Five things every healthcare provider must do to protect themselves against cyber criminals:

In today’s healthcare environment technology has become the critical backbone to the daily delivery of services, but providers in the healthcare space have historically done a poor job of keeping up with and properly securing and managing their IT systems. Cybercriminals know this and have made healthcare the top target .. According to Solutionary, an NTT security company, “the healthcare industry was the victim of 88% of all ransomware attacks in U.S. industries last year.” Not only is the healthcare target high, but the rate of these attacks on healthcare is rapidly increasing. Cybersecurity Insurer, Beazley Group, noted that “it saw 133% increase in ransomware attacks among its healthcare clients compared to the first half of 2016”.

What can you do to protect yourself? These five things are vital to protecting your practice from the inevitable attack. It is not a matter of if you are exploited, it is a matter of when because the bad guys are already knocking on your door and going after your most vulnerable area, your people.

1. Have Policies and Procedures that define and govern your security and

As a healthcare provider, you are a covered entity, and you are mandated by the Health Insurance Portability and Accountability Act (HIPAA) and the HITECH Act to have a base set of IT Policies and procedures that govern how you will manage and control access to ePHI in critical areas. It’s boring, it’s time consuming but it is actually sensible and will make you better if you take the time to not only define them, but implement and be accountable to them. Policies and procedures become the playbook that governs how you secure your systems and protect them from the threats that are coming at you. Key elements are everything in the HITECH act, but specifically: Risk Management, Information Security Awareness Training, Incident Response, Disaster Recovery, Password Management, Acceptable Use and Security Management.

By the way, it’s the law and the government is getting more and more serious about inspecting and auditing you before you have an incident.

2. Employ “defense in depth” methods of securing the outside and inside.

What is “Defense in Depth”? It’s just a fancy way to say make sure you aren’t implementing one thing and expecting it to be the silver bullet. If you have ever thought, “we have antivirus, we are safe”, you should re-evaluate. Security requires multiple layers because the bad guys are attacking your business from every angle possible, at all hours of the day and night. You should have firewalls, intrusion prevention and detection systems (IPS/IDS), email scanning for spam, viruses and malware, antivirus on all your systems, automated patching of servers, workstations, laptops, tablets, phones and related software applications, monitoring of security systems, logging of security actions, mobile device management for wireless networks, and on, and on, and on. The defense is like football – Offensive Line, Defensive Ends, Linebackers, Defensive Backs, Safeties and all the coaching staff – it requires the depth of the entire team to be successful.

3. Perform regular “security training” and be accountable to it.

A key component of the law is that you must perform ongoing security awareness training. The number one place that every bad guy targets is you and your employees. If they can trick you, especially a “high-value” target like a controller, CFO or Physician then they may just have the keys to the kingdom. Regular security training isn’t once a year, it isn’t even once a quarter. Regular training is monthly, if not more often. There are great tools available that automate the deployment and management, and accountability, of the training. Don’t just check the box, make sure you are getting the value out of the training.

The best defense is a sufficiently paranoid workforce, who thinks twice before they click. Thinking twice can save you hundreds of thousands, if not millions of dollars.

4. Encrypt, encrypt, encrypt; mobile devices, laptops, backups, email, everything.

Just the idea of encrypting your data makes sense - which means making it so that someone without the “key” to decrypt the data can’t read it. On top of it being sensible, it also creates an added barrier if you are breached, making it possible that the incident may not be reportable at all. At a minimum, phones, tablets, laptops, removable media (hard drives, thumb drives, etc.) and backups should be encrypted and consider encrypting your live data on your production systems that contain ePHI. This simple step can save you time and money.

5. Be paranoid about what and who can access your network.

Yes, Paranoid. We tend to just let people jack in, or connect to the wireless network but in a healthcare environment (really any environment) this is dangerous. Allowing people to connect to private networks introduces risk of foreign “contamination” of the network by machines that may not adhere to the stringent policies for antivirus, patch management, software control, etc. This presents the risk of introducing malware, key stroke loggers, viruses, and much more. This also includes allowing devices such as network enabled home systems such as Amazon’s Alexa, Sonos sound systems, cameras from various manufacturers, etc. Before connecting these systems they should be planned, put on separate networks and an update process developed. By all means avoid any type of Android built device from connecting to your network as they continue to be the least patched and managed but propagate the most mobile malware of any device.

Be paranoid, to quote Benjamin Franklin “An ounce of prevention is worth a pound of cure.”

There is much more to securing your environment, but these five things will substantially shrink your risk and help to greatly mitigate the bad guys ability to infiltrate and gain access to your sensitive information. Patient data is the most valuable data to hackers, more than credit card information, so they are gunning for you.