Prioritizing cybersecurity: Seven steps healthcare organizations can take to help protect patient data

A decade ago, healthcare organizations were in the early stages of digital adoption, and cybercriminals and hackers rarely targeted the industry. That all changed virtually overnight, when the COVID-19 pandemic forced providers to adopt cloud- and network-enabled technology. For cybercriminals, healthcare organizations became a one-stop shop offering a combination of personally identifiable information, financial information, health records, and countless medical devices. Many organizations’ rapid, and in some cases haphazard, digitization of critical information and functions made them target-rich and security-poor — an enticing combination for cybercriminals.
Although it’s a new frontier for many healthcare organizations, cybersecurity must be a serious and urgent priority for providers as they seek to protect their data, systems and networks from unauthorized and malevolent users. Healthcare providers must embrace and leverage the operational efficiencies, cost and waste reduction, and improved patient outcomes afforded by modern technology and innovations without fear of cyberthreats. The only way to ensure that is by establishing and maintaining a comprehensive cybersecurity strategy to combat these attacks.
Here are seven practical steps healthcare organizations can follow to build a robust cybersecurity platform:
1. Conduct a risk assessment
There is no such thing as a one-size-fits-all cybersecurity solution that will protect every organization indefinitely. A successful strategy requires a custom, multi-pronged approach, starting with a holistic risk assessment to understand exposure and pinpoint vulnerabilities. The goal is to identify all the potential entry points that hackers could exploit to carry out an attack.
Questions to ask during the risk assessment include:
- Where is encryption used?
- Are user roles employed effectively to limit access to sensitive information?
- What third-party technology and solutions are in use that could provide cybercriminals access to essential systems?
2. Build a defensive toolkit
Based on what was learned in the risk assessment, organizations should develop a toolkit of traditional defenses, like encryption and firewalls, that will serve as the foundation for more advanced solutions. Cyber attackers are becoming more sophisticated, leveraging automation and artificial intelligence (AI) technologies to find, create, and exploit entry points into a system or network. An effective defensive toolkit will “fight fire with fire,” using the same kinds of tools attackers use in order to defend against attacks and eliminate vulnerabilities.
3. Prevent and prepare
Unfortunately, the biggest vulnerability in any organization is its people. Sophisticated cyberattacks often begin with a barrage of simple phishing emails that aim to get an employee to share sensitive information like a password, account number or login. These attacks often target lower-level workers who may be less savvy about cyberthreats and less likely to alert managers or authorities if they fall victim to an attack.
Organization-wide education, preparation, and planning are essential, and cyberthreat training must be standard in all employee onboarding. Training of new and current workers should include how to recognize the signs of a “successful” breach, reassurances that the employee won’t face consequences for reporting a breach, and steps to take right away to alert colleagues and mitigate the damage and spread of the attack.
4. Take advantage of free resources
Large institutions have internal teams that can respond to these threats, but smaller healthcare providers with limited resources may be more exposed. However, with the right tools, even a smaller provider can build a defensive platform. Even small institutions that lack the ability to change policies or afford a robust IT team can access resources and technology to protect themselves.
The U.S. Cybersecurity and Infrastructure Security Agency (CISA), for example, offers a free online toolkit and resources for organizations in the healthcare and public health sector. In addition, the Department of Health and Human Services (HHS) administers the HHS 405(d) Program to align security practices across the healthcare industry. The program provides tools, documents and educational resources aimed at improving cyber hygiene — practices and habits that promote good cybersecurity — within organizations large and small.
5. Prioritize HIPAA compliance
Healthcare consumers have an expectation that their personal information won’t be misused by providers, and in 1996, the federal government enshrined that expectation into law with the Health Insurance Portability and Accountability Act (HIPAA). The legislation spells out patient rights and the stiff civil and criminal penalties individuals and organizations can face for violating them. For this reason, a healthcare organization’s cybersecurity strategy must not only align with its own needs, but with the requirements laid out by HIPAA, as well.
Education is an essential part of the strategy. Informational seminars are the best opportunity to teach healthcare organizations about the interdependence between cybersecurity and HIPAA. Understanding how all these components, from the technology to the regulatory side, work together is an important educational tool that encourages providers to invest in programs and policies that proactively combat threats and increase security.
6. Leverage third-party experts
Implementing the steps above will undoubtedly make a healthcare provider’s staff, patients, equipment and records more secure. But the unfortunate reality is that cybercriminals will never stop trying to bypass the security measures their targets put in place. That’s why healthcare organizations should consider partnering with a specialist cybersecurity consultant and technology provider whose job is to stay up to date on the latest cyberthreat tools and techniques, and continuously update their clients’ platforms accordingly. These experts can also help organizations establish a defensive program and respond to attacks when they happen.
7. Caring for the patient and their personal information
For healthcare organizations today, providing “quality care” means caring for both the patient and their personal information. Unfortunately, cybercrime is constantly evolving, so the tactics and tools providers use to thwart attacks must evolve with it. The stakes in this constant battle couldn’t be higher: as recent attacks have proven, cybercriminals don’t care about the health and safety of the individuals working in or being treated by the facilities they target.
Cybersecurity is a life-or-death issue for healthcare providers, and organizations need to treat it as such by making the establishment and maintenance of a cybersecurity strategy a top priority. The good news is that, with a methodical and strategic approach and a little outside help, any organization can improve its cybersecurity and become better prepared to respond to attacks.
For more information, contact an expert:
Agapito “Aga” Morgan, Commercial Healthcare Leader, KeyBank
Yaminah Sattarian, SVP and Group Lead of Healthcare Payments, KeyBank
About Key Healthcare®
Key Healthcare provides a holistic approach and deep industry expertise customized to our clients’ needs. Key Healthcare’s comprehensive capabilities include investment banking, real estate, treasury management, and financing solutions. Nearly 10,000 clients rely on Key Healthcare to deliver strategic and innovative solutions that address today's healthcare challenges and opportunities. To learn more, visit key.com/healthcarebanking.