How To Strategize for A Cyber Secure Future
Cyber Security continues to evolve at a faster rate than any other aspect of technology, and healthcare is being caught in the crossfire between cybercriminals, state-sponsored actors and your average spam email hacker.
How we strategize for a cyber-secure future depends on how we see cybersecurity today. We need to see cybersecurity as an aspect of everyday business, just like payroll and OH&S.
By showing our staff how to work securely and how to be vigilant, and by always demonstrating the business’s appetite for being cyber secure, we can start building the foundation for a cyber-secure future.
Below are our tips on how to get started with building your day hospital’s strategy.
Tip 1: Include Cyber Security Training As Part of Your Staff Onboarding Process
Most businesses, especially those in healthcare, use a set of processes for effective staff onboarding. Those processes generally revolve around OH&S, specific company/role functions and so on.
Our first recommendation would be to include high-level cybersecurity training as part of the onboarding process.
The training should include:
- An overview of the Cyber Security, IT, Remote Access & Data Privacy policies
- An overview of the email system the hospital uses
- An overview of the clinical and business applications the hospital uses. In this step, the onboarding officer should explain what is considered to be sensitive information
- An overview of the triage process in the event a staff member needs IT support or has concerns around a breach
- An overview of what is not authorised in terms of data sharing, downloading data etc.
- A basic overview of how to check if an email is not authentic (checking the address, not clicking on the links, not sharing any details)
Tip 2: Invest In Compliance, Identity Management & Audit Trail Tools
At REND, we believe that future cybersecurity compliance requirements will focus on the organisation demonstrating that it enforces its cybersecurity policies across the business without the potential or possibility of a compromise.
What does this mean?
Imagine that your hospital’s cyber policy is that no one can access your IT platform remotely unless their device is up to date, has a working antivirus, and they used 2-factor authentication. The future of cybersecurity compliance will be for you to prove that it is not possible for someone to log into your system without being compliant.
Likewise, in terms of identity management, organizations will need to demonstrate that only authorized users can access a specific resource. Auditing software will show who accessed what, which in turn proves compliance.
At REND we recommend Cloud for Health as our all-in-one compliance and identity management tool; however, you can also consider other products such as Okta for identity management.
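The check described above can be run directly over an audit trail. The following is an added example, not code from REND or from any product named on this page; the log format, field names, users and authorisation list are all constructed for illustration.

```python
import json

# Constructed sample audit trail (one JSON event per line); field names are hypothetical.
AUDIT_LOG = """\
{"user": "nurse.a", "resource": "clinical-app", "remote": true, "device_patched": true, "antivirus_ok": true, "mfa": true, "result": "granted"}
{"user": "dr.b", "resource": "clinical-app", "remote": true, "device_patched": false, "antivirus_ok": true, "mfa": true, "result": "granted"}
{"user": "cfo.c", "resource": "payroll", "remote": true, "device_patched": true, "antivirus_ok": true, "mfa": false, "result": "denied"}
{"user": "nurse.a", "resource": "payroll", "remote": false, "device_patched": true, "antivirus_ok": true, "mfa": true, "result": "granted"}
"""

# Assumed authorisation list: which users may reach which resource.
AUTHORISED = {
    "clinical-app": {"nurse.a", "dr.b"},
    "payroll": {"cfo.c"},
}

# The three remote-access conditions from the example policy in the text.
REMOTE_CONDITIONS = ("device_patched", "antivirus_ok", "mfa")


def find_violations(log_text, authorised):
    """Return (line_no, user, resource, reasons) for every granted access
    that the policy should have blocked."""
    violations = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        event = json.loads(line)
        if event["result"] != "granted":
            continue  # a denied attempt is the policy working as intended
        reasons = []
        # Fail safe: an event that does not say where it came from is treated
        # as remote, and a missing condition field counts as a failed check.
        if event.get("remote", True):
            reasons += [c for c in REMOTE_CONDITIONS if not event.get(c, False)]
        if event["user"] not in authorised.get(event["resource"], set()):
            reasons.append("user_not_authorised")
        if reasons:
            violations.append((line_no, event["user"], event["resource"], reasons))
    return violations


if __name__ == "__main__":
    for violation in find_violations(AUDIT_LOG, AUTHORISED):
        print(violation)
```

An empty result over the full audit period is the evidence of compliance; any row returned is an access the policy did not actually prevent.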
Tip 3: Handover The Cyber Security Responsibility To Your IT Provider
Yes, we’re serious about this.
If your hospital does not employ an in-house IT team then you need to outsource the Cyber Security responsibility to your IT provider.
Sure, you will need to pay your IT provider more for them to secure your IT environment, and that’s OK. By them securing the environment and confirming that they are happy with the level of security, you can then ensure that in the unlikely event of a breach, you can demonstrate that you engaged a professional entity to secure your network.
We see operations managers, doctors or CFOs designing their IT security or cybersecurity strategy based on budget and not based on a strategic approach to cybersecurity.
The point we are making here is that it’s much more cost-effective and beneficial to have a technology firm designing your cybersecurity strategy and taking ownership of it instead of doing it yourself.
Tip 4: Secure Your Hospital’s Medical Devices
A few years ago, a cardiac unit in a US hospital was hacked. This was one of the first instances where the hackers did not hack the patient records but rather the hardware, or more specifically, the ECG machines connected to the network.
They got into the machines, changed the configurations and within hours, none of the ECG machines were working correctly.
Now let’s imagine someone hacking into the MRI machine or other medical devices in the hospital. We can all assume that this will be a disaster.
Welcome to the world of IoT (Internet of Things) where medical devices, light bulbs, doorbells and so on are all connected to the internet and controlled via a web portal somewhere in the ether.
This is still a relatively new topic for day surgeries; however, since we are working on a strategy for future cybersecurity issues, let’s do something about it.
The first thing we would do (from a technical level) would be to put all of the medical devices on a separate network from the one that the staff and computers connect to. Secondly, and more importantly, we would create a backup of all configurations of those devices and store them in an external location.
Finally, we would work with the vendors of those medical devices and ask them to advise on how they secure their devices. Just like a computer or mobile phone, those devices will need ongoing patching, updates and reviews.
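A configuration backup is also a baseline: comparing a device's current settings against it shows exactly what was changed, which is the failure described in the ECG incident above. The following is an added example, not vendor or REND code; the device name, the key=value format and every setting are constructed for illustration.

```python
import hashlib

# Constructed sample data: the backed-up ("known good") configuration of a
# hypothetical ECG device and the configuration read from it today.
BACKUP_CONFIG = """\
sample_rate_hz=500
lead_mode=12
alarm_hr_low=40
alarm_hr_high=140
network_export=disabled
"""
CURRENT_CONFIG = """\
sample_rate_hz=500
lead_mode=3
alarm_hr_low=40
alarm_hr_high=240
network_export=disabled
"""


def sha256_text(text):
    """Fingerprint of a configuration, suitable for storing beside the backup."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def parse_config(text):
    """Parse key=value lines into a dict, ignoring lines without '='."""
    pairs = (line.split("=", 1) for line in text.splitlines() if "=" in line)
    return {key.strip(): value.strip() for key, value in pairs}


def config_drift(backup, current):
    """Return {setting: (backup_value, current_value)} for every setting that
    differs; None marks a setting that is absent on one side."""
    old, new = parse_config(backup), parse_config(current)
    return {key: (old.get(key), new.get(key))
            for key in sorted(old.keys() | new.keys())
            if old.get(key) != new.get(key)}


def check_device(name, backup, current):
    """Compare fingerprints first; list the changed settings only on mismatch."""
    if sha256_text(backup) == sha256_text(current):
        return {"device": name, "status": "ok", "changes": {}}
    return {"device": name, "status": "drift",
            "changes": config_drift(backup, current)}


if __name__ == "__main__":
    print(check_device("ecg-01", BACKUP_CONFIG, CURRENT_CONFIG))
```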
Tip 5: Always Monitor The Dark Web For Compromised Usernames & Passwords
Dark Web Monitoring is a service that regularly searches places on the dark web where information is traded and sold, looking for your information. If your information is found, you get a notification.
Businesses can subscribe to dark web monitoring via tools such as Norton Lifelock or Cyble.
Dark web monitoring should be automated and configured to monitor staff emails, full names, company emails, company websites etc. on the dark web. As soon as an alert occurs, your IT team should work with you to mitigate the compromise immediately.
Final Words
Our recommendation for Australian day hospitals is to focus on implementing successful Cyber Security & Disaster Recovery strategies. Both must be implemented correctly and reviewed at least annually.
Feel free to reach out to us if you would like a review of your Cyber Security & Disaster Recovery solution. We look forward to speaking to you.