How to establish cybersecurity awareness in hospitals
Why is it important for hospitals to establish a 'culture' of cybersecurity?
As hospitals continue to digitise rapidly, there is an innate need for a better understanding of digital security. Digital is at the forefront of every organisation’s business strategy, and naturally, cybersecurity is no longer an afterthought. However, one of the biggest cybersecurity worries hospitals face is the lack of security awareness and a culture of security.
How can hospitals embed cybersecurity as part of their culture?
First and foremost, hospitals and their staff need to understand that cybersecurity is no longer only the responsibility of the IT or security team but is a shared responsibility.
Secondly, hospitals need to adopt dynamic risk quantification platforms which go beyond just classroom training, and aggregate data from various sources including cybersecurity training, User and Entity Behavior Analytics (UEBA), and more to provide a real-time risk score for every employee.
This score can help the security team identify the riskiest users, so they can plan personalised training and awareness programs to improve their risk posture over time. When everyone knows how likely they are to cause a data breach and the consequences of their negligence on an organisation – cybersecurity evolves from being an IT issue to shared responsibility and helps develop a cohesive culture of security.
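One way the per-employee score described above can be assembled, as an added illustration that is not the interviewee's tooling or any vendor's product: signals from several sources (a phishing simulator, the training system, UEBA alerts, the identity platform) are weighted, decayed by age so that recent behaviour dominates, clamped to a 0-100 score, and the strongest contributor picks the tailored training topic. The signal types, weights, 30-day half-life and training mapping are assumptions chosen for the example, and the events at the bottom are constructed sample data.

```python
"""Per-employee cyber-risk score aggregated from several signal sources.

Added illustration for this article, not the interviewee's own tool or
any vendor's product. Signal types, weights, half-life and the training
mapping are assumptions; the events at the bottom are constructed data.
"""
from collections import defaultdict
from datetime import datetime

# How much one event of each type raises (or lowers) a user's score.
# Assumed values for illustration only.
SIGNAL_WEIGHTS = {
    "phishing_sim_clicked": 30,     # clicked a link in a simulated phish
    "phishing_sim_reported": -10,   # reported the simulation: good behaviour
    "training_overdue": 15,         # mandatory awareness module not completed
    "ueba_mass_download": 40,       # UEBA flagged unusual bulk record access
    "ueba_impossible_travel": 25,   # UEBA flagged logins from distant places
    "mfa_not_enrolled": 20,         # account still relies on a password only
}

# Which tailored training topic addresses which signal (assumed mapping).
TRAINING_FOR_SIGNAL = {
    "phishing_sim_clicked": "email threat recognition",
    "training_overdue": "complete the mandatory awareness module",
    "ueba_mass_download": "data handling and need-to-know access",
    "ueba_impossible_travel": "account security and MFA",
    "mfa_not_enrolled": "account security and MFA",
}

HALF_LIFE_DAYS = 30.0  # an event's weight halves every 30 days (assumed)


def decay(age_days: float) -> float:
    """Exponential decay so recent behaviour dominates the score."""
    return 0.5 ** (age_days / HALF_LIFE_DAYS)


def score_users(events, now):
    """Return {user: (score, top_signal)}; score is clamped to 0..100.

    events: iterable of (user, signal_type, datetime) tuples from any
    source; unknown signal types are ignored rather than guessed at.
    """
    totals = defaultdict(float)
    per_signal = defaultdict(lambda: defaultdict(float))
    for user, signal, ts in events:
        weight = SIGNAL_WEIGHTS.get(signal)
        if weight is None:
            continue
        age_days = (now - ts).total_seconds() / 86400.0
        if age_days < 0:
            continue  # clock skew / future-dated event: do not count it
        contribution = weight * decay(age_days)
        totals[user] += contribution
        per_signal[user][signal] += contribution

    result = {}
    for user, total in totals.items():
        score = max(0.0, min(100.0, total))
        # The largest positive contributor decides the training topic.
        positives = {s: v for s, v in per_signal[user].items() if v > 0}
        top = max(positives, key=positives.get) if positives else None
        result[user] = (score, top)
    return result


def riskiest(scores, n=3):
    """Top-n users by score, highest first, for targeted follow-up."""
    return sorted(scores, key=lambda u: scores[u][0], reverse=True)[:n]


def training_plan(scores):
    """Map each scored user to the topic their riskiest signal calls for."""
    return {u: TRAINING_FOR_SIGNAL.get(top, "general awareness refresher")
            for u, (_, top) in scores.items()}


# Constructed sample events (user, signal, timestamp); not real data.
NOW = datetime(2024, 6, 1)
SAMPLE_EVENTS = [
    ("alice", "phishing_sim_clicked", datetime(2024, 5, 31)),
    ("alice", "ueba_mass_download", datetime(2024, 5, 30)),
    ("bob", "phishing_sim_reported", datetime(2024, 5, 25)),
    ("bob", "mfa_not_enrolled", datetime(2024, 6, 1)),
    ("carol", "phishing_sim_clicked", datetime(2024, 3, 3)),  # 90 days old
    ("dave", "training_overdue", datetime(2024, 6, 1)),
    ("dave", "ueba_impossible_travel", datetime(2024, 5, 22)),
    ("eve", "badge_swipe", datetime(2024, 6, 1)),  # unknown source: ignored
]

if __name__ == "__main__":
    scores = score_users(SAMPLE_EVENTS, NOW)
    plan = training_plan(scores)
    for user in riskiest(scores):
        print(f"{user:6} {scores[user][0]:5.1f}  -> {plan[user]}")
```

With the sample data, a fresh phishing click plus a UEBA bulk-download alert puts alice far ahead of everyone else, while carol's three-month-old click has decayed to almost nothing; the ranking and the topic chosen for each person are what the security team would act on, and a future-dated or unrecognised event never moves a score.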
What cybersecurity training practices are most important for hospital staff?
The vast majority of healthcare breaches still happen through email (89% of initial breaches). Meanwhile, 57% of insider threats in a hospital are also caused by unintentional sharing of confidential data through email or by opening an email containing malicious attachments.
This is a key area hospitals need to focus on. Using Multi-Factor Authentication, passphrases instead of passwords, and getting a real-time feed of how good or poor their cyber hygiene is, will enable healthcare professionals to be more cyber-secure.
Mandatory desktop-only, classroom-type training is no longer sufficient when cyberattacks are becoming increasingly sophisticated. A recent poll found that 1 in 5 people saw no reason to learn about the issue at work! Cybersecurity awareness sessions in hospitals should be more dynamic and customised to the person and team receiving them.
For example, those working in radiology should understand that while hacking into the CT machine may be difficult, gaining control of the mainframe computer is not difficult at all. Similarly, finance department employees should also be trained not to sanction any large payments unless there is verbal and written authorisation, to avoid CEO fraud.
How can hospitals maintain good cyber hygiene?
The healthcare industry today is plagued with two big challenges – lack of skilled security personnel and increased dependency on following a traditional, compliance-heavy risk management approach. Hospitals work with thousands of third parties to share data, maintain and upgrade legacy devices, connected devices and much more, and yet continue to depend on traditional, compliance-heavy risk management practices.
Hospitals need to adopt more proactive and predictive, enterprise-wide risk quantification techniques which can objectively measure breach likelihood across people, processes, technology, and third parties. This approach can help improve cyber hygiene by reducing duplicated cybersecurity products, mitigating critical risks, and alerting teams about cybersecurity threats from within and outside the organisation (insurers, third-party vendors, suppliers) through risk prioritisation.
By adopting a quantitative risk-based cybersecurity strategy, healthcare organisations are more equipped to direct investments, identify and address critical skills gaps, evaluate the efficiency and effectiveness of control frameworks and suggest business justifications for security investments.
By objectively measuring the risks, the board and security teams can truly appreciate the dollar value impact of data breaches. Moreover, chief information security officers and chief information officers can provide their internal and external stakeholders with data-driven answers around how secure they are today to build good cyber hygiene.
How can hospitals ensure patient data and medical devices are kept secure?
A breach-likelihood measurement across people, process, technology, and first- and third-party cybersecurity products enables risk prioritisation along with proactive cyber risk mitigation and management.
The “breach-likelihood” of the organisation can be calculated at the most granular level - the breach-likelihood from each medical device of every room, or through personnel of every department, even vendors or suppliers of equipment. Each prediction makes the organisation that much more prepared to predict and therefore mitigate breaches to protect patient data.
What advice do you have in terms of moving to the cloud and using automation?
While moving to the cloud, hospitals should embrace a security-first mindset. Automation and digitisation should always be followed by a strong data backup and recovery policy, a robust data encryption policy, and an objective measurement of cyber risks. A real-time and objective evaluation of cloud assets tells the security team how likely their hospital is to get breached through any misconfiguration that is present.
As healthcare organisations ramp up cybersecurity infrastructure, they must remember that all the products and processes need to communicate with each other to generate a holistic cybersecurity posture. In a scenario where tens of cybersecurity services and tools are performing well in silos, but together generate more noise than solution, breach-likelihood is the solution that can hold cybersecurity strategies together.
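The "objective evaluation of cloud assets" in the answer above, as an added example that is not the interviewee's tooling or any cloud provider's API: a small checker walks an asset inventory, flags the misconfigurations that map directly to the policies the answer calls for (public read on an object-storage bucket, encryption at rest switched off, versioning off so a ransomware-encrypted backup cannot be rolled back, an administrative port open to the whole internet) and reduces the findings to one exposure number the team can track. The inventory format, the checks, the port list and the severity weights are assumptions for the example; the assets at the bottom are constructed sample data shaped like typical bucket policies and firewall rules, not taken from any real account.

```python
"""Objective check of a cloud-asset inventory for breach-relevant misconfigurations.

Added illustration for this article, not the interviewee's tooling or any
cloud provider's API. The inventory format, checks, port list and severity
weights are assumptions; the assets at the bottom are constructed data.
"""
import ipaddress

# Ports that should never be reachable from the whole internet (assumed list).
ADMIN_PORTS = {22, 3389, 1433, 3306, 5432}

SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2}  # assumed weights


def policy_allows_public_read(policy: dict) -> bool:
    """True if any Allow statement grants read access to an anonymous principal."""
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        is_public = principal == "*" or (
            isinstance(principal, dict) and principal.get("AWS") == "*")
        if not is_public:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(a in ("*", "s3:*", "s3:GetObject") or a.endswith(":Get*")
               for a in actions):
            return True
    return False


def rule_exposes_admin_port(rule: dict) -> bool:
    """True if an ingress rule opens an admin/database port to everyone."""
    try:
        net = ipaddress.ip_network(rule["cidr"], strict=False)
    except (KeyError, ValueError):
        return False  # malformed rule: a real tool would report it separately
    if net.prefixlen != 0:  # only 0.0.0.0/0 and ::/0 mean "the whole internet"
        return False
    low = rule.get("from_port", 0)
    high = rule.get("to_port", 65535)  # missing bounds mean "all ports"
    return any(low <= port <= high for port in ADMIN_PORTS)


def evaluate(inventory):
    """Return findings as (asset_id, issue, severity) tuples."""
    findings = []
    for asset in inventory:
        kind, aid = asset["type"], asset["id"]
        if kind == "bucket":
            if policy_allows_public_read(asset.get("policy", {})):
                findings.append((aid, "bucket policy grants public read", "critical"))
            if not asset.get("encryption_at_rest", False):
                findings.append((aid, "encryption at rest disabled", "high"))
            if not asset.get("versioning", False):
                findings.append((aid, "versioning off: weak ransomware recovery", "medium"))
        elif kind == "security_group":
            for rule in asset.get("ingress", []):
                if rule_exposes_admin_port(rule):
                    findings.append((aid, f"admin port open to {rule['cidr']}", "critical"))
    return findings


def exposure_score(findings) -> int:
    """Single number the security team can track over time."""
    return sum(SEVERITY_WEIGHT[sev] for _, _, sev in findings)


# Constructed sample inventory; names and the ARN are placeholders, not real.
SAMPLE_INVENTORY = [
    {"type": "bucket", "id": "patient-imaging-archive",
     "policy": {"Statement": [{"Effect": "Allow", "Principal": "*",
                               "Action": "s3:GetObject", "Resource": "*"}]},
     "encryption_at_rest": False, "versioning": True},
    {"type": "bucket", "id": "ehr-backups",
     "policy": {"Statement": [{"Effect": "Allow",
                               "Principal": {"AWS": "arn:aws:iam::000000000000:role/backup-writer"},
                               "Action": ["s3:PutObject"], "Resource": "*"}]},
     "encryption_at_rest": True, "versioning": False},
    {"type": "security_group", "id": "sg-ehr-db",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 3389, "to_port": 3389},
                 {"cidr": "10.0.0.0/8", "from_port": 5432, "to_port": 5432}]},
    {"type": "security_group", "id": "sg-public-web",
     "ingress": [{"cidr": "0.0.0.0/0", "from_port": 443, "to_port": 443}]},
]

if __name__ == "__main__":
    found = evaluate(SAMPLE_INVENTORY)
    for asset_id, issue, severity in found:
        print(f"[{severity:8}] {asset_id}: {issue}")
    print("exposure score:", exposure_score(found))
```

Run against the sample inventory, the imaging archive produces two findings (world-readable and unencrypted), the backup bucket one (no versioning), and the database security group one (RDP open to 0.0.0.0/0), while the HTTPS-only web group is clean; the same evaluate() over a live export, re-run on a schedule, is what turns "are we misconfigured?" into a number that moves when something changes.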
What should a good mitigation plan involve?
The first step is to ensure the hospital has a real-time and dynamic enterprise-wide view of its cyber risks - you cannot mitigate what you do not measure. Individual employees’ cyber hygiene is also crucial - using multi-factor authentication, along with robust IAM and UEBA assessments. However, if a hospital is the target of an attack, certain steps can save time, money, and lives.
Healthcare ransomware attacks act by encrypting and destroying data, making sound data backup and encryption policies paramount. By taking a predictive approach with quantified risk management practices, organisations can unify their cybersecurity strategy and gain real-time visibility across their environments.
Ransomware preparedness isn’t just about technical sophistication and cyber responses. A proactive risk management approach can help organisations better grasp the potential financial impact of a breach to evaluate the necessary steps to reduce and mitigate damages now and in the future.