Healthcare providers must prepare for all three eventualities
Healthcare providers have plenty of options for cybersecurity solutions. Healthcare cybersecurity companies fall into three broad categories that follow the stages of a cyber attack:
- Pre-attack planning and attack preparation
- Attack mitigation and IT security (sometimes called “managed security services” or having a “managed security service provider”)
- Post-breach and cyber security operations cleanup (such as patient privacy monitoring, akin to credit score reporting we’re all familiar with)
It’s tragic, but given the cyber threats healthcare institutions face, combined with their cybersecurity and compliance risks, all healthcare providers should have plans for all three stages.
Healthcare organizations must prepare and drill for cybersecurity breaches
Cyber threats should receive the same kind of attention paid to prior security investments, like the risk of fire, severe storms, or earthquakes. Akin to a fire drill, you should know what to do to protect the facility from fire, what to do if the building does catch on fire, and what to do after the fire.
The list of sensitive data, steps, and strategies is long. Broadly, health systems need to know:
- Who is in charge when an attack happens?
- Who is in charge of communicating with teams, patients, and the press?
- How will staff access medical records?
- Which medical device security controls may become compromised or non-functional during a cyber attack?
- How may billing, payroll, and HR systems be impacted?
- How will patient flow change, and what can partner providers in the region do to help?
- How will the organization shut down and lock down its network?
- What kinds of security challenges might partner providers, like labs or diagnostics, face?
- How many and what kind of healthcare professionals need to be involved, called in, or notified?
- How will people access the building if identity management technology, like card readers, fails?
- How may connected medical devices continue to transmit data over open networks or third-party services?
- And much more.
Vantage Point works in the pre-attack planning and attack preparation category of health data breach and cybersecurity services. Among healthcare information security companies, we assume the worst will happen and design plans that enable healthcare institutions to respond to threats as they occur and unfold.
Hospital administrators and managers should ensure their training providers or programs follow Homeland Security Exercise and Evaluation Program (HSEEP) guidelines. HSEEP guidelines provide an evidence-based, standardized approach to planning, facilitating, and evaluating projects.
Drills and exercises for healthcare organizations can include tabletop exercises that walk people through the administrative motions of responding to a real cyber threat. These cover:
- What steps a healthcare organization will take if patient data is held ransom.
- What steps internal IT response services will take to lock down their networks, disable attack vectors, and bring in outside help.
- How patient care continues and how slowdowns in technology — such as being forced to use paper charts — may slow down patient care and increase patient loads.
Because all healthcare providers are unique, we tailor these plans accordingly. A small ambulatory surgical center, a large urban trauma center, rural health systems, and specialty facilities all have unique risk management needs.
But the general problems of how to involve law enforcement in your region, medical device access, patient care, and moving on from health data breaches all follow roughly the same steps.
Protecting patient data and medical devices with a managed security service provider
We are not in the managed security services, PR, or post-attack cleanup market. But hospitals should certainly have a managed security service provider to help protect sensitive data, including billing, payroll, and patient data.
Managed security services will check, audit, install, and lock down networking equipment, drives, mobile devices, and medical devices. They’ll also handle cloud security with your existing third-party providers (such as Microsoft 365, identity management technology, cloud security platforms, and others).
The Joint Commission is increasingly looking at ways to encourage the healthcare industry to protect its networks. Together with the U.S. Cybersecurity and Infrastructure Security Agency (CISA), it offers three online guides:
- Ransomware Readiness Assessment (CSET v10.3): A self-evaluation to determine an organization’s readiness against different types of cybersecurity risks.
- Known Exploited Vulnerabilities Catalog: A routinely updated list of known software vulnerabilities that are being actively exploited by attackers.
- Cyber Hygiene Services: A CISA-guided service that performs vulnerability scanning, web application scanning, and phishing campaign assessment. The service triages important vulnerabilities so that users know which gaps to address first.
But no healthcare company, including insurers, is protected against human error. In most cases, cyber threats find their “weak link” into an organization through a person who mistakenly clicked a link, plugged in a device, or simply hadn’t updated a device’s firmware or software. VPC can consult on some of these steps to help healthcare organizations evaluate their risks.
Healthcare organizations can prepare and drill for an attack with VPC
Rural health systems, ambulatory surgical centers, specialty hospitals, and large urban trauma centers are increasingly turning to Vantage Point to help them prepare for what has become a reality for healthcare providers.