The topic of security is on the minds of most healthcare IT professionals today. Securing remote access to your hospital's network is the deadbolt that helps protect your data. Most people don't leave their backdoor wide open, or expect that little doorknob lock to be secure, so why do most hospitals do the equivalent with their networks?
I am new to Iatric Systems, but not new to the world of healthcare IT, as I have served as CIO for 18 years in both ambulatory and acute environments. There aren’t too many healthcare IT challenges that I haven’t seen and tried to solve. Now, I am excited to be talking to hospitals about the very important topic of managing partner risk, and securing remote access.
You likely see the headlines daily, just like I do, of hospitals that have been hacked or have been a victim of a ransomware attack. I know that the topic of security is top of mind for most CIOs and CISOs, yet, there are so many competing priorities, and the squeaky wheel usually gets the attention. While cybersecurity initiatives around remote access and defending our data are important, those other priorities tend to displace those remote access security concerns, until something happens.
If the above paragraph describes you…you are not alone! ECRI Institute’s annual “Top 10 Health Technology Hazards for 2019” named Remote Access System Hacking as the number one health technology hazard for 2019.
Hackers and other unwanted guests can easily gain access to hospital networks through remote access provisions where they can steal valuable data, introduce viruses, demand ransom, and even shut down hospital systems. In addition, negligent business partners that don’t adhere to proper security protocols also put hospitals’ network at risk.
Without providing secure and reliable access and avoiding a hacking situation, clinicians may not be able to care for patients appropriately, or even worse, may not be able to administer effective emergency care. Either outcome adversely affects public trust in the organization.
For years hospitals have focused on internal threats to patient privacy, and have installed robust systems to catch internal incidents such as employee snooping or medical identity theft. Now it’s time to strengthen the efforts around external threats, specifically by taking control of remote access and putting the appropriate controls in place to keep hackers out of your network.
So, where do you begin?
Here are some questions that you can ask yourself, to get you started on the right path.
1. Is your current process for secure remote access working effectively? And does the current process use some type of rules-based engine to determine the criteria for remote access?
You first need to assess your current security plan, and determine where you have gaps. Consider the strength and weaknesses of your human processes.
- What security challenges are you having with your current remote access process for vendors, remote employees and affiliate offices?
- How are you checking the security of employees accessing your network remotely?
- How do your current security measures protect you from hackers?
- How do you manage remote access when staff from affiliate offices are terminated?
- Do you get proper staff notification to block them from accessing your network remotely?
2. How can you take control of how vendors access your network?
Most CIOs tell me that their vendors tell them the criteria they require to connect to the hospital’s network. This creates many different avenues in how your vendors connect, and this can be very difficult to manage. To ensure security of your network, you need to take this control back and tell your vendors your requirements for connecting and gaining access to your network.
- Who is in charge of how your vendors access your network? You, or your vendors?
- How many different methods of remote access do you allow?
- How do you validate that your vendors are meeting your security standards?
- How does your vendor manage their users? Are they all using one generic account (yes, some vendors still do this today)?
Secure remote access is a topic that I am passionate about. Your patients are relying on you to protect their patient data from hackers, and it’s the last thing anyone wants to worry about when you are trying to administer care for these patients.
Here’s a quick Assessment that includes some of these points to quickly tell you if you have major gaps in your remote access security plan. Contact me if you would like to discuss your situation in detail and I can share what others are doing to get a handle on their secure remote access.