It seems like every week we read about another medical institution falling victim to a cyberattack. It doesn't matter if it's an urban or rural area, a large or small medical facility, a nursing home or a hospital. In the world of cybersecurity, you are the target.
According to new research, protected health information (PHI) sells for an average of $250 per record and can reach up to $1000 per record. We have now progressed from a “it won't happen to us” approach to a “when it happens to us” reality.
This leaves nursing homes wondering whether they are taking the necessary steps to protect PHI and to ensure their incident response (IR) plans are executable, tested, and thorough. It also raises the question of how to do so: we know we should protect PHI, but isn't an incident response plan the same as a disaster recovery plan?
In March 2023, the Department of Health and Human Services (HHS) released a concept paper on healthcare cybersecurity. In it, HHS explained its strategy by introducing four pillars designed to provide a framework for strengthening cybersecurity and awareness. The four pillars are:
- Establish voluntary cybersecurity performance goals (CPGs)
- Provide resources to encourage implementation of stronger cybersecurity protocols and practices
- Develop new enforceable cybersecurity standards through increased regulatory enforcement and accountability
- Expand and mature HHS' one-stop-shop services for healthcare cybersecurity
The voluntary CPGs are divided into two types of goals: essential goals and reinforcement goals. This discussion will focus on the essential goals.
Although currently voluntary, the essential goals set minimum standards for healthcare organizations to follow.
- Mitigate known vulnerabilities: Continuous mitigation of known vulnerabilities reduces the threat of system exploitation.
- This reduces the risk of zero-day vulnerabilities, as we saw across the healthcare industry last year. It also helps reduce the risk of easy infiltration by threat actors. It is important to keep your systems updated in a timely manner, especially legacy systems.
- It is a best practice to have a policy in place with regular reviews and accountability to ensure ongoing and timely remediation of known vulnerabilities.
- Email security: Protect your email account from unauthorized access.
- Social engineering and email compromise are known attack vectors.
- Labeling external emails as such is a cost-effective approach to reminding users to pay attention.
- It's important to continually educate all staff on social engineering tactics and attempts such as thread jacking and business email compromise.
- Multi-factor authentication (MFA): Adds a second layer of authentication beyond passwords.
- Although not foolproof, MFA can stop the majority of attacks and help reduce risk.
- It's also important to continually educate all staff about social engineering tactics and attempts (such as MFA fatigue).
- Basic cybersecurity training: Ongoing educational training to ensure employees are aware of risks and practice safe behaviors.
- As with all professional development, security awareness training is essential, especially around emerging threats like AI and deep fakes.
- To be effective, professional development must be ongoing and integrated into the work.
- Simulated phishing tests are also available to empirically demonstrate that your user base is improving.
- Strong encryption: Protect sensitive information at rest and in transit.
- Encryption is essential on both the sender and receiver end, as well as during transmission.
- This blocks threat actors from accessing PHI and related sensitive information.
- In addition to maintaining regular inspection and patching, it is important to carefully evaluate the vendors that provide these tools.
- Revoke credentials for departing workforce members: Revoke the credentials of departing employees, contractors, affiliates, and volunteers. Delete credentials for users who no longer need access to systems or applications.
- Timely termination of access for former employees who still have it, strengthening password management policies, and blocking password reuse are all important.
- Basic incident planning and preparation: Develop and implement a plan in case a cyber incident is discovered. A disaster recovery plan is not an incident response plan.
- Breaches are probably inevitable, but not all breaches are created equal.
- Proper preparation can be the difference between something that causes long-term damage and something that can be quickly repaired in a crisis.
- Executing an IR plan, developing an IR handbook, and practicing real-world simulations act like school fire drills: they reduce risk by rehearsing the response before it is needed.
- Unique credentials: Make sure the right people have access to the right features they need to do their jobs.
- Separate user and privileged accounts. Privileged accounts are created for users who need administrative rights to a network or application.
- To avoid privilege escalation, it is important to employ zero trust practices and require additional verification for central administrator accounts.
- These approaches can be implemented through network configuration and security layers with independent and additional validation requirements.
- Vendor/Supplier Cybersecurity Requirements: Develop cybersecurity standards for your business partners and ensure compliance. Cyber requirements may vary depending on the services procured.
- Holding third-party vendors to the same governance responsibilities as your own organization clearly reduces risk and is a best practice. To make money in business, you need to invest in protecting your brand.
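The "revoke credentials" and "unique credentials" goals above are easy to state and hard to keep true across hundreds of accounts, so a periodic access review is the practical check. The script below is an added example, not the authors' or HHS's code: it reconciles a constructed identity-provider export against a constructed HR roster (all logins, owners and dates are hypothetical) and flags accounts still enabled after the owner's separation date, privileged accounts without MFA, privileged accounts whose owner has no separate standard account, owners unknown to HR, and accounts with no sign-in inside the review window.

```python
"""Periodic access review for the CPG credential goals (constructed example).

Flags, from an identity-provider account export reconciled against an HR roster:
  * credentials still enabled after the owner's separation date
  * privileged (admin) accounts without MFA
  * privileged accounts that are the owner's only account (no separate user account)
  * accounts whose owner is unknown to HR (orphaned or vendor-owned)
  * enabled accounts with no sign-in within the review window
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    login: str
    owner: str          # workforce member (or vendor) the account belongs to
    privileged: bool    # administrative rights on a network or application
    mfa_enabled: bool
    enabled: bool
    last_login: date


# Constructed HR roster (hypothetical): owner -> separation date, None while active.
HR_ROSTER: Dict[str, Optional[date]] = {
    "alice": None,
    "bob": date(2024, 2, 1),   # contractor who departed
    "carol": None,
    "dave": None,              # volunteer
}

# Constructed identity-provider export (hypothetical logins and dates).
ACCOUNTS: List[Account] = [
    Account("alice", "alice", False, True, True, date(2024, 5, 30)),
    Account("alice-adm", "alice", True, True, True, date(2024, 5, 29)),
    Account("bob", "bob", False, True, True, date(2024, 1, 28)),
    Account("carol-adm", "carol", True, False, True, date(2024, 5, 31)),
    Account("dave", "dave", False, True, True, date(2023, 11, 1)),
    Account("svc-backup", "vendor-x", True, False, True, date(2024, 5, 31)),
]

# Date the constructed review is run against (hypothetical).
DEFAULT_REVIEW_DATE = date(2024, 6, 1)


def review_accounts(accounts: List[Account], roster: Dict[str, Optional[date]],
                    today: date, stale_days: int = 90) -> List[Tuple[str, str]]:
    """Return (login, finding) pairs; an empty list means the review is clean."""
    findings: List[Tuple[str, str]] = []
    # Owners who hold at least one non-privileged account for day-to-day work.
    owners_with_standard = {a.owner for a in accounts if not a.privileged}

    for a in accounts:
        if a.owner not in roster:
            findings.append((a.login, "owner missing from HR roster; confirm ownership or disable"))
        else:
            separated = roster[a.owner]
            if separated is not None and separated <= today and a.enabled:
                days = (today - separated).days
                findings.append((a.login, f"still enabled {days} days after separation"))
        if a.privileged and not a.mfa_enabled:
            findings.append((a.login, "privileged account without MFA"))
        if a.privileged and a.owner not in owners_with_standard:
            findings.append((a.login, "privileged account is owner's only account; "
                                      "issue a separate standard account"))
        if a.enabled and (today - a.last_login).days > stale_days:
            findings.append((a.login, f"no sign-in for more than {stale_days} days; "
                                      "review whether access is still needed"))
    return findings


def run_review() -> List[Tuple[str, str]]:
    """Run the review over the constructed data above."""
    return review_accounts(ACCOUNTS, HR_ROSTER, DEFAULT_REVIEW_DATE)


if __name__ == "__main__":
    for login, finding in run_review():
        print(f"{login:12} {finding}")
```

In practice the two inputs come from an HR system export and the identity provider's account list; the value of the review is that it is run on a schedule and its findings are tracked to closure, which is what turns "revoke credentials" from a policy statement into an auditable control.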
The value of PHI makes healthcare a top target for cyberattacks. However, other factors also come into play. It is not just a matter of protecting PHI that resides on-premises in your network. Due to the nature of healthcare, PHI must be shared between entities. This means data is moving around, creating a greater opportunity for attackers to exploit it.
Healthcare providers may also lack the technical and financial resources to respond to ever-changing cyber threats. Staffing shortages and a lack of cybersecurity training for all employees further compound the challenge of protecting PHI.
While CPGs are a good start, the responsibility ultimately rests with each healthcare provider to develop a thorough cyber strategy to protect PHI from ever-evolving and sophisticated cybercriminals.
David Mauro is Konica Minolta's National Manager of Cybersecurity and Compliance Services. He has a background in risk management and regulatory compliance, and has served as CIO and managing director in private and public companies. David holds a Juris Doctorate from Loyola University.
Brian Nowak is a Healthcare Regional Account Executive for Konica Minolta. He has held senior management positions at Fortune 500 companies and has experience in business development, operations, and compliance. Brian earned his MBA in Finance from Loyola University.
The opinions expressed in McKnight's Long-Term Care News guest submissions are the author's and not necessarily those of McKnight's Long-Term Care News or its editors.