Posted by: adelvecchio
As the number of cyberattacks against healthcare organizations grows, I’m often asked whether there is any one policy or behavior that is to blame for this situation. My answer is emphatically no; security is an area of concern that many people are just starting to become aware of, much less understand and implement good security controls for. As a result, many organizations and their staff don’t have a realistic sense of what good security is and what they need to protect.
Here are five tips for organizations to more easily and effectively implement healthcare security strategies.
Security must be viewed like a puzzle
If attackers get any one piece of the puzzle, they should not be able to figure out the whole picture. For example, if user credentials are stolen through phishing or a lost or stolen device, there should be another factor of authentication in place so the attackers are stopped from logging in. If an attacker does manage to log in, network segregation and limited privileges should prevent them from pivoting into more sensitive areas of the company, or into sensitive databases.
There is no such thing as a “warning sign” of a breach
If there is a sign that you’ve been breached, it’s already too late — the attacker has already gotten into your system. Some people cite the presence of vulnerabilities as a sign of danger, but in truth, all systems have vulnerabilities. That would be similar to saying, “a common attribute for breaches is that the affected companies all have staff who consume oxygen.” It’s not the vulnerabilities that cause attacks, it’s the absence of good security.
To err is human
The most educated humans still make mistakes. Even security gurus can accidentally double-click when they’re not supposed to. That said, those who are not educated about what secure behavior entails will certainly make more mistakes, or they may deliberately circumvent security controls. While attackers don’t need to go through humans to get into improperly secured systems, it can be the easiest way. Security education is something that should be provided early and often.
Legacy machines can cause big problems
Perhaps one of the more surprising aspects for healthcare organizations is how many machines in their offices run outdated (and very soon-to-be unsupported) Windows versions. Many hospitals have medical devices that still run Windows XP, which leaves a gaping hole from a healthcare security perspective. While this is occasionally unavoidable, it should be limited wherever possible and extra security measures should be taken with those machines until they can be updated.
Risk assessment should be ongoing
With tight security budgets, legacy systems and the need for users to have access that’s both fast and secure, it’s important for healthcare organizations to be extra vigilant about planning security controls. The best way to do this is to perform ongoing risk assessments that are updated as new assets come online or as processes change, rather than revisiting them only at fixed intervals. If you’ve never done a risk assessment and want to know how to begin, the National Institute of Standards and Technology has published a guide for conducting risk assessments.
In future installments, I’ll expand on some of these strategies to help healthcare organizations improve their security posture.