Cyber Security Rx: 10 Questions for Your IT Team
To gain a deeper understanding of cyber security and to put effective safeguards in place, it is imperative for C-suite executives to get first-hand knowledge of how cyber criminals use advanced tactics to lure victims into their traps.
David Miller, Chief Administration Officer at ImagineSoftware and former FBI Chief of Strategic Initiatives, was invited to share his expertise on cybersecurity prevention at Canopy Partners earlier this month with executives and decision makers for numerous healthcare facilities.
In 2017 we awoke to the dawn of a new era of ransomware in healthcare. It initially started with a few medical devices becoming encrypted and “held for ransom” until the cyber criminals’ demands were met or the devices were replaced. Ransomware has since affected numerous hospitals, healthcare facilities, and major city databases, holding their files hostage for millions of dollars. With over 90% of successful cyberattacks originating through phishing, Miller implored the attendees to spend adequate time with their IT departments and ask the following questions:
- Show me how we filter our incoming emails for malicious links and content.
- Show me how we encrypt our outgoing emails that contain sensitive information.
- Show me our password policy and how we enforce it.
- Tell me about the tools we use to prevent (and/or detect) an attack on our network and explain how these tools work.
- Show me how we are managing admin access to our network and explain how we are preventing unauthorized use or misuse of these credentials.
- Explain how we monitor for insider threats and show me the tools we have in place to detect and prevent a rogue insider.
- Explain our process for disposing of old computer equipment and how we ensure that no sensitive information remains on the equipment once we dispose of it.
- Show me our mobile device management policy and explain how we audit and enforce it.
- Show me our policies for updating and patching our applications and ensuring that our applications are properly configured.
- Describe our cybersecurity awareness training program and tell me how we ensure all staff “participate in security.”
Miller states, “The approach in this talk is to ask open-ended questions. When you work closely with IT you are putting your faith in someone to protect your company; it’s important that they have the ability to explain to you how they are doing that.”
The point is to avoid closed-ended questions that invite one-word answers. Because the questions are behavior-based, they give your IT department an opportunity to explain fully how its cyber defenses work and to share its knowledge on the subject.
“You’re putting faith in someone to protect your company; they need to be able to tell you how they’re doing that,” says Miller. By asking these questions you gain a deeper understanding of the protections in place, and the IT department gets a chance to engage with upper management, which gives everyone greater peace of mind from understanding how the processes and systems work.
From phishing to misconfigured application settings, breaches have become more common, not less. Over 5 million patient records have been hacked due to misconfigured databases, and the impact on your facility and brand is severe enough that a single breach could ruin your business.
“‘What else should we be doing and how can I help?’ is the key question executives should be asking their IT departments,” says Miller. Engaging with your IT department and discovering what it needs to keep your data safe will ultimately be one of the underpinnings of keeping your company successful in the long term.
Your healthcare facility needs to prepare for when a breach happens, not if, and then test your employees’ response to it. The good news is that most executives and decision makers are already concerned about cyber security; the key is to bridge the gap and become engaged with your IT department. As a company concerned about your future success, we implore you to engage with your IT department, ask them these questions, and give them the budget they need to protect your business.