Half of Healthcare Professionals Say Their IT Infrastructure Isn’t Secure.

Healthcare Technology
Blog
Tue July 25, 2017

If You’re One of Them, Read On.

The recent WannaCry and “Petya” global ransomware attacks – along with seemingly countless other, smaller-scale attacks – serve as powerful reminders of the importance of creating and maintaining a secure IT infrastructure, especially for those operating in the healthcare space.  In 2017, one might think such reminders aren’t necessary, but survey after survey shows that a significant percentage of healthcare organizations – from providers and payers to pharma and medical device manufacturers – still consider themselves vulnerable to cyber mischief and are woefully unprepared to manage an attack.

According to the MGMA’s most recent Stat poll, only 55% of healthcare professionals believe their organization’s IT infrastructure is secure against attacks. What’s more, ISACA’s 2017 State of Cybersecurity Study reports that while 62% of IT security leaders experienced ransomware attacks in 2016, only 53% have formal processes in place to manage such incidences. (In this same study, a mere 31% of security leaders say they routinely test their IT security controls; 13% never test them and 16% don’t have an incident response plan!)

IT infrastructure security

So where’s a healthcare organization to begin? PointClear Solutions’ technology security leaders suggest these three steps:

1. Dig in deep by conducting a comprehensive security audit. This may mean engaging with an external resource. Regardless, evaluate and identify gaps in processes and procedures that support:

  • Application and systems security – Things like virus, hacking, and data leakage prevention
  • Network security – Permissions and user authentication protocols, WLAN security, and BYOD threat prevention
  • Cloud security – Approaches to API security, data residency, and regulatory standards adherence

Then, remediate, remediate, remediate.

2. Commit to making security a part of your culture. This means going beyond your chief security officer or system administrators to involve everyone involved in designing, building, maintaining, and/or interacting with your software systems. It also means recognizing that statements about security are always for a given point in time.  A system that is secured against known threats today may not be secure against new threats uncovered tomorrow.  For this reason, your security posture must evolve over time – and live and breath, rather than just stagnating in a file folder awaiting annual review.

Train and educate on an ongoing basis.  If your organization handles healthcare data, your employees and vendors should participate in regular HIPAA training and, depending on how they interact with PHI, may benefit from other certifications. Employees at all levels should also be helped to understand things like virtual-private networking and encryption – and they must be able to recognize potential phishing attempts (and know who to notify and how to handle such situations). It takes just one individual clicking on a malicious link or attachment for an organization to become infected with ransomware.


NEED HELP SHAPING YOUR ORGANIZATION’S SECURITY STATE OF MIND?

READ ABOUT OUR PRIVACY & SECURITY SOLUTIONS HERE.


Vet your partners. While it’s easy to have blind faith in your software vendors and partners, you should always take a “trust, but verify” approach to these relationships.

  • Check their credentials and certificates, if applicable, before engaging with them.
  • Confirm their deep understanding of (and ongoing commitment to adhering to) HIPAA privacy and security rules.
  • Get it in writing. Depending on the vendor relationship, contracts like a Business Associate Agreement (BAA) help document your expectations related to security for your partners. In some circumstances, you may need to audit the vendor’s compliance with these agreements in order to protect your customers from careless partners.

3. Develop an emergency response plan – and review and update it regularly. Such a plan should identify potential IT risks and the steps that need to be taken to mitigate effects or damage related to an incident. Your plan should include:

  • A list of key staff who need to be notified
  • Contact lists
  • Priority actions
  • Communication plans
  • An event log to track actions taken

To learn more about this topic, or to connect with one of PointClear Solutions’ technology experts about our software strategy, design, development, and management services), Contact Us. (And don’t forget to follow us on LinkedIn for more great content!)

SHARE THIS ARTICLE ON:

TALK with US

Digital Health Expertise to Support Your Success.

PointClear Solutions’ strategy, design, development, and management services can help elevate your brand reputation, grow your market share, and boost your revenues — all in record time. Connect with us to learn more.

Complete the form below, so that we can connect you with the right person. You’ll hear from a member of our team shortly.