Servers and storage are a primary focus for one hospital’s support upgrades.
Introducing security tools is just one step in ensuring a layered approach — a strategy that builds in several levels of protection, one on top of another — when mitigating everyday cyberattacks. While a strong technology defense is important when building up a cybersecurity infrastructure, making sure there are complementary personnel processes in place is paramount for keeping patient records protected.
Here are a few tips on everyday processes that can keep your healthcare organization’s network safe.
According to the Healthcare Information and Management Systems Society (HIMSS) 2016 Cybersecurity Survey, 60 percent of healthcare boards of directors get security updates only as needed. Meredith Harper, chief information privacy and security officer at Henry Ford Health System in Detroit, says that healthcare organizations that want to improve their security posture should allow security leaders to regularly engage their boards — or at least the audit and compliance or risk committees.
“Organizations that don’t give that access are basically setting their security and privacy leaders up for failure because it’s not a priority,” she says.
Investing heavily in technology without prioritizing process and discipline is a surefire prescription for failure, says Mac McMillan, co-founder and CEO of CynergisTek.
“If everyone doesn’t fully understand how security systems are going to be administered, hardened and patched, and how change and configuration management is to take place, then when you add more advanced systems like detection and analytics, you’re going to detect a lot of false positives and management failures, and you won’t be as effective in analyzing what the threat really is,” he says.
IT teams must develop a solid contingency plan for an attack so overwhelming that the only way to regain control is to shut down the network, says McMillan.
“That’s a really tough call to make if you haven’t even thought about it ahead of time,” he says. “So don’t wait until you have an emergency. Make sure you know who has the authority to make the decision. Make sure people understand what they’re doing and how the plan is going to get communicated to the leadership and the staff. And then practice that emergency response on a regular basis.”