Healthcare delivery organizations already know that cyberattack risks continue to escalate. Articles about ransomware attacks, data breaches, and phishing attacks on health systems continue to be in the news with increasing frequency, underscoring the critical need for healthcare delivery organizations to tighten cybersecurity.
On March 17th the Office for Civil Rights (OCR) published its first-quarter cybersecurity newsletter (OCR Quarter 1 2022 Cybersecurity Newsletter, HHS.gov). Titled “Defending Against Common Cyber-Attacks”, the newsletter pointed out that while “zero day” attacks make the news because they exploit previously unknown weaknesses, most successful attacks occurred because organizations had not implemented the basic safeguards required by the HIPAA Security Rule.
The newsletter covered three main areas of concern: phishing, exploitation of known vulnerabilities, and weak cybersecurity practices. Combine these with the added exposure of remote office work, and it is easy to see why reported breaches rose 45% from 2019 to 2022. In fact, according to OCR, 66% of all breaches affecting 500 or more individuals were caused by hacking or IT incidents.
Technology alone is not a silver bullet for preventing a successful cyberattack or reducing its impact. Focus first on People and Process, then on Technology.
People
Humans make mistakes. Untrained humans make even more mistakes. HIPAA requires that all employees receive security training. How is your organization handling this requirement? At time of hire and again during annual required training? What kind of training are you doing? Is it a stale PowerPoint, or is it interactive and hands-on? One of the more effective hands-on approaches is thorough, frequent phishing training. It is not enough to tell staff to be aware of email risk; you must teach them how to recognize a risky email. If you do this frequently, at least quarterly, staff are more likely to retain what they have learned and put it to use. According to a 2020 report from Proofpoint, staff who receive frequent, quality phishing training reduce their organization’s risk from malicious email (the number one entry point for attackers) by 80%. Pixel Health’s KnowBe4 solution offers training to educate your staff and keep them updated on what they should be doing to reduce security risk. Contact us at info@gopixelhealth.com for more information.
Process
Cybersecurity practices (processes) that are lacking or poorly implemented make your organization an easy target and prevent you from quickly identifying and expelling attackers who have gained entry. Weak user access control is the second-highest contributor to successful cyber-attacks. Lack of multifactor authentication (MFA), poor password hygiene, and inappropriate management of privileged (powerful) user accounts are behind most insider breaches. If you do not have MFA deployed, especially for all remote access, you are at extremely high risk of compromise. Additionally, if you have not recently completed a thorough risk assessment (covering the whole organization, not just your electronic medical record system), you cannot accurately gauge your security posture or know where to concentrate limited resources to reduce exposure. Pixel Health can assist your organization with a comprehensive security risk assessment, remediation recommendations, and MFA implementation. Learn more here.
Technology
Finally, implement the appropriate technology controls to reduce exposure. Here, patching appropriately and in a timely manner takes center stage. About a quarter of all breaches come from an attacker who has taken advantage of a system vulnerability. According to a Microsoft report published a few years ago, 80% of those were vulnerabilities for which a fix had been published more than a year earlier, and in almost 50% of cases the fix had been available for several years. There is no excuse not to patch systems on a routine basis (ideally monthly). If you are running legacy systems that cannot be patched, get them replaced, and keep them isolated from the rest of the network until you do. Here at Pixel Health we assign patch compliance policies to every device discovered on a network and automatically generate work orders to periodically assess the patching state of those devices. Policy compliance via automated playbooks saves the day. Pixel Health can help you with custom integrations and reporting for your security program!
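The patch-compliance workflow described above (a policy per discovered device, a periodic check of its patch state, a work order for anything out of compliance) can be sketched as a small script. This is an added example, not Pixel Health's tooling or anything from the OCR newsletter: the device inventory, the 30-day policy window, and the severity thresholds are all constructed assumptions. Severity is driven by how long the oldest unapplied fix has been available, because the statistic quoted above says most exploited vulnerabilities had a fix out for more than a year.

```python
"""Patch-compliance check over a constructed device inventory (added example).

Each discovered device is assigned a policy (maximum days between patches,
by role), its patch state is compared with that policy, and a work order is
generated for each device that is out of compliance. Legacy devices that
cannot be patched get a replacement ticket instead.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class Device:
    hostname: str
    role: str                            # "workstation", "server" or "legacy"
    last_patched: date                   # when the last update was applied
    oldest_missing_fix: Optional[date]   # release date of the oldest unapplied fix, None if none


# Assumed policy: maximum days since last patch, per role. Roles absent from
# this table (e.g. "legacy") are treated as unpatchable.
POLICY_MAX_AGE_DAYS = {"workstation": 30, "server": 30}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def severity_for_fix_age(fix_age_days: int) -> str:
    """Escalate by how long a fix has been available but not applied (assumed thresholds)."""
    if fix_age_days > 365:
        return "critical"   # fix older than a year: the commonly exploited case
    if fix_age_days > 90:
        return "high"
    return "medium"


def evaluate(device: Device, today: date) -> Optional[dict]:
    """Return a work order for a non-compliant device, or None if it is compliant."""
    if device.role not in POLICY_MAX_AGE_DAYS:
        return {"hostname": device.hostname, "action": "replace", "severity": "critical",
                "reason": f"unpatchable {device.role} system"}
    days_since_patch = (today - device.last_patched).days
    if device.oldest_missing_fix is None and days_since_patch <= POLICY_MAX_AGE_DAYS[device.role]:
        return None
    # If nothing specific is known to be missing, age the ticket by the last patch date instead.
    fix_age = (today - (device.oldest_missing_fix or device.last_patched)).days
    return {"hostname": device.hostname, "action": "patch",
            "severity": severity_for_fix_age(fix_age),
            "reason": f"{days_since_patch} days since last patch, oldest missing fix {fix_age} days old"}


def generate_work_orders(inventory: List[Device], today: date) -> List[dict]:
    """Work orders for every non-compliant device, most severe first."""
    orders = [wo for wo in (evaluate(d, today) for d in inventory) if wo]
    return sorted(orders, key=lambda wo: SEVERITY_RANK[wo["severity"]])


# Constructed inventory as of the newsletter date; hostnames and dates are illustrative.
AS_OF = date(2022, 3, 17)
INVENTORY = [
    Device("ws-101", "workstation", date(2022, 3, 1), None),                  # compliant
    Device("ws-102", "workstation", date(2022, 1, 5), date(2022, 2, 8)),      # 37-day-old fix missing
    Device("srv-db1", "server", date(2021, 6, 15), date(2021, 7, 13)),        # fix missing for ~8 months
    Device("srv-app2", "server", date(2020, 1, 20), date(2020, 2, 11)),       # fix missing for over 2 years
    Device("mri-console", "legacy", date(2018, 5, 1), date(2018, 6, 12)),     # cannot be patched
]

if __name__ == "__main__":
    for wo in generate_work_orders(INVENTORY, AS_OF):
        print(f"[{wo['severity']:8}] {wo['hostname']}: {wo['action']} ({wo['reason']})")
```

In a real deployment the inventory would come from the discovery tool and the "oldest missing fix" from the vulnerability scanner or the vendor's update catalog; the policy table is the part that should be owned by the security program, not hard-coded.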
Additionally, run routine backups and keep a copy encrypted and offline so that an attacker who gets into your network cannot reach it. Test those backups by actually restoring them, so you know they can be used when you need them. Lastly, deploy endpoint detection and response (EDR) software; it can detect and stop malicious behavior, not just known malicious software, on desktops, laptops, and servers.
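"Test those backups" is the step most often skipped, so here is what a minimal restore test looks like. This is an added example, not code from the original article or from Pixel Health: it archives a constructed data set, records a SHA-256 manifest at backup time, restores the archive into a scratch directory, and verifies every restored file against the manifest. Encrypting the offline copy is assumed to be handled by the backup tool and is not shown.

```python
"""Backup restore test over a constructed data set (added example).

A backup that has never been restored is only a hope. This script builds an
archive, keeps a hash manifest of the source, restores into a scratch
directory and checks the restored files against the manifest. The tamper
flag corrupts one restored file to show the check catching silent damage.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file's path (relative to root, POSIX form) to its SHA-256."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source: Path, archive: Path) -> dict:
    """Archive the source tree and return the manifest taken at backup time."""
    manifest = build_manifest(source)
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            tar.add(p, arcname=p.relative_to(source).as_posix(), recursive=False)
    return manifest


def restore(archive: Path, dest: Path) -> None:
    """Extract, refusing links and any member that would land outside dest."""
    dest = dest.resolve()
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.issym() or member.islnk():
                raise ValueError(f"link in archive refused: {member.name}")
            if not (dest / member.name).resolve().is_relative_to(dest):
                raise ValueError(f"unsafe path in archive: {member.name}")
        if hasattr(tarfile, "data_filter"):       # Python 3.12+ (and backports)
            tar.extractall(dest, filter=tarfile.data_filter)
        else:
            tar.extractall(dest)


def verify(manifest: dict, restored_root: Path) -> list:
    """Return a list of problems; an empty list means the restore test passed."""
    restored = build_manifest(restored_root)
    problems = [f"missing: {n}" for n in manifest if n not in restored]
    problems += [f"mismatch: {n}" for n, h in manifest.items()
                 if n in restored and restored[n] != h]
    problems += [f"unexpected: {n}" for n in restored if n not in manifest]
    return problems


def run_restore_test(tamper: bool = False) -> list:
    """End to end: constructed source data -> backup -> restore -> verify."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source, archive, restored = tmp / "src", tmp / "backup.tar.gz", tmp / "restored"
        # Constructed sample data, not real records.
        (source / "notes").mkdir(parents=True)
        (source / "patients.csv").write_text("id,name\n1,Constructed Sample\n")
        (source / "notes" / "readme.txt").write_text("constructed sample data\n")
        manifest = create_backup(source, archive)
        restored.mkdir()
        restore(archive, restored)
        if tamper:  # simulate bit rot or a partial restore
            (restored / "notes" / "readme.txt").write_text("bit rot\n")
        return verify(manifest, restored)


if __name__ == "__main__":
    print("clean restore:", run_restore_test() or "OK")
    print("tampered restore:", run_restore_test(tamper=True))
```

For a production backup the same pattern applies at larger scale: keep the manifest with the backup catalog (not only inside the archive), restore to an isolated host, and treat any non-empty problem list as a failed backup rather than a warning.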
If your cyber insurance company hasn’t already asked you about these practices, consider the OCR newsletter a wake-up call. Covered entities (organizations) are required to implement these practices to satisfy the HIPAA Security Rule. If you need assistance with any aspect of your cybersecurity program, Pixel Health can help! Contact us today at info@gopixelhealth.com.