The impact of the Change Healthcare cyber-attack followed in short order by the attack on Ascension is a key example. The latter is one of the largest health systems in the country, with 140 hospitals across 19 states. So, if it can get attacked, then every health system in the U.S. is at risk of suffering a devastating cyberattack,
Many were aware that Change Healthcare was the single point of failure for all payment processes yet, they did not implement a backup method, as it was deemed too expensive and time-consuming of a process. As Forest Gump so eloquently out it 30 years ago “Stupid is as stupid does”
Cybersecurity experts are recommending some changes to improve the healthcare industry’s defense posture such as the introduction of government-enforced minimum cybersecurity standards for providers and greater collaboration between healthcare organizations.
Cybercriminals across the globe continue to target healthcare organizations, exploiting any vulnerability they can. Healthcare entities are still struggling to protect themselves against these hackers, whose tactics are getting more sophisticated daily.
Below are three changes that MUST happen to strengthen the healthcare industry’s defense posture.
All healthcare employees need cybersecurity training
Internal human error is one of the most common factors that cause cyberattacks on enterprises across all industries.
Most attacks happen at the hands of an employee who simply made a mistake. These mistakes have detrimental impacts which is leading to a growing fear among staff members. In fact, according to a survey, some cybersecurity professionals say that they haven’t reported a breach due to fear of losing their jobs – https://www.linkedin.com/pulse/over-40-cyber-teams-encouraged-hide-breach-richard-freiberg-cpa-pc/
To address this problem, companies need to create an open-door policy in the workplace so employees feel empowered to talk about all risks that their organization may be facing,
Companies must also ensure that all employees understand how to recognize cybersecurity risks, as well as educate all workers on how to communicate or transport patients’ electronic health information properly. Employee cybersecurity training should be an ongoing, evolving process that is responsive to environmental and operational changes and is something we both recommend and can implement for YOU!
Healthcare companies need to assign clear job roles and descriptions and ensure it is communicated throughout the organization, Healthcare entities MUST ensure that workforce members are equipped with the necessary knowledge, skills, and abilities to fulfill roles and that these requirements are included as part of the personnel hiring process.
The government must establish minimum cybersecurity standards
The federal government has failed to set a minimum set of standards for cybersecurity protection across all industries which causes several issues. The first issue that arises is the mentality shift for organizations that are making hard choices when controls are a ‘should’ versus a ‘must’ implement, resource-strapped organizations may veer away from implementing them.
The lack of a strong government program leads to inconsistent security practices across the healthcare sector, making it easier for hackers to exploit vulnerabilities, and this is becoming even more of an issue as healthcare organizations become more interconnected and, in many cases, consolidate.
Organizations like the National Security Agency (NSA), Cybersecurity and Infrastructure Security Agency (CISA) and National Institute of Standards and Technology (NIST) have released cybersecurity guidelines and frameworks for healthcare organizations, but they haven’t been very effective.
While these guidelines provide helpful information, they have not established any firm standards, incentives, or accountability for organizations to proceed with implementing updated best practices. They are just recommendations meaning organizations can take or leave them.
As I have noted previously, the lack of consequences in the event of an attack allows healthcare organizations to gamble with their security and patient safety when they fail to implement best practices or appropriate back-up and data recovery methods.
We believe the number one thing that MUST change for healthcare cybersecurity to improve is the establishment of minimum, government-enforced cybersecurity standards specific to the healthcare industry along with incentives and resources to ensure healthcare organizations can successfully build and maintain their cybersecurity programs.
Real change will come when standards and initiatives are introduced alongside the means needed to achieve them. Budgeting is a routine issue for smaller healthcare providers as their leaders know that cyberattacks have dire privacy and financial consequences. When they’re forced to choose between an urgently needed MRI machine for their patients or a new cybersecurity product, they’ll choose the former.
Healthcare organizations should collaborate to address shared vulnerabilities
Cyberattacks entry points are vertically oriented. When a cyberattack occurs in the finance industry, stakeholders from all over the sector often collaborate to solve the issue as quickly as possible. The finance sector also works collaboratively in a proactive sense; banks all over the world have established networks where they regularly share new risks that are emerging and how to get ahead of them.
Yet in healthcare there doesn’t seem to be the same type of speedy, cooperative approach.
Healthcare providers that have been hacked should share details with other organizations throughout the sector so they can be aware of what to patch in their own systems.
Richard Freiberg
Profitability Consultant
Richard Freiberg CPA PC
Phone (980)339-3352
Cell (914)393-0033
www.rmfreibergcpa.com
LinkedIn
to subscribe to Cyber Insights Today
to subscribe to LinkedIn Newsletter Cyber Security
Providing valuable counsel to help boost your company’s bottom line, while navigating competitive forces, industry, and economic risks in today’s challenging environment
|
1 thought on “The 3 things that MUST change to improve healthcare cybersecurity”
Healthcare need better protection! Crazy how vulnerable it is.