DynTek’s Shaun Land shares trends and best practices garnered from working with healthcare CIOs and CISOs on IT Strategy and Security Compliance programs
The relentless wave of cyber attacks against healthcare organizations that began in 2014-2015 did not let up in 2016, and experts predict the onslaught will continue in 2017. Here’s a look back and forward, and recommended resolutions for addressing cybersecurity challenges in the year ahead.
2016 Cybersecurity Review
In 2016, hackers diversified their tactics to include not only traditional forms of attack such as data theft and denial of services, but also blackmail and extortion via ransomware.
One of the most notorious ransomware attacks struck in February. Highly publicized, it was waged against Hollywood Presbyterian Medical Center in Los Angeles. Hospital computers were offline for more than a week before hospital executives gave in to the ransom demands, paying $17,000 in Bitcoin for the return of the encryption key.
1. EHRs will continue to be threatened.
EHRs (electronic health records) continue to command high prices on the black market. Chock full of portable information that passes through a number of different endpoints, they are predicted to remain a prime target. The growth of mobile devices and IoT-connected devices in the healthcare industry compounds the threat.
2. Concerns about ransomware will still keep CISOs up at night.
System outages at healthcare organizations put patient safety and lives on the line — a reason many healthcare organizations choose to pay ransom rather than risk further disruption to operations. Unscrupulous hackers will continue to exploit this reality. Hospital CISOs need to have their guard up at all times.
3. Ransomware attacks are evolving.
As ransomware continues to reap big payouts, attackers will keep changing tactics to stay one step ahead of security technology that is built on intelligence gleaned from past attacks. Healthcare CISOs need to be prepared to fight new strains of ransomware developed to bypass the latest detection systems, as well as variants that steal data rather than just lock systems.
2017 Cybersecurity Resolutions
Although there’s no sure-fire way to stop cyber criminals from launching new attacks, healthcare organizations can resolve to fight them. Here are 5 recommendations:
1. Think like a hacker.
Start looking at your security system through the eyes of a hacker. Conduct penetration tests to see if your system can withstand an attack. Preferably, tests should be conducted by an outside party. You should also test your disaster recovery plans.
2. Validate the effectiveness of third-party solutions.
Rather than base cybersecurity investments on cost alone, factor in effectiveness ratings validated by unbiased reviews and evaluations from users and test labs—as well as your own vetting processes.
3. Keep patches up to date.
Although applying security patches can be time-consuming, failing to patch your systems can result in catastrophe. In fact, the 2016 Verizon Data Breach Investigations Report finds that exploits appear as soon as 10 days after a new vulnerability is found, and that 99% of vulnerabilities are exploited more than a year after being published.
4. Educate employees about best cybersecurity practices.
Many data breaches rely on social engineering tactics that target employees. Provide ongoing education to your employees about the need to avoid clicking on links and attachments in suspicious emails.
5. Remember: compliance, compliance, compliance.
Healthcare organizations need to keep HIPAA/HITECH and OCR compliance in mind when creating security plans and selecting security solutions. These initiatives require organizations to prioritize a data security strategy, an incident response plan, and organization-wide security policies and procedures. In addition, the recently passed 21st Century Cures Act is focused on requiring data sharing for data mining purposes, so that cures for diseases can be developed faster. Healthcare organizations need to ensure they have plans in place to store that data and share it securely.
Contact DynTek today for help developing and managing your IT Strategy and/or Security Compliance program and solutions.