2023 marks the 20th anniversary of Cybersecurity Awareness Month, where the Cybersecurity & Infrastructure Security Agency (CISA) reminds us to work together to raise awareness about the importance of cybersecurity.
“Data compliance and security are major challenges for many organizations, but are especially critical in healthcare,” states ImagineSoftware’s Vice President of Information Technology & Corporate Security Officer Anthony Brown.
As attackers become smarter, your healthcare practice or organization must stay one step ahead... In celebration of Cybersecurity Awareness Month, our IT and cybersecurity expert shares the top best practices to implement in your medical practice or healthcare organization. In this blog, learn how to safeguard your data, protecting not only your patients’ privacy but also your organization’s reputation.
- Employee Education
Social engineering is at the top of the list in today’s threat landscape. This means our employees are the largest target for compromise. Education and awareness become our ONLY defense. Cybersecurity must become a habit, and the only way to develop this habit is with frequent education, reminders, and practice. One of the most effective education tools is simulated phishing/smishing attacks, followed up with education for those employees who took the inappropriate action.
- Password Complexity & Multi-factor Authentication
[Image not reproduced: examples of weak and strong passwords, with the top-left example labelled BAD and the bottom-right labelled GOOD.] Is there anything more to say?
In addition to the standard username/password combination, multi-factor authentication should become best practice and the norm – it can thwart even well-prepared attacks that rely on compromised user credentials!
- Malware Protection
Endpoints, servers, networks, and especially email, must have active, updated, malicious software (malware) protection in place. These should not only be signature-based, but also behavior-based, with alerting, sandboxing, and “real-time” updates.
- Data Encryption
Data must be encrypted in motion (i.e., data moving through your network) and at rest (data on a storage device). Encryption is like sending something in an envelope via the US Mail (only the sender and recipient can see the contents) rather than on the back of a postcard (anyone along the delivery path can read it).
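The envelope analogy covers both halves of this point. As an added example (Go, written for this page, not ImagineSoftware’s code), the block below encrypts a record at rest with AES-256-GCM, which also authenticates the stored blob so that a tampered or wrong-key read fails closed, and builds the client-side TLS configuration for data in motion with a TLS 1.2 floor. The sample record is constructed; the key is generated on the spot, whereas a real system would keep it in a KMS or HSM, never beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/tls"
	"errors"
	"fmt"
	"io"
)

// newKey returns a random 256-bit key. In production the key lives in a KMS or HSM,
// never next to the data it protects.
func newKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// encryptAtRest seals plaintext with AES-256-GCM. Output layout: nonce || ciphertext || tag.
// GCM authenticates as well as encrypts, so any change to the stored blob is detected on read.
func encryptAtRest(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per record; never reuse with one key
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptAtRest reverses encryptAtRest and fails closed if the blob was altered or the key is wrong.
func decryptAtRest(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed data too short")
	}
	nonce, ciphertext := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

// inMotionTLSConfig is the client-side baseline for data in motion: TLS 1.2 or newer.
// The zero values of the other fields already mean "verify the server certificate",
// so nothing here weakens Go's defaults.
func inMotionTLSConfig() *tls.Config {
	return &tls.Config{MinVersion: tls.VersionTLS12}
}

func main() {
	key, err := newKey()
	if err != nil {
		panic(err)
	}
	record := []byte("MRN 000123: constructed sample patient record")
	sealed, err := encryptAtRest(key, record)
	if err != nil {
		panic(err)
	}
	plain, err := decryptAtRest(key, sealed)
	fmt.Printf("round trip ok: %v, err=%v\n", string(plain) == string(record), err)
	sealed[len(sealed)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = decryptAtRest(key, sealed)
	fmt.Println("tampered blob rejected:", err != nil)
	fmt.Println("TLS 1.2 floor set:", inMotionTLSConfig().MinVersion == tls.VersionTLS12)
}
```

The one-bit flip in `main` is the check worth keeping in a test suite: encryption that merely scrambles data without an authentication tag would happily return garbage for the altered blob, and the postcard-versus-envelope distinction only holds if the envelope is also tamper-evident.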
- Backups
Back up frequently, following the industry best practice of 3-2-1: 3 copies of your system and data, on 2 different media or devices, with at least 1 copy air-gapped and geographically separated. Backups MUST also be verified and validated to ensure you are backing everything up and that the copies are usable in a crisis.
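The 3-2-1 rule is easy to state and easy to drift away from, so here is an added example (Go, written for this page, not the post’s or ImagineSoftware’s code) of a policy check: it takes a description of each stored copy, verifies each copy’s SHA-256 digest against the source, and reports every way the set falls short of 3 copies, 2 media types, 1 air-gapped copy, and geographic separation. The backup set and its contents are constructed; a real verification reads the media back or performs a test restore rather than hashing a byte slice.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// BackupCopy describes one stored copy of a backup set. Content stands in for what is
// actually on the media; a real check reads it back or performs a test restore.
type BackupCopy struct {
	Name      string
	Media     string // "disk", "tape", "object-storage", ...
	Site      string // where the media physically lives
	AirGapped bool   // not reachable from the production network
	Content   []byte
}

func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// check321 evaluates a set of copies against the 3-2-1 rule and against the source
// data's digest. It returns every violation found; an empty slice means compliant.
func check321(source []byte, copies []BackupCopy) []string {
	var problems []string
	if len(copies) < 3 {
		problems = append(problems, fmt.Sprintf("only %d copies (need 3)", len(copies)))
	}
	media := map[string]bool{}
	sites := map[string]bool{}
	airGapped := 0
	want := digest(source)
	for _, c := range copies {
		media[c.Media] = true
		sites[c.Site] = true
		if c.AirGapped {
			airGapped++
		}
		// Verification step: a copy that does not match the source is not a backup.
		if digest(c.Content) != want {
			problems = append(problems, fmt.Sprintf("copy %q fails verification (digest mismatch)", c.Name))
		}
	}
	if len(media) < 2 {
		problems = append(problems, "all copies on the same media type (need 2)")
	}
	if airGapped == 0 {
		problems = append(problems, "no air-gapped copy (need 1)")
	}
	if len(sites) < 2 {
		problems = append(problems, "no geographically separated copy")
	}
	return problems
}

// sampleSet builds a constructed backup set; with corrupt=true it violates every rule.
func sampleSet(corrupt bool) ([]byte, []BackupCopy) {
	source := []byte("constructed nightly EHR export")
	if corrupt {
		bad := append([]byte(nil), source...)
		bad[0] ^= 0xff // one flipped byte, e.g. a silently failing copy job
		return source, []BackupCopy{
			{"primary", "disk", "clinic", false, source},
			{"secondary", "disk", "clinic", false, bad},
			{"tertiary", "disk", "clinic", false, source},
		}
	}
	return source, []BackupCopy{
		{"primary", "disk", "clinic", false, source},
		{"cloud", "object-storage", "cloud-region-b", false, source},
		{"tape", "tape", "offsite vault", true, source},
	}
}

func main() {
	for _, corrupt := range []bool{false, true} {
		src, copies := sampleSet(corrupt)
		fmt.Printf("corrupt=%v problems=%v\n", corrupt, check321(src, copies))
	}
}
```

Running this for the corrupt set lists four problems, which is the point of reporting them all rather than stopping at the first: three copies on one disk array in one building can look fine on a dashboard until the digest check, the media check and the site check are all applied together.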
- Update/Patch Systems Promptly & on a Recurring Basis
Operating systems, utility software, and applications are continually being updated and patched for vulnerabilities, and unpatched vulnerabilities can be exploited by threat actors to compromise you. All systems should be updated and patched on a regular, recurring basis, at least monthly, or near immediately if the vulnerability is of a critical nature.
- Network Segmentation
Each critical system in your environment should be segmented into its own virtual network. This compartmentalizes your systems (think of it as virtual walls) without impacting production usage, making it more difficult for an attack to “jump” between them and reach all of your systems. At a minimum, patient care, revenue cycle management, and business operations should each be in their own network.
- Penetration & Vulnerability Tests
Independent, third-party penetration and vulnerability tests conducted on a recurring basis (typically quarterly or bi-monthly) are the only way to check for human error and gaps in your environment’s security posture. This proactive activity is the best insurance policy you will ever buy, provided that each test’s findings are reviewed and addressed.
- Incident Response Plan & Team
It is not whether you will suffer an incident or crisis, but when. Having a plan, approach, and team can save you untold time and business disruption when something occurs. The plan should also be reviewed and tested at least annually, as business, environment, and people change. Remember, this is not simply an IT or cybersecurity function; it must be business-wide, with involvement and ownership from all stakeholders.