Physician, protect thyself: An ounce of prevention is worth a pound of cure
In part one of our Physician, protect thyself series, we recognized significant security problems within the healthcare industry that need addressing. Health organizations moving from the paper to the ‘puter—a shift meant to improve care and overall patient experience—inadvertently introduced substantial privacy risks to healthcare records. They are suddenly accessible whenever and wherever the patient or medical staff is. Not only that, patient records are now as portable, transferable, alterable, and destructible as they can be—by both good and bad actors. The interconnectedness of devices and systems further compound the risk.
BYOD, the boom of mHealth apps, the cloud, and the lack of awareness among staff have made healthcare cybersecurity more challenging than ever.
These are challenges that, thankfully, two particular staff members of small- to medium-sized hospitals or clinics can tackle, with a little help from others: the Manager and the IT Specialist. They are the prime movers in turning things around for healthcare SMBs (with proper security guidance, of course).
So in part two of this series, we’ll provide them with tips to prepare for new responsibilities that directly affect the state of cybersecurity and privacy readiness.
Did someone say “CISO”?
Security consultants in the healthcare industry advise all organizations to hire their own Chief Information Security Officer (CISO), as health records being moved online calls for information security to be at the forefront of any strategy. Some larger hospitals can likely accommodate this position in their ranks; however, this may not be possible for smaller ones.
For one, healthcare organizations, like other industries, are seeing a shortage of IT security talent. This is because technologies are adopted at a quicker pace than people are getting trained to manage, maintain, and secure them. For another, a majority of healthcare facilities only devote a small budget for security. In this case, it’s not surprising to find that computer systems in SMB hospitals and clinics are ill-equipped to handle cyberattacks, much less have a dedicated IT person overseeing them.
With challenges like these, they could resort to looking into several low-cost alternatives:
- Avail the service of a virtual CISO (vCISO), which some companies offer
- Hire internally
- Expand the job descriptions of particular individuals in the right positions
With point three in mind, the manager position is the likely role to be awarded additional tasks—and for a good reason. Managers have oversight on people, policies, organizational strategy, resources, and communication. And when it comes to introducing change, managers are responsible for planning the direction, communicating it, and overseeing the changes taking place.
The Health Information Manager (HIM), also known as the Health Information Administrator, is viewed as the information specialist in healthcare, as they are responsible for obtaining, examining, ensuring the accuracy of, and protecting patient medical information.
While it is great news that healthcare is now setting an exponentially higher budget for cybersecurity, this is mostly for buying technologies and solutions and not hiring. As such, there is still that need of having the right people to do the job that needs to be done.
And so, without further ado…
To up their game, managers must begin thinking about cybersecurity and privacy, and find ways to incorporate them into the daily duties of staff within the facility.
Review current practices
A good place for managers to start is to review current physical security measures they practice within and without hospital or clinical premises. Now you might think, “Hang on, why should managers look into how they lock their doors first when we’re talking about cybersecurity?” What most of us may not realize is that computer security starts with physical security. Is it any wonder that some cybersecurity experts are also fond of lock picking?
Physical security is often overlooked and underestimated. Worse, it is seldom talked about within cybersecurity. With healthcare organizations and facilities that heavily rely on medical devices, systems, and health information all linked together in a network, the need for physical security becomes very real the moment when, say, a DDoS attack renders systems inoperable and causes a power outage that prevents doctors from performing serious care or emergency surgeries in the ICU.
It is imperative that managers think back and assess where the facility stands for compliance with industry standards and security frameworks they’ve adapted.
More importantly, managers must review the facility’s information lifecycle—the stages through which records go—from its creation to its archiving or destruction. Consider the following questions:
- Have staff consistently followed proper protocol when it comes to the disposal of printed-out patient records and other medical documents? (e.g., Do they just dispose of them in public dumpsters or other containers that are accessible to the public or unauthorized persons?)
- Have staff consistently followed proper protocol when it comes to the reuse of office furniture where physical or electronic records are kept and/or electronic media (such as CDs and USB sticks)?
- Are confidential and non-confidential data stored in separate spaces?
- Are stored records and other sensitive documents encrypted?
- What’s the policy on data retention?
Identify feasible threats and vulnerabilities
The Manager must then identify what measures need improvement, what additional security procedures they should introduce, and what practices they can scrap (if any) and replace with something more efficient, sound, manageable, and repeatable. This process is called risk assessment. And the Manager may need to talk to staff and third-party vendors for their input.
Consider the following questions:
- What could possibly happen if a member of staff lost his/her access cards and went unreported for a few days?
- What could possibly happen if USB ports on computers and devices are left open?
- How many external vendors have access to their records and/or facility?
- Can staff access the open web on any computer terminal?
- Should they consider getting an insurance policy in case of potential damages incurred in the event of a cyberattack?
Note that a regular review (e.g., once a year) of potential vulnerabilities is needed to be on top of critical weaknesses that need to be prioritized.
Introduce a culture of cybersecurity
Educating employees is the first step, but it doesn’t end there. Education is merely part of the security culture the Manager would want to incorporate into the bigger cultural setup in healthcare. His/her ultimate aim is to imbibe security practices to staff to the point that doing them comes naturally, whether they’re within the facility or outside it.
This is the foreseen outcome of an intentional culture of security: people think, act, and behave the same way no matter where they are or where they work. For example, if healthcare personnel are ingrained to treat links and attachments in emails as suspect, they would likely act the same way when they check emails at home.
I mentioned before that people generally have a negative perception about security, and the Manager must realize this. Doing so can help him/her change the tone and language to use when introducing this new culture in an already complicated setup.
As champion, the Manager must create a narrative focusing on the benefits of practicing basic security hygiene and playing their part in securing patient health records. In addition, he/she should be sure that training and awareness campaigns are in place not to hinder or delay them from caring for their patients but actually to increase patient satisfaction, as they have increased the likelihood that their PHI is safe.
Create a cybersecurity training plan
If the Manager doesn’t know where to start in drafting a training plan, the SANS Institute, a company specializing in cybersecurity training and information security, has a robust toolkit they can use to start this off. They may wish to cover the following topics in the plan:
- Definition of terms, such as phishing
- Social engineering tactics
- Scams and fraud tactics
- Extra: Good computing habits in the workplace
- Extra: Workplace social media security
Update the hospital or clinic policy to include a section on cybersecurity
To further drive home the need for change and to foster accountability on everyone within the facility, the Manager must also update the current policies to include cybersecurity. At this point, he/she may already have an idea of what to add, given that they already did a review of current practices and assessed potential threats and vulnerabilities in the existing hospital or clinic setup.
Other items the Manager should include in the new section of the policy are:
- What security software programs are/should be running on endpoints
- For endpoints facing the open web, what browser and plugins should be installed
- How and how often sensitive information or PHI are backed up
- How and when software updates will be applied
- Which users have admin rights on endpoints
- Who is responsible for maintaining, enforcing, and reviewing the cybersecurity policy
The Manager must also address security concerns surrounding BYOD, the cloud, internal WiFi, and even working remotely, as many healthcare practitioners have already welcomed these.
Include acceptable usage guidelines, stressing the importance of locking machines, devices, and accounts using multi-factor authentication, and how to report security incidences should a staff encounter one. Furthermore, the policy must clearly state what would happen if a staff is found to be non-compliant, especially in the event of a breach.
After updating the policy, the Manager must then set a review period for the cybersecurity policy to maintain currency and relevancy.
Read: How to create a successful cybersecurity policy
The IT Specialist
For some SMBs, having a dedicated IT department or person is quite uncommon. Many believe that one wouldn’t really need one as long as there is someone responsible for overseeing IT support tasks and ensuring that sensitive information is stored and appropriately protected at all times. However, this may not be applicable to SMB hospitals and clinics due to the nature of their round-the-clock availability and care.
As the lack of a dedicated specialist could mean that such IT tasks may likely fall into the hands of the Manager, at this point, we highly suggest hiring for a specialized IT role. Not only would this ease the burden on managers, who apart from having a ton on their plate are also involved in the care of patients, this would also allow the IT person to focus on providing support for staff and patient needs that only an IT specialist can offer.
These tasks include (but are not limited to) installing and maintaining software on endpoints, configuring hardware to ensure they follow industry standards and internal policies, and monitoring the network for any form of intrusion.
Note that the IT role can be a temporary one, as nowadays, current technology has made it possible for SMBs to survive without an in-house specialist. Healthcare SMBs can also take this route if budget constraints continue to prevent them from keeping an IT person in the long run.
Should the healthcare facility require IT support, they can always avail services of third-parties who can do this for them. Outsourcing IT needs can also avoid a potentially high turnover of professionals, which is experienced by many healthcare SMBs, and address the constant monitoring and managing of BYOD devices. Of course, hiring IT under contract must be bound by the security policies of the facility for its safety and the safety of their patients’ sensitive information.
Regardless of who is wearing the IT tinfoil hat, we suggest the following to beef up the security of the healthcare facility and the scores of valuable data they house.
Introduce an identity and access management (IAM) system
An IAM is a framework that businesses of all sizes use to facilitate digital identities. It allows active employees to access various accounts without the need for multiple logins. With the guidance of the Manager, IT can limit the number of accounts a particular group of employees can access via an IAM.
Examples of such systems are Okta, OneLogin, Centrify, and SailPoint. It’s important for healthcare facilities to control who accesses what accounts or systems to foster accountability and minimize unauthorized access or disclosure of information, either done maliciously or as a result of negligence on the part of the staff.
Schedule regular backup and encryption of information
Now more than even, backing up files has become a necessity—thanks to the proliferation of ransomware. In a previous post, we provided you the 3-2-1 method of backing up that goes like this:
- Make 3 different copies of your data
- Store 2 copies in different forms of media
- Store 1 copy offsite
Furthermore, do not just back up the data, but encrypt them as well.
Read: Backup and lockdown: when device theft strikes
Schedule regular software patching
Perhaps doing this alone would stop a large chunk of attacks, banking on the fact that most healthcare facilities, regardless of size, run on outdated OS and other software.
Disable USB ports on endpoints that do not need them
There are many ways things can go wrong if an endpoint has an open USB that anyone can just plug into. Sure, charging your smartphone device may be the most benign thing you can do with it, but open USB ports also encourage staff to plug in potentially risky external drives. It is safer to disable ports physically or via the Windows registry to mitigate the spread of malware and even the theft of highly-sensitive data.
Tackle issues surrounding free, in-house WiFi
It’s not uncommon for SMB hospitals and clinics to offer free WiFi to patients, visitors, and staff within the facility. The IT specialist must set up the network to meet the needs of both staff and non-staff, starting with making sure that:
- The main network is separate from the guest network
- The main network will be able to handle heavy traffic from multiple endpoints, including healthcare IoT devices, and support bandwidth-intensive transfers, such as voiceover wireless LAN
- The main network is encrypted (WPA)
- The main network must not be used by personal devices, such as smartphones, tablets, or laptops (but this can be on a case-to-case basis)
- The guest network must have a limited bandwidth
- The guest network must have certain websites blocked to discourage bandwidth hogging
- The guest network must not be able to retrieve sensitive records belonging to patients or the facility
- The guest network must be secured with a password
- Users are informed about the facility’s Acceptable Use Policy
Draft a business continuity/disaster recovery plan
The IT Specialist must work with the Manager in creating a plan on what the hospital or clinic will do during and after a breach. After all, as we keep saying, “It’s no longer a matter of ‘if’ but ‘when’ a breach will happen,” so everyone must expect that it will at some point. If they need further help on this, there are guides and templates available online they can customize to their needs. Here’s one from SANS.
Consider using virtualization
Sensitive files leaving the facility’s servers has always been a great concern for healthcare. And for many, virtualization has helped mitigate this pain point. As healthcare is different from other industries, pros and cons to virtualization must be weighed carefully as welcoming virtualization may introduce other complexities the facility may not be equipped to handle. An example of a possible problem the facility might encounter is server or application downtime, which can potentially stop care operations for a period.
Benjamin Franklin once said that an ounce of prevention is worth a pound of cure. And this has never been truer today.
It is encouraging to find that current healthcare leaders are making mature and quick strides in cybersecurity. Studies have shown that majority of threats aimed at the healthcare industry are preventable, and can be mitigated with proper staff education, training, consistent follow-throughs, enforcement of security policies, and continuous compliance with industry standards.
If the Manager and the IT Specialist continue to work with staff and their own resources, they have already made that first difficult step towards a more secure healthcare facility.
*** This is a Security Bloggers Network syndicated blog from Malwarebytes Labs authored by Jovi Umawing. Read the original post at: https://blog.malwarebytes.com/101/2018/04/physician-protect-thyself-an-ounce-of-prevention-is-worth-a-pound-of-cure/