10 best practices: How to prevent cyber attacks in healthcare settings
By Deryck Mitchelson, Field CISO EMEA, Check Point Software Technologies.
Historically, healthcare organizations have represented high-risk cyber attack targets, resulting in withering large-scale security interruptions. Breaches have exposed private information belonging to millions of people, and attacks have been known to cause physical harm. In the remainder of 2022, we’re poised to see a continuation of past trends.
However, a seismic shift is happening in the healthcare space. Cyber security is becoming a core tenant within the patient-centered care model, as cyber security aligns with patient-centered provider goals. Care must be of high quality, and must meet patient satisfaction scores; neither of which are possible in the absence of cyber security. Leaders are beginning to take this seriously.
When thinking in terms of patient-centered provider care goals, cyber security needs to command the space that it occupies. Cyber security needs to be the best that it can be. As a healthcare security professional or decision-maker in the process of rethinking how to prevent cyber attacks in the healthcare setting, consider the following attack prevention strategies.
How to prevent cyber attacks in healthcare settings
1. Implement role-based access controls. Access grouping and access granularity is appealing in healthcare environments, as it allows for users to maintain discretionary capabilities over his/her own objects and yet also permits organizational administrators to set-up and oversee rules.
While role-based access may need to be refined as new realities present themselves (emergency situations or other unpredictable scenarios), syntheses of international literature on the topic show that role-based access controls broadly increase patient privacy, security and regulatory compliance capabilities.
2. High-level buy-in. Organizations that are in the process of cultural changes around cyber security need to ensure a ‘positive tone’ from the top. Research shows that when communications pertaining to the values of risk management and cyber security come from the top, principles are adhered to more closely than when simply communicated from the desk of a cyber security professional.
3. Provide healthcare staff with education. Assess existing levels of privacy and data security awareness (ex. through surveys) and subsequently plan training opportunities for both clinical and non-clinical staff. As the security landscape changes, ensure that front-line staff members are given further insight into possible security issues and prevention techniques.
4. Assess patch management and vulnerabilities. Cyber criminals have a habit of targeting unpatched or otherwise unaddressed vulnerabilities within systems. Technological advances enable cyber criminals to scan systems for weaknesses, which then receive prompt attention from the hackers. As a result, patching must occur across systems at regular intervals and security managers should take care to routinely assess weak points.
5. Bring in ethical hacking services. Along planned intervals and with the direct support of relevant departments, invite ethical hackers to attempt to breach your systems. In the event that the ethical hackers manage to break through, you have precise insights into what policies, processes, tools or devices require further security attention.
When inviting ethical hackers to assist, get to know who you are working with and gather as much information from them as possible. Ensure that any hired ethical hackers can provide details concerning the tools used, issues found, and how to resolve them.
6. Build backup repositories. Although getting all of the components into place can prove time consuming, the best way to limit potential cyber attack damage is through the development of robust data backup systems. Automated, regulatory compliant cloud-based backup services can provide reliable and safe options, even for organizations that maintain vast volumes of data. They can also offer instant monitoring, which can help organizations report on problems that may necessitate intervention.
For data redundancy purposes, data should be stored in at least two disparate locations; one of which should be in an offline and immutable locale. Consider maintaining at least three copies of current data.
Apply data backup infrastructure safeguards; from complex security algorithms that can guard data integrity, to geofencing, to tamper-proof logging. Conversely, also consider applying additional layers of protection that can allow for the deletion of backups if access credentials are unexpectedly compromised.
7. Instant recovery. Healthcare management groups and organizations can’t afford down time. Ensure that your healthcare organization can recover from a disaster in minutes. An increasingly popular option is to purchase Disaster Recovery-as-a-Service (DRaaS). This can pivot disaster recovery from an operating expense into a capital expense. Disaster Recovery-as-a-Service also means that your staff is not solely responsible for spinning up systems.
Regardless of how you plan for disaster recovery, test your disaster response plans on a routine basis. In the event of a ransomware attack for example, it’s best to be able to rely on an at-the-ready squadron of backups, policies, procedures, and trusted experts.
8. Multi-factor authentication (MFA). Despite the simplicity inherent in the method, multi-factor authentication represents a key methodology if concerned with how to prevent cyber attacks in healthcare settings. Multi-factor authentication offers a series of layered protections to strategically guard networks and accounts.
Microsoft researchers have found that multi-factor authentication can block nearly all automated cyber attacks on its platforms. It also reduces the risk associated with compromised credentials. MFA implementation represents a cyber security best practice.
9. Protect mobile devices. Whether your system’s mobile devices consist of Lenovo Tablets, or items like infusion pumps and respirators, determine how you can minimize and protect your IoT/IoMT attack surface. Prevent malicious IoT/IoMT traffic using deep device visibility, risk analysis, zero-trust segmentation, threat intelligence, security gateways, and specialized healthcare-focused cyber security services. For further insights on this topic, see Check Point Software’s Buyer’s Guide to IoMT security.
10. Choose a reputable cyber security vendor. Your cyber security vendor can serve as a partner throughout your security maturation journey. In conjunction with a cyber security vendor, your organization will be able to create a formidable cyber defense strategy that’s capable of preventing and detecting the most persistent, sophisticated and advanced cyber security threats.
Closing thoughts:
Empathy in healthcare is not relegated to bedside interactions. Empathetic security leaders and decision-makers can improve care experiences through technology.
A close focus on cyber security in healthcare signals empathy. Patients commonly feel vulnerable due to their personal circumstances. With best-in-class cyber security, organizations can figuratively, representationally, and literally reduce vulnerability.
For more information about how to prevent cyber attacks in healthcare settings, please see CyberTalk.org’s past coverage. For more insights from cyber security expert Deryck Mitchelson, please see Advancing Security with the MITRE ATT&CK framework.