5 cybersecurity tips hospitals can’t afford to ignore

By Cliff Miller

Frightening threats… spooky activities… Halloween is a fitting end to National Cybersecurity Awareness Month.

Did you know that the average cost of a data breach last year was $3.62 million, and that during each attack hackers made out with about 24,000 records?

That’s pretty scary stuff.

During a time when goblins and tricks are playfully embraced, it’s also a time when the cybercriminal is thrown into focus.

As we know – for obvious reasons – hackers prey on hospitals, and yet too many healthcare institutions consider themselves unlikely targets, even as attacks both small and large-scale happen every day.

In 2014, Anthem, the second-largest insurer in the United States, was hacked. It was the largest breach in healthcare, affecting 80 million records. The hacker wasn’t after patients’ blood pressure readings or weight loss plans. The “prize” was information that could be used in identity theft (i.e., names, birthdates, social security numbers, addresses, employment information, etc.).

So what can you do to make your healthcare institution safer and protect patient information?

A2U cybersecurity experts agree that no single strategy is effective in isolation. While this list does not cover everything IT personnel should take into account when safeguarding against threats, it brings to the forefront a short list of tips that we believe deserve more attention.

In our view, below are five cybersecurity tips that hospitals can’t afford to ignore.

1. Establish a security culture and maintain good computer habits.

This starts with educating employees on best practices.

The end user is typically where most attacks begin. Think about offering ongoing cyber safety training (e.g., mock phishing attempts, password protocol, red flags in emails) for all staff – not just those in the IT department.

You may be surprised at how many employees write down important passwords on sticky notes that are slapped onto their desktop for the world to see (speaking of enterprise-level password management, we recommend Thycotic!). Or, the number of people who just get up and walk away from their work station without locking their computer.

Also, it is a good policy to make sure employees cannot install software without prior approval.

Creating a culture that is aware of the risks and practices good habits starts with education.

2. Control access to protected health information.

You’re asking for trouble if you don’t limit (and monitor) access to patient records. Don’t give employees more rights to data than they actually need.

Security measures such as locking users out after repeated failed login attempts, requiring two-factor authentication, restricting concurrent logins and enforcing time-of-day restrictions are all ways to control access. It is also important to audit systems so you can determine who is accessing what, and when.
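To make the controls in this tip concrete, here is a small access-control policy written as an added example for this post; it is not A2U's code or any product's. It models a records system with a lockout after repeated failed logins, a limit on concurrent sessions, a per-user time-of-day window, role-based least privilege on patient data, and an audit trail of every decision. The user names, roles, thresholds (three failed attempts, one session per user) and shift windows are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, time

MAX_FAILED_LOGINS = 3        # assumed lockout threshold
MAX_CONCURRENT_SESSIONS = 1  # assumed per-user session limit

# Assumed least-privilege permission sets per role (constructed for this example).
ROLE_PERMISSIONS = {
    "nurse": {"chart:read"},
    "billing": {"billing:read"},
}


@dataclass
class User:
    name: str
    role: str
    shift: tuple              # (start, end) as datetime.time: assumed time-of-day window
    failed_logins: int = 0
    locked: bool = False
    sessions: set = field(default_factory=set)


@dataclass
class AccessControl:
    users: dict
    audit_log: list = field(default_factory=list)

    def _audit(self, user, action, outcome, when, detail=""):
        # Every decision, allowed or denied, is recorded: who, what, when and why.
        self.audit_log.append({"ts": when.isoformat(), "user": user, "action": action,
                               "outcome": outcome, "detail": detail})
        return outcome

    def login(self, username, password_ok, session_id, when):
        user = self.users.get(username)
        if user is None or user.locked:
            return self._audit(username, "login", "denied", when, "unknown or locked account")
        if not password_ok:
            user.failed_logins += 1
            if user.failed_logins >= MAX_FAILED_LOGINS:
                user.locked = True   # lockout after repeated failures
                return self._audit(username, "login", "locked", when,
                                   f"{user.failed_logins} failed attempts")
            return self._audit(username, "login", "denied", when, "bad password")
        start, end = user.shift
        if not (start <= when.time() <= end):
            return self._audit(username, "login", "denied", when, "outside time-of-day window")
        if len(user.sessions) >= MAX_CONCURRENT_SESSIONS:
            return self._audit(username, "login", "denied", when, "concurrent session limit")
        user.failed_logins = 0
        user.sessions.add(session_id)
        return self._audit(username, "login", "allowed", when, f"session {session_id}")

    def access(self, username, session_id, permission, record_id, when):
        user = self.users.get(username)
        target = f"{permission} {record_id}"
        if user is None or session_id not in user.sessions:
            return self._audit(username, target, "denied", when, "no active session")
        if permission not in ROLE_PERMISSIONS.get(user.role, set()):
            return self._audit(username, target, "denied", when, f"role {user.role} lacks permission")
        return self._audit(username, target, "allowed", when)


def denied_events(audit_log):
    """Audit-review helper: every decision that was not allowed, with its reason."""
    return [(e["user"], e["action"], e["detail"]) for e in audit_log
            if e["outcome"] not in ("allowed", "ok")]


def demo():
    # Constructed users, sessions and timestamps; none refer to a real system.
    ac = AccessControl(users={
        "nurse01": User("nurse01", "nurse", (time(7, 0), time(19, 0))),
        "bill02": User("bill02", "billing", (time(8, 0), time(17, 0))),
    })
    day = datetime(2023, 10, 31, 9, 0)
    night = datetime(2023, 10, 31, 23, 0)
    results = [
        ac.login("nurse01", True, "s1", day),                      # allowed
        ac.access("nurse01", "s1", "chart:read", "P-100", day),    # allowed: within role
        ac.access("nurse01", "s1", "chart:export", "P-100", day),  # denied: nurse cannot export
        ac.login("nurse01", True, "s2", day),                      # denied: concurrent limit
        ac.login("bill02", False, "s3", day),                      # denied: bad password
        ac.login("bill02", False, "s4", day),                      # denied: bad password
        ac.login("bill02", False, "s5", day),                      # locked: third failure
        ac.login("bill02", True, "s6", day),                       # denied: account locked
        ac.login("nurse01", True, "s7", night),                    # denied: outside shift
    ]
    return results, ac
```

Calling `demo()` runs the scenario and returns the outcomes together with the `AccessControl` object; `denied_events(ac.audit_log)` is the kind of review query the audit point in this tip is about, since the log records denied and locked decisions as well as allowed ones, and a reviewer can see who tried to reach what, when, and why it was refused.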

3. Don’t skimp on a regular risk assessment.

Take the time and care to fully understand how data moves within your organization's networks. By assessing your security issues and vulnerabilities, you will be able to prioritize what needs the most protection and, in turn, develop a much stronger defense.

Use the intel from regular assessment to create security incident response plans – and test them. Conduct these tests just as seriously as you perform tests for physical emergencies. In a crisis, you don’t want to have to rely on unproven procedures.

4. Please, please use a firewall.

Firewalls prevent intruders from entering the network in the first place while anti-virus software helps find and destroy malicious software that has already entered the endpoint.

Configuring a firewall can be technically complicated, and hardware firewalls should be configured by trained technical personnel.

Large practices that use a Local Area Network (LAN) should consider a hardware firewall. A hardware firewall sits between the LAN and the internet, providing centralized management of firewall settings. This increases the security of the LAN, since it ensures that the firewall settings are uniform for all users.

5. Last but not least, partner with a trusted IT advisor to layer your defense systems.

By the way, I know a guy 😉

Antiquated systems are particularly vulnerable to attack. You need the expertise of a specialized healthcare IT solutions provider to help you stay current with cybersecurity best practices.

As a national leader in healthcare IT, A2U collaborates with security solutions partners like Cisco and Palo Alto Networks to implement the latest advances in security, automation and analytics safeguards to minimize vulnerabilities and mitigate risks.

The cost of cyberattacks is undeniably daunting: interruption of daily operations, private data exposure and loss, risk to patient health, a fractured business reputation, potentially millions in financial damages and the compromise of patient trust. And unfortunately, the modern healthcare landscape will always be an attractive target for cyberattacks because these criminals rely on human error and user interaction. Though it is unrealistic to completely prevent an attack, a holistic approach to cyber defense can reduce the likelihood of one (and increase preparedness when it happens).

I’ll leave you with this: complacency is dangerous. IT security is not about if you get breached, but when. Got a question on cybersecurity or an additional tip to share? Shoot us a note at feedback@a2u.net.


Cliff Miller is the chief technology officer at A2U.