Health organizations need an all-encompassing framework to make smart, informed decisions to prioritize cybersecurity spending, build and instill a culture of security, and protect the assets most directly impacting business strategy and objectives.
The key steps organizations need to take are:
- Complicate an attacker’s ability to achieve their objective
- Detect an attack before meaningful business is impacted
- Respond effectively and immediately to remediate an attack
- Educate your workforce to increase awareness, develop and maintain a security consciousness, and fend against phishing attacks
The key operating concept is the idea of an active defense: probing for, analyzing and neutralizing threats before they can acquire or damage an organization’s critical assets. This requires organizations to understand their risk spectrum – over time and at every step along the data collection path.
Know the value of your data – and start with the areas of highest risk
To allocate cybersecurity dollars wisely, organizations must learn the value of their information assets, updating assessments at least annually and at every point in their supply chains. The costs of security breaches in health care are too high to ignore. A data breach could bring your entire business to a standstill, and a ransomware attack could lock down your data, making daily operations impossible.
Yet not everything should be protected with equal rigor. The higher the value, the stronger your protection needs to be at those transaction points.
The risk grows as you gain more data. The value of health data may increase over time: unlike credit card numbers, PINs or passwords, health data cannot be changed after it is exposed, and aggregating it (combining individual records, or data sets from multiple individuals) makes it more valuable. For instance, data is more valuable (and needs higher protection) at the end of a clinical trial than at its start.
Improving your people’s cyber-resilience
Security must become the new mindset and the new backbone around which operational or delivery-of-care models are built.
But in many cases, it’s challenging for security experts to convince people (like doctors and other health practitioners) to alter their workflow to accommodate risk mitigation.
In some cases, the concerns are valid – for instance, many doctors are reluctant to use two-factor authentication, as it might slow down the treatment of a critical patient. In others, it is a matter of educating everyone in the chain on the potentially dire outcomes of a security breach, and stressing the need for diligence in daily health care tasks.
Key steps for every organization to improve the cybersecurity of its employees include:
- Educating your workforce to be on the lookout for spear-phishing attacks, those seemingly legitimate emails from a familiar individual or organization that are, in fact, fraudulent communications
- Changing employee perceptions of cybersecurity as an annoyance to be avoided when possible, to a fundamental part of achieving the organization’s objectives
- Raising the overall awareness of all operational stakeholders in your business – from every level of employee to every component of your supply chain
- Making sure your workforce education and security measures do not instill too much fear in your users
Communicating and responding effectively
Just as the best medicine is preventive, the most effective cybersecurity is proactive and preemptive.
Build a crisis management plan now and be ready to execute it at the first sign of a security incident. This plan needs to address responses for:
- Customers – and your organization’s responsibility to those harmed by an attack, including plans for different responses based on what was lost or disrupted in the breach
- Stakeholders – including others in the supply chain, stockholders, employees, and anyone else with a vested interest in your organization
- The spokesperson – and whether this will differ depending on the scale of the event
- Public affairs – such as notifying government officials if the attack is traced back to a nation-state, where political and market sensitivities are at play
- Ransomware threats – with a differentiated strategy for varying threat levels and an understanding of how each is classified (i.e., direct financial loss, reputational loss, or legal repercussions with associated financial loss)
Summary
In a rapidly changing health care industry, cybersecurity strategies must be proactive and preemptive to protect sought-after customer data.