5 ways to strengthen your health care cybersecurity





 The good thing about cybersecurity is that no one cares about data from healthcare providers.


Oh wait a minute...


If you're worried about how to save your organization money, you may be overlooking one of the costliest issues the healthcare industry has faced in recent years: cybersecurity breaches. Estimates show that each breach costs providers over $400 per patient. And 2018 has so far been quite a year for exposed healthcare data. In April alone, breaches affected nearly 900,000 people.


And that's exactly what was reported.


But IT – especially cybersecurity – is not your department. Why should you make it your problem? The answer is simple: because the next breach may be your fault. We're not trying to be harsh; it's just a fact. Incidents originating from hackers are in the minority.


Most breaches come from carelessness or simple mistakes.


So what can you do to prevent data breaches in your organization?


1. Access control


Just as important as how individuals access your system is who accesses it. We hope you wouldn't let any old patient walk the corridors freely from the ER. (Though we all know there are still hospitals where you can walk straight from the front door to the operating room without once showing your badge or turning a key.)


So make sure that the individuals who have access to your areas are the ones who should. This may seem obvious, but just imagine how many places your keys can take you. Are there computers or tablets in these rooms?


And that's just the most basic form of access. At the cybersecurity level, different people should have access to different types of provider and patient records. And each of these levels of access should be password protected.


Now think about your co-workers. You probably know one of their passwords. How many people know yours?


Speaking of…



2. Create strong passwords


Every website has different (annoying) requirements for its passwords. Capitalization, lowercase, punctuation—but not that punctuation—and so on. This is probably why you have several variations of the same password that you use everywhere.


Doesn't that make it easier for someone who has your password in one place to guess it everywhere else?


Do you know who uses the same password for everything? Manufacturers. Everything they supply that requires a password starts with a default setting. So what happens if a hacker can figure out the default password for, say, an Internet-connected MRI machine? That hacker can get into any MRI machine connected to the Internet.


Unless the hospital changed the password from the default once the machine was acquired.


Seriously, change your passwords. (And no, P4ssw0rD123 is not a safe choice.)


3. Understand what you have


Speaking of internet-connected devices, what do you know about the Internet of Things? Every device in your hospitals that connects to the Internet must be secure.


And notice we didn't say "every piece of equipment you brought into your hospitals." Every laptop and iPad—even every Internet-connected pacemaker—that walks through your door opens you up to hacking opportunities.


Make sure you have your own passwords and network connections for all devices connected to the Internet, and monitor what users are doing on those connections.




4. Update your technology


This one is pretty straightforward. The older the system, the more vulnerable it is. Technology from a year ago has fewer safeguards than something released today, and the further back you go, the more time hackers have had to figure out how to penetrate those defenses.


In the 1980s, there was a documentary about a teenager who almost started World War 3 on a relatively primitive computer. Imagine what today's hackers could do on these old systems.


(Okay, maybe it wasn't a documentary. But we stand by it.)


5. Prepare for the worst


Something bad is going to happen. Sorry, it just will. Once a breach is discovered - whether it was a thief walking out of a hospital with a laptop or an employee accessing patient records on McDonald's wifi (please, please don't use unsecured networks for business) - it needs to be reported.


Your organization needs a plan to deal with breaches. And that's not entirely on your shoulders. Discuss this with IT, the people you report to, and the people who report to you. Learn how to best deal with a breach and what steps to take from there.


The wrong people getting your company's information—or your patients'—doesn't have to be your fault. But if you don't take steps to strengthen your cybersecurity, it will be.
