on CSA Section 405.
- Take your vendors to task over their security measures (and remember, if they are a Business Associate, you are responsible for their policies and procedures around your data).
- Develop a cybersecurity strategy in your organization and fund it. You do not have to break the bank to start putting solutions and procedures in place.
- Work with your key vendors or look within the industry to find experts and solutions to assist your strategy.
- Assess your potential points of failure, such as remote access, email phishing, or vendor risks, and start there with your tools, policies, and procedures.
For an easy way to quickly assess your remote access gaps, you can take this Vulnerability Assessment.
It's a fact that the aftermath of a cyber attack leaves health systems crippled. And let's not forget the patients put at risk by a cybersecurity incident! Become the cybersecurity SME in your organization by being informed and involved in the solution. Let's all strive to make an impact on cybersecurity in 2019.
If this information has your head spinning, you are welcome to schedule a meeting with me to discuss securing remote access to your network.