Needless to say, healthcare CIOs and their CISOs are in really challenging positions when it comes to healthcare cybersecurity.
However, the good news is that most healthcare organizations are finally getting a handle on the obvious security efforts. For example, pretty much every healthcare organization has invested in a firewall, anti-virus, and web filtering. I cannot imagine any organization running a health IT system without appropriate encryption. If you are not doing this already, you had better start today.
The other good sign is that most healthcare leaders have come to realize that technology alone is not enough to keep an organization secure. If the people in your organization are not well trained, then all the technology in the world will not protect you against things like phishing attacks. Most organizations have implemented cybersecurity training for their employees, along with simple technical measures such as warning banners on emails with potentially harmful attachments or emails that originate outside the organization. Plus, many organizations run their own internal phishing simulations as a way to train employees to recognize phishing attempts.
While this is all good news, there are a lot of non-obvious breach threats that have not been addressed by most organizations. In most cases, we are not talking about incompetence. Instead, many of these non-obvious threats are things that healthcare organizations have just forgotten about or they have not taken the time to address yet.
Let’s look at a few examples of non-obvious cybersecurity threats many healthcare organizations face.
The first threat that many people forget about is old user accounts. It turns out that most healthcare organizations are on top of deactivating accounts when those accounts are on major systems and the person is a standard HR hire. In those cases, a standard HR process notifies IT of the need to deactivate the account, and this is done effectively and in a timely manner. The non-obvious threat is accounts on non-major systems and employees who do not go through the standard HR process. Think about temp staff. They often go through a different hiring process, so their accounts are often forgotten and are not disabled when they leave. The same is true of smaller systems. Disabling user access to these edge systems often gets forgotten when an employee leaves.
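One way to catch these forgotten accounts is a periodic reconciliation that compares each edge system's account export against both the HR roster and a separate contractor roster, flagging enabled accounts whose owner has left, whose contract has ended, who has no owner at all, or who has not logged in for a long time. This is an added example, not code from the article; the rosters, system names and account records below are constructed sample data.

```python
from datetime import date

# Constructed sample data (not from the article). The HR feed only covers
# standard hires; temp staff live in a separate contractor roster with end dates.
HR_ROSTER = {
    "jdoe": {"status": "active"},
    "asmith": {"status": "terminated", "end_date": date(2024, 1, 15)},
}
CONTRACTOR_ROSTER = {
    "tmp_rlee": {"end_date": date(2024, 2, 1)},    # contract has ended
    "tmp_kpatel": {"end_date": date(2025, 6, 30)},  # still engaged
}
# Account exports from two edge systems (constructed). last_login None = never.
SYSTEM_ACCOUNTS = {
    "lab-results-legacy": [
        {"user": "asmith", "enabled": True, "last_login": date(2023, 12, 20)},
        {"user": "tmp_rlee", "enabled": True, "last_login": date(2024, 1, 28)},
        {"user": "jdoe", "enabled": True, "last_login": date(2024, 3, 1)},
    ],
    "radiology-pacs": [
        {"user": "svc_backup", "enabled": True, "last_login": None},
        {"user": "tmp_kpatel", "enabled": True, "last_login": date(2024, 3, 2)},
    ],
}

def find_orphaned_accounts(system_accounts, hr, contractors, today, stale_days=90):
    """Return (system, user, reason) for every enabled account that should be reviewed."""
    findings = []
    for system, accounts in system_accounts.items():
        for acct in accounts:
            if not acct["enabled"]:
                continue  # already disabled; nothing to do
            user, reason = acct["user"], None
            if user in hr:
                if hr[user]["status"] != "active":
                    reason = "owner terminated in HR"
            elif user in contractors:
                if contractors[user]["end_date"] < today:
                    reason = "contract ended"
            else:
                reason = "no owner in HR or contractor roster"  # e.g. service accounts
            last = acct["last_login"]
            if reason is None and (last is None or (today - last).days > stale_days):
                reason = f"no login in {stale_days} days"
            if reason:
                findings.append((system, user, reason))
    return findings

def run_sample_audit(today=date(2024, 3, 5)):
    return find_orphaned_accounts(SYSTEM_ACCOUNTS, HR_ROSTER, CONTRACTOR_ROSTER, today)

if __name__ == "__main__":
    for system, user, reason in run_sample_audit():
        print(f"{system}: {user} -> {reason}")
```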
Another non-obvious threat is legacy and shadow IT systems. Once a legacy system is taken out of mainstream production, it is easy to forget that it still needs to be secured. These legacy systems often stop getting patched, which leaves them vulnerable, and nobody is generally watching to see who is accessing them. They are easy for an unscrupulous person to breach without anyone noticing. Shadow IT systems are also vulnerable to breach, since they were often selected and implemented with no cybersecurity oversight. By its very nature, you have no idea what security holes might exist in your shadow IT, because it was acquired through a non-standard process that was hidden from your security leaders.
Don’t let these non-obvious threats put your healthcare organization at risk. Learn what you can do to better ensure the security of your organization’s valuable information.