Everyone in healthcare is thinking about how to appropriately address healthcare cybersecurity in their organization. This should come as no surprise considering the barrage of malware, spyware, and ransomware attacks that have hit healthcare and the world at large. According to the HHS Breach Portal (more commonly known as the HHS Wall of Shame), in just the first 16 days of 2019, we’ve had eight breaches with 156,505 individuals affected. Worth noting that these are just the breaches we know about; there is no way to tell how many more have occurred and gone undetected or unreported.
Despite these concerning facts, there are steps healthcare organizations can take to help prevent non-obvious cybersecurity threats from causing severe damage.
Implement effective governance
Many organizations do not have effective governance and policies for the database admins who have direct access to their health IT systems. The access controls built into your health IT software have no effect if someone can bypass them and read the data directly from the database. Plus, direct database access often leaves no record of what was accessed or who accessed it, because the application-level audit trail is never written.
Manage and monitor user access
Another challenging security hole is detecting inappropriate data access by an authorized user. Just because a person has permission to access all medical records does not mean they should open any particular record. This is hard to track because the user holds the appropriate permissions to see the information, even when viewing that data was not needed for them to provide care. It typically happens when someone looks up a famous person’s medical record or the record of someone they know personally. Companies are working on AI and machine learning powered systems to surface this type of inappropriate activity so it can be addressed.
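As an added example (not from the original article), the following is a simple rule-based first pass over EHR access-audit records that flags authorized accesses worth a privacy review: no documented care relationship, a user sharing a surname with the patient, or a chart carrying a confidentiality flag. The audit records, the care-team table, the account names and the VIP flag are all constructed for illustration.

```python
"""Rule-based review of EHR access-audit records for authorized-but-
inappropriate access. All records and relationships below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class AccessEvent:
    user: str             # clinician account that opened the chart
    user_surname: str
    patient_id: str
    patient_surname: str
    vip: bool             # chart carries a confidentiality / VIP flag


# Constructed care relationships: charts each user legitimately treats.
CARE_TEAM: Dict[str, Set[str]] = {
    "dr.alvarez": {"P100", "P101"},
    "rn.kim": {"P100"},
}

# Constructed audit trail, as it might be exported from the EHR.
EVENTS: List[AccessEvent] = [
    AccessEvent("dr.alvarez", "Alvarez", "P100", "Ng", False),         # on care team
    AccessEvent("rn.kim", "Kim", "P101", "Ortiz", False),              # no relationship
    AccessEvent("rn.kim", "Kim", "P200", "Kim", False),                # same surname
    AccessEvent("dr.alvarez", "Alvarez", "P300", "Celebrity", True),   # VIP chart
]


def review(events: List[AccessEvent],
           care_team: Dict[str, Set[str]]) -> List[Tuple[str, str, str]]:
    """Return (user, patient_id, reasons) for each access that warrants review.

    Every event is already *authorized*; the rules only ask whether the
    access looks consistent with providing care to that patient.
    """
    findings = []
    for e in events:
        reasons = []
        if e.patient_id not in care_team.get(e.user, set()):
            reasons.append("no care relationship")
        if e.user_surname.lower() == e.patient_surname.lower():
            reasons.append("shares surname with patient")
        if e.vip:
            reasons.append("VIP/confidential chart")
        if reasons:
            findings.append((e.user, e.patient_id, "; ".join(reasons)))
    return findings
```

Rules like these are a baseline, not the ML-driven systems the article mentions; a privacy officer would still review each finding against the clinical context before concluding the access was inappropriate.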
Make sure BAs secure your health data
Be sure to check with all of your business associates (BAs) to confirm that they are securing your health data appropriately. Many healthcare organizations spend so much time securing their own systems and network that they forget about their business associates. In most cases, you have so many business associates that you will need to prioritize which ones you review and how deeply you review them. However, this is an important effort to keep your organization secure. Plus, you will learn a lot about your vendors’ security posture and capabilities once you start asking some hard questions.
Identify your blind spots
Finally, every healthcare organization has its own blind spots. Over time, we all become blind to our security posture; that is a natural part of familiarity. To discover your own blind spots, it is important to have fresh eyes look at your cybersecurity efforts. An outside consultant or security expert will often spot threats that are obvious once they are pointed out, but that have become invisible to those who see them every day.
Your healthcare cybersecurity efforts are extremely important to the success and the reputation of your organization. While you may have all the obvious cybersecurity efforts under way, take a minute to look at the non-obvious cybersecurity threats listed above. Plus, if you slow down and consider your security posture, you will likely find more. An ounce of effort to secure these non-obvious threats is much better than dealing with a breach that could have been prevented.