Health Industry Cybersecurity Practices and Videos

All health systems are strongly encouraged to adopt this series in your training programs; industry groups and professional societies, please encourage your members to do the same; and medtech, pharmaceutical, payer, health I.T., and services companies, please consider extending this series to your customers and clients as a supplement to your support.

Most small practices leverage outsourced third-party e-mail providers, rather than establishing a dedicated internal e-mail infrastructure. The e-mail protection practices in this section are presented in three parts:

1. E-mail system configuration: the components and capabilities that should be included within your e-mail system
2. Education: how to increase staff understanding and awareness of ways to protect your organization against e-mail–based cyberattacks such as phishing and ransomware
3. Phishing simulations: ways to provide staff with training on and awareness of phishing e-mails

A small organization’s endpoints must all be protected. But what are endpoints? And, what can a small healthcare organization do to protect their endpoints?

David Willis, MD and Kendra Siler, PhD with the Population Health Information Analysis and Sharing Organization at the Kennedy Space Center are here to discuss what you should be doing to reduce the chances of a cyber attack penetrating your endpoints.

In this section, we will be discussing Cybersecurity Practice Area Number 3 – Access Management for small healthcare organizations.

This discussion will be organized into three sections:

1. What is access management?
2. Why is it important?
3. How can HICP or “hiccup” help improve access management for small healthcare organizations?

The National Institute of Standards and Technology, or NIST for short, defines a data breach as “an incident that involves sensitive, protected, or confidential information being copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.”

Sensitive, protected, or confidential data includes Protected Health information (PHI), credit card numbers, customer and employee personal information, and your organization’s intellectual property and trade secrets.

What information technology, or IT devices, do you have in your organization? Do you know how many laptops? mobile devices? And network switches you have in all your locations? Which ones run Windows or Apple’s IOS or one of Android’s several operating systems? If it isn’t attached to a wall or a desk, who is responsible for each device?

Networks provide the connectivity that allows workstations, medical devices, and other applications and infrastructure to communicate.  Networks can take the form of wired or wireless connections.  Regardless of the form, the same mechanism that fosters communication can be used to launch or propagate a cyber-attack. 

Proper cybersecurity hygiene ensures that networks are secure and that all networked devices can access networks safely and securely. Even if network management is provided by a third-party vendor, organizations should understand key aspects of proper network management and ensure that they are included in contracts for these services.

Vulnerability management is a continuous practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program.

Incident response is the ability to identify suspicious traffic or cyberattacks on your network, isolate it, and remediate it in order to prevent data breach, damage, or loss. Typically, incident response is referred to as the standard “blocking and tackling” of information security. Many types of security incidents occur on a regular basis across organizations of all sizes. In fact, most networks are under constant attack from outside entities.

Health care systems use many different devices as part of routine patient treatment. These range from imaging systems to devices that directly connect to the patient for diagnostic or therapeutic purposes. Such devices may have straightforward implementations, such as bedside monitors that monitor vital signs, or they may be more complicated, such as infusion pumps that deliver specialized therapies and require continual drug library updates. These complex and interconnected devices affect patient safety, well-being, and privacy, and they represent potential attack vectors in an organizations’ digital footprint. As such, these devices should include security controls in their design and configuration to support being deployed in a secure manner.

Cyber Security Practice #10: Cybersecurity Policies includes best practices which are document specific to the implementation of cybersecurity policies and procedures in your healthcare organization.