The start of a new year encourages us to reflect on the past and look to the possibilities of the future. In health care, our goals often align around the pursuit of patient safety, improved outcomes for all and a more satisfying clinician experience.
A strong cybersecurity posture is a critical part of delivering the highest quality care and operating efficiently. Unfortunately, a recent report shows that health care providers are the most targeted sector for cybercrimes, accounting for 79% of all reported breaches. Nearly 500 providers were breached in 2020, affecting just over 16.5 million patients.
While cybersecurity is a challenge for some organizations, especially now as our industry is adapting to new capabilities, processes and workflows amid the COVID-19 pandemic, we must continue to do everything we can to defend our computers, servers, mobile devices, electronic systems, networks and sensitive data from malicious attacks.
William Crank, COO, Fortified Health Security, also states that “...as we look forward to 2021, security teams will have their capabilities stretched and tested. As more and more focus is placed on cybersecurity by all industries, managing security talent retention will be a struggle as resources will be heavily recruited. Lastly, security strategies will be revisited heavily as previously approved projects may not address the current threat landscape since the four walls of the facility have now expanded to our associates' home networks due to a large, and potentially permanent, remote workforce. Protecting our resources at the edge will become a point of emphasis for information and IT security teams.”
As you determine how to safeguard your organization in 2021 and beyond, these are four practical resolutions to consider.
1. Establish an incident response plan
A data breach or cyberattack can be devastating for a hospital or health system, potentially leading to patient harm and significant financial losses.
An incident response plan (IRP) is vital to effective threat response and recovery. The document should provide an enterprisewide road map for topics such as alternate options for internal and external voice and data communication, cybersecurity insurance, methods for keeping current and processes for immediate notification of key internal and external personnel. Your IRP should be crafted with input from relevant stakeholders throughout the organization and positioned within the overall crisis management plan. The procedures must be socialized, tested and regularly updated with staff members receiving frequent training on their IRP roles and responsibilities.
For example, a health care organization in the southwestern United States engaged Cerner and Fortified Health Security immediately after discovering a security event. Within minutes, the Cerner/Fortified team began executing the IRP, stopping the situation from turning into a ransomware event. The IRP process included:
- Incident notification and containment
- Eradication and recovery
- Choosing a containment strategy
- Evidence gathering and handling
- Identifying the attacking hosts
- Post-incident activity
- Lessons learned
2. Develop telehealth strategies
COVID-19 has made telehealth services essential to safe care delivery. Cerner collaborates with several key telehealth companies to assist clients, whether they are small, rural community hospitals or large metropolitan health systems. While the benefits of being able to provide care remotely are immense, the rapid pivot to using this technology and the loosening of restrictions left many facilities open to new and increased dangers.
Moving forward, telehealth options will be expected as patients and providers have come to enjoy the comfort and convenience of these tools. Organizations will need robust cybersecurity measures in place to meet the demand and address concerns around data protection and privacy.
3. Maintain compliance and regulatory requirements
As health care becomes increasingly reliant on technology, the need for more regulations around data privacy and protection will only accelerate. A notable example is the Office of the National Coordinator (ONC) for Health IT rule on information blocking that was finalized in March 2020.
Cybersecurity goes hand in hand with meeting compliance and regulatory requirements. It’s essential that health care data be secure, organized and accessible to patients and providers. A data inventory can help with implementing and maintaining compliance strategies that meet current needs and prepare for what comes next in health care. Fortified Health Security works with care providers to develop vigorous, scalable inventory management solutions that track and monitor all connected medical devices.
A complete data inventory allows health care facilities to see elements in real time, such as every IP address on a network and the owner responsible for each device. It also provides quick visibility into where data is stored and into security event details that aid in reporting to the appropriate agency.
4. Prepare for the next crisis
The past year has solidified the need to be prepared for the unexpected, whether that be a global pandemic, a natural disaster or anything in between. Novel threats are constantly shifting and emerging. For instance, the COVID-19 vaccine distribution pipeline is facing serious cybersecurity risks as hackers attempt to take advantage of vulnerabilities in the massive effort.
Health care organizations of all sizes can benefit from the help of cybersecurity consultants. The cybersecurity leaders at Cerner and Fortified Health Security will work with your organization to provide the necessary guidance, risk assessments and other support for more secure operations.
Cybercriminals continue to sharpen their focus on health care. By including stronger, more proactive cybersecurity measures in your organization’s new year’s resolutions, patients and providers will be better protected from the dire consequences of an attack.
From managed services to purpose-built security solutions and compliance preparedness, Cerner provides the expertise and unique approach to cybersecurity necessary to help keep your data and your patients’ data protected.