Checklist: These 5 steps will future-proof your hospital's cybersecurity program
Information security is a journey, not a destination. There are proactive steps hospitals can take to make sure they are as prepared as possible to defend against current and future attacks.
Elliot Health CISO Andrew Seward and UPMC Vice President of Information Security and Privacy John Houston, along with cybersecurity firm BluVector CEO Kris Lovejoy shared some of their best advice.
“Trying to achieve perfect security is an impossible feat,” Lovejoy said. “When it comes to futureproofing, it requires an investment of time so you understand what you’re trying to secure.”
Here are the first steps hospitals should take:
1. Assess what needs to be secured.
This begins with understanding future plans. If implementing blockchain is on your horizon, for instance, develop appropriate policies. The same goes for other technologies like biotelemetry, integrated medical devices and more: each requires a specialized security technique, and that means you need a complete list of all connected technologies plus any you know could emerge in the future. Once the inventory is complete, hospitals also need to consider the type of data they collect, what most needs protecting and even the uptime requirements of each device.
2. Master identity and mobile device management.
Not knowing who has access to which parts of the network is a serious mistake. What’s more, hospitals often fail to revoke the privileges of users once they are no longer employed by the organization or engaged as a vendor. Infosec teams need to get on top of this: not only to understand who has access to what, but also to revoke those privileges quickly. Mobile devices require a strategy as well.
Take an inventory of what’s on your network so IT leaders can address vulnerabilities, manage patches and updates, and segment systems from the main network when appropriate.
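The access-revocation problem above is mechanical enough to script. The following is an added example, not code from the article or from any of the people quoted: it joins a directory export against an HR roster and a vendor contract list, flags accounts whose owner has left, whose contract has ended, who has no owner record at all, or who has not logged in for a long time, and lists privileged accounts first. All record formats, privilege names and data values are constructed for the example.

```python
"""Access review for step 2: find accounts that should have been revoked.

Added example, not code from the article or its interviewees. Record formats,
the HR roster, vendor contracts and all account data below are constructed.
"""
from dataclasses import dataclass
from datetime import date

# Privileges that warrant review ahead of everything else (assumed names).
PRIVILEGED = {"domain_admin", "ehr_admin", "device_admin"}

# Date the review is run against (constructed).
REVIEW_DATE = date(2024, 3, 1)


@dataclass(frozen=True)
class Account:
    username: str
    owner_id: str          # HR employee id or vendor contract id
    privileges: tuple      # e.g. ("ehr_read",) or ("domain_admin",)
    last_login: date


# Constructed HR roster: employee id -> (name, termination date or None if active)
HR_ROSTER = {
    "E1001": ("A. Nurse", None),
    "E1002": ("B. Clerk", date(2023, 11, 30)),
    "E1003": ("C. Doctor", None),
}

# Constructed vendor contracts: contract id -> contract end date
VENDOR_CONTRACTS = {
    "V2001": date(2024, 6, 30),    # imaging support, still active
    "V2002": date(2023, 12, 31),   # HVAC integrator, contract ended
}

# Constructed account export from the directory
ACCOUNTS = [
    Account("anurse", "E1001", ("ehr_read",), date(2024, 2, 27)),
    Account("bclerk", "E1002", ("ehr_read",), date(2023, 11, 20)),
    Account("cdoctor", "E1003", ("ehr_read",), date(2023, 10, 1)),
    Account("vendor-imaging", "V2001", ("device_admin",), date(2024, 1, 15)),
    Account("vendor-hvac", "V2002", ("domain_admin",), date(2023, 12, 20)),
    Account("svc-legacy", "X9999", ("domain_admin",), date(2023, 1, 1)),
]


def review_accounts(accounts, roster, vendors, today, stale_days=90):
    """Return [(username, reason)] for accounts to revoke or re-certify.

    Privileged accounts are listed first so they are actioned first.
    """
    findings = []
    for acct in accounts:
        reason = None
        if acct.owner_id in roster:
            _, terminated = roster[acct.owner_id]
            if terminated is not None and terminated < today:
                reason = f"owner terminated {terminated.isoformat()}"
        elif acct.owner_id in vendors:
            if vendors[acct.owner_id] < today:
                reason = "vendor contract expired"
        else:
            reason = "no owner record"   # nobody is accountable for this account
        # Dormant accounts are a smaller risk than orphaned ones, so check them last.
        if reason is None and (today - acct.last_login).days > stale_days:
            reason = f"inactive for more than {stale_days} days"
        if reason is not None:
            findings.append((acct, reason))
    # Sort key: privileged accounts first (False sorts before True), then by name.
    findings.sort(key=lambda f: (not (set(f[0].privileges) & PRIVILEGED), f[0].username))
    return [(acct.username, reason) for acct, reason in findings]


if __name__ == "__main__":
    for username, reason in review_accounts(ACCOUNTS, HR_ROSTER, VENDOR_CONTRACTS, REVIEW_DATE):
        print(f"{username:16} {reason}")
```

Run against the constructed data, the review lists the two privileged problem accounts (the orphaned service account and the expired HVAC vendor) before the terminated clerk and the dormant physician account; the two accounts with an active owner and recent logins are not reported. In practice the roster and vendor lists come from HR and procurement systems and the review is scheduled, not run by hand.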
3. Test, then test and test again.
Healthcare organizations must build or adopt a tool to test for vulnerabilities and to evaluate the status of the policies and technologies currently in place. It’s important to routinely check for gaps in your systems, and to check whether the tools in place still address current threats. Seward and Houston both said that testing must be continuous and that no tool can be implemented and then left alone: no matter how rock-solid the technology, new threats keep emerging, so vendors, software makers and hospitals all must be vigilant about keeping current.
4. Detection and continuous monitoring.
Hospitals should begin, if they haven’t already, to monitor assets and deploy technologies to contain threats. Firewalls, analytics, machine learning and similar tools will help organizations detect threats as hackers make their attempts. But tools are not one-size-fits-all: IT leaders will need to assess their own needs to find the applicable tools. “Rapid remediation is key,” Lovejoy said. “Oftentimes it’s like whack-a-mole: detect early to find weak spots and knock threats down.”
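To make the "detect early" point concrete, here is an added example (not code from the article, nor from BluVector or any vendor it mentions) of the simplest kind of monitoring logic: it parses authentication log lines, finds sources that fail to log in repeatedly inside a short window, and marks the case that needs the fastest remediation, a success from the same source after the burst. The log format, the field names and every log line are constructed; a real system's logs will differ and the thresholds would be tuned to the environment.

```python
"""Step 4 in code: detect password-guessing bursts in authentication logs.

Added example, not code from the article or the vendors mentioned. The log
format and every log line below are constructed; real systems will differ.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed one-line format: <ISO timestamp> auth <OK|FAIL> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one external source guesses several accounts, then logs in.
SAMPLE_LOG = """\
2024-03-01T08:00:01 auth OK user=anurse src=10.10.5.21
2024-03-01T08:00:05 auth FAIL user=admin src=203.0.113.7
2024-03-01T08:00:09 auth FAIL user=admin src=203.0.113.7
2024-03-01T08:00:14 auth FAIL user=root src=203.0.113.7
2024-03-01T08:00:20 auth FAIL user=admin src=203.0.113.7
2024-03-01T08:00:26 auth FAIL user=administrator src=203.0.113.7
2024-03-01T08:00:40 auth OK user=admin src=203.0.113.7
2024-03-01T08:05:00 auth FAIL user=bclerk src=198.51.100.4
2024-03-01T08:30:00 auth FAIL user=bclerk src=198.51.100.4
2024-03-01T08:31:00 auth OK user=bclerk src=198.51.100.4
"""


def parse_log(text):
    """Parse log lines into dicts; lines that do not match are skipped and counted."""
    events, skipped = [], 0
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            skipped += 1
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events, skipped


def detect_bursts(events, threshold=5, window=timedelta(minutes=2)):
    """Return {src: alert} for sources with >= threshold failures inside `window`.

    The alert records whether a successful login from the same source followed
    the burst; that is the case to remediate first.
    """
    fails, successes = defaultdict(list), defaultdict(list)
    for ev in events:
        (fails if ev["result"] == "FAIL" else successes)[ev["src"]].append(ev["ts"])
    alerts = {}
    for src, stamps in fails.items():
        stamps.sort()
        # Slide a window of `threshold` consecutive failures over the sorted timestamps.
        for i in range(len(stamps) - threshold + 1):
            burst_end = stamps[i + threshold - 1]
            if burst_end - stamps[i] <= window:
                alerts[src] = {
                    "burst_start": stamps[i],
                    "failures": len(stamps),
                    "success_after_burst": any(t > burst_end for t in successes[src]),
                }
                break   # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    events, skipped = parse_log(SAMPLE_LOG)
    print(f"parsed {len(events)} events, skipped {skipped}")
    for src, alert in detect_bursts(events).items():
        print(src, alert)
```

On the constructed sample only the external source with five failures in 21 seconds is reported, and it is flagged as having logged in successfully afterwards; the internal user who mistyped a password twice half an hour apart is not. Counting skipped lines matters as much as the alert itself: a parser that silently drops unfamiliar lines is a monitoring gap, which is exactly what the "test again" step above is meant to catch.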
It can’t be stated enough that humans are a major vulnerability in the healthcare sector, and organizations must be vigilant in training employees about current threats and how to guard against them. Seward added that training your security team and all employees, simply put, is the right thing to do for the business.
Remember, too, that healthcare faces many of the same threats that other industries, such as utilities, finance and retail, encounter.
“The threat is existential,” Lovejoy said. “You need to make sure your investments are in the right place.”