With so much sensitive, valuable data to protect, data breaches are the bane of health care. According to security firm FortiGuard Labs, health care organizations experience an average of nearly 32,000 intrusion attacks per day – twice as much as any other industry. Despite this alarming statistic, cybersecurity often takes a back seat to the day-to-day operations of providing care. A 2018 CHIME HealthCare’s Most Wired survey reveals that only 29 percent of health care entities have a full cybersecurity program in place. To put this in perspective, on average, health care establishments spend only half as much on cybersecurity as other industries.
A cyberattack can impact financial, administrative and clinical information systems in addition to medical devices and equipment that are connected to the network. The loss of time, money, consumer trust – and sometimes life – that results from a cyberattack is detrimental to the health care system.
The start of a new year is the perfect time to reevaluate cybersecurity measures and make steps toward improvements. Here are six cybersecurity resolutions that health care organizations should consider for 2019:
1. Conduct a cybersecurity risk assessment
To make improvements in a cybersecurity strategy, an institution must first determine how vulnerable its employees and systems are to attack. The end goal of an assessment is to identify potential threats, anticipate their impact and come up with recovery options. It’s a time to evaluate current security tools, vendors and their effectiveness, too.
Once strengths and weaknesses are clear, it is easier to figure out how the strategy needs to evolve. To be most effective, the evaluation should include input from departments and stakeholders across the enterprise. A security health checkup is also a good opportunity to better align cybersecurity efforts with overall business needs and objectives. Cybersecurity investment and performance should be regularly measured and updated according to results and feedback.
2. Build a strong cybersecurity budget
A recent survey by Black Book Market Research found that health care organizations assign about three percent of their IT budget to cybersecurity. While it is critical for cybersecurity to be an organization-wide priority, it can be challenging for security professionals to show the value of this investment. Executives from the National Association of County and City Health Officials report that health care breaches can cost as much as $400 per patient. So, it makes financial sense to allocate most of a cybersecurity budget to prevention. Adequate funding for detection and cleanup and business continuity and disaster recovery is also necessary. The budget for training should be shared across the organization.
3. Hire a chief information security officer
Sixty percent of health care facilities have a dedicated cybersecurity executive, according to a survey from the Healthcare Information and Management Systems Society. While the Health Insurance Portability and Accountability Act of 1996 doesn’t require health care organizations to employ a chief security officer, having a full-time point person to guide cybersecurity is essential.
Successful chief security officers understand both IT and the business of health care. They drive the security strategy forward and represent the organization as an expert in the industry. With a senior executive-level title, the lead security professional has greater independence to determine which security issues are the most critical to address. When a health care facility emphasizes the chief security officer role, it reflects, both internally and externally, that protecting hardware, software and data from unauthorized access is a high priority for the organization.
4. Create a security-minded culture
The personal actions of employees on corporate devices can have major negative impacts on a health care organization. Entities that develop and nurture a robust security culture are taking a big step toward eliminating vulnerabilities. Mandatory training on cybersecurity best practices should start during the onboarding process and continue on a regular basis throughout the lifetime of employment. Communication of cybersecurity information needs to be planned and widespread to keep all departments updated and on the same page.
5. Dedicate resources to the Internet of Things (IoT)
From patient monitors to X-ray machines, health care devices are becoming more and more connected to the internet to send and receive data. The IoT health care market is expected to reach more than $158 billion by 2022.
Although this could revolutionize the quality of patient care, it also poses significant cybersecurity risks. Creating a segmented network for IoT that is guarded by its own firewalls will deter hackers from getting to patient records, fiscal reports and other important data that is located on the rest of the network. Machine learning, which can monitor data exchanges and predict threats in near real-time, is another powerful tool in increasing security in the world of IoT.
6. Increase industry transparency and collaboration
There is no need for health care organizations to recreate the wheel when it comes to developing a dedicated and comprehensive cyber security program. At the end of the day, security professionals are all fighting the same battles, and if entities are open with sharing their strategies and lessons learned across the industry, protection will likely improve. Joining local chapters of security groups, such as InfraGard, ISACA or the Health Information Sharing and Analysis Center, gives health care establishments the opportunity to share their success stories and learn best practices from colleagues in the field.
Cerner's Cybersecurity Risk Assessment makes it easy to see where your data security may be vulnerable—and what you can do to improve. To learn more and to request your cybersecurity risk assessment, click the button below.
Request your Assessment.