5 tenets of an anti-phishing culture for healthcare
SAN FRANCISCO — Many healthcare organizations lack enough visibility into their networks to know what is actually happening on their software and hardware systems, according to Fernando Martinez, chief digital officer of the Texas Hospital Association.
To that end, at the HIMSS and Healthcare IT News Privacy & Security Forum, Martinez laid out five pieces of a technology and training strategy that healthcare organizations can use to create a culture of cybersecurity, with a specific focus on anti-phishing efforts.
1. Managed services
Martinez recommended seeking partners who have a deeper bench because they can help create a closed-loop process for security that includes managing, monitoring and alerting.
2. Dual-factor authentication
The healthcare industry historically has not widely adopted dual-factor authentication, Martinez said, even though other sectors already have. He suggested getting CEOs and CFOs to accept its importance, because the tools create another level of protection in the event that an employee gives up a username and password. Even if it is only partially implemented, for specific high-profile users, it can significantly reduce the threat and the potential subsequent damage.
3. Full-disk encryption
This one is a no-brainer. Yet, hospitals time and again report breaches that could have been avoided with data encryption. “That a healthcare organization would have mobile devices unencrypted should never happen,” Martinez said. “That’s a failure of controls and processes.”
4. Host-based endpoint protection
Martinez said these tools can defeat zero-day exploits and, much as with dual-factor authentication, a tool that is 95 percent accurate rather than 100 percent is still better than nothing.
5. Workforce education
Martinez said hospitals need to lay down a baseline (test, educate, evaluate, act, repeat) and then measure click rates along with incident response capabilities, to understand how aware of phishing employees truly are and how prepared IT and security are to react to incidents.
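The baseline-and-measure loop above is easier to run when the numbers come out of a repeatable scorecard. The following is an added illustration, not code from the talk or from the Texas Hospital Association: it aggregates per-recipient results of simulated phishing campaigns into click rate, report rate and median time-to-report, then compares a follow-up campaign against the baseline. The record layout, campaign names and the threshold logic are assumptions; the sample data is constructed.

```python
"""Phishing-simulation scorecard (added illustration, not from the talk).

Assumed (hypothetical) record layout, one per simulated email sent:
    (campaign, recipient, clicked, reported, minutes_to_report)
Real simulation tools export different columns; adapt the loader to yours.
"""
from dataclasses import dataclass
from statistics import median
from typing import Optional

# Constructed sample export: two campaigns of ten recipients each.
SAMPLE_RECORDS = [
    # Baseline campaign: 4 of 10 clicked, 2 of 10 reported to security.
    ("2024-Q1-baseline", "u01", True,  False, None),
    ("2024-Q1-baseline", "u02", True,  False, None),
    ("2024-Q1-baseline", "u03", True,  True,  45),
    ("2024-Q1-baseline", "u04", True,  False, None),
    ("2024-Q1-baseline", "u05", False, True,  15),
    ("2024-Q1-baseline", "u06", False, False, None),
    ("2024-Q1-baseline", "u07", False, False, None),
    ("2024-Q1-baseline", "u08", False, False, None),
    ("2024-Q1-baseline", "u09", False, False, None),
    ("2024-Q1-baseline", "u10", False, False, None),
    # Follow-up campaign after training: 2 of 10 clicked, 5 of 10 reported.
    ("2024-Q2-followup", "u01", True,  True,  30),
    ("2024-Q2-followup", "u02", True,  False, None),
    ("2024-Q2-followup", "u03", False, True,  5),
    ("2024-Q2-followup", "u04", False, True,  10),
    ("2024-Q2-followup", "u05", False, True,  8),
    ("2024-Q2-followup", "u06", False, True,  12),
    ("2024-Q2-followup", "u07", False, False, None),
    ("2024-Q2-followup", "u08", False, False, None),
    ("2024-Q2-followup", "u09", False, False, None),
    ("2024-Q2-followup", "u10", False, False, None),
]


@dataclass(frozen=True)
class CampaignMetrics:
    """Scorecard for one campaign; rates are fractions of emails sent."""
    campaign: str
    sent: int
    clicked: int
    reported: int
    median_minutes_to_report: Optional[float]  # None if nobody reported

    @property
    def click_rate(self) -> float:
        return self.clicked / self.sent if self.sent else 0.0

    @property
    def report_rate(self) -> float:
        return self.reported / self.sent if self.sent else 0.0


def summarize(records) -> dict:
    """Aggregate per-recipient records into one CampaignMetrics per campaign."""
    buckets = {}
    for rec in records:
        buckets.setdefault(rec[0], []).append(rec)
    scorecards = {}
    for campaign, recs in buckets.items():
        # Only recipients who reported contribute to the time-to-report metric.
        report_times = [r[4] for r in recs if r[3] and r[4] is not None]
        scorecards[campaign] = CampaignMetrics(
            campaign=campaign,
            sent=len(recs),
            clicked=sum(1 for r in recs if r[2]),
            reported=sum(1 for r in recs if r[3]),
            median_minutes_to_report=median(report_times) if report_times else None,
        )
    return scorecards


def compare(baseline: CampaignMetrics, latest: CampaignMetrics) -> dict:
    """Measure movement against the baseline.

    Improvement means the click rate did not rise and the report rate did not
    fall; anything else signals the 'act' step of the loop needs another pass.
    """
    improved = (latest.click_rate <= baseline.click_rate
                and latest.report_rate >= baseline.report_rate)
    return {
        "click_rate_delta": round(latest.click_rate - baseline.click_rate, 3),
        "report_rate_delta": round(latest.report_rate - baseline.report_rate, 3),
        "median_report_minutes": (baseline.median_minutes_to_report,
                                  latest.median_minutes_to_report),
        "improved": improved,
    }


if __name__ == "__main__":
    cards = summarize(SAMPLE_RECORDS)
    for c in cards.values():
        print(f"{c.campaign}: click {c.click_rate:.0%}, report {c.report_rate:.0%}, "
              f"median report time {c.median_minutes_to_report} min")
    print(compare(cards["2024-Q1-baseline"], cards["2024-Q2-followup"]))
```

Click rate alone rewards people for ignoring mail; tracking the report rate and how quickly reports arrive is what tells IT and security whether the incident response side of the loop is actually getting faster.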
“The durable benefits include promoting a culture of security awareness and increased regulatory compliance,” Martinez said. “Promoting a culture of cybersecurity awareness doesn’t just help employees at work. What they learn at work — they will share those stories.”