Repelling Cybersecurity Events
In recent years, many healthcare organizations have stepped up their cybersecurity efforts, but phishing scams and ransomware attacks have become more sophisticated. Healthcare remains a prime target for criminals. Cybercriminals have learned that healthcare organizations not only maintain large quantities of data but also will pay substantial sums of money to avoid an interruption in patient care and protect the safety of patients.
Healthcare’s recent digital expansion means cybercriminals have more targets. Telehealth, remote patient monitoring and patient-focused digital tools, such as mobile health tracking apps and patient portals, extend a health system’s digital landscape far beyond a physical campus.
The pandemic has also brought cybersecurity challenges to the forefront. More employees working off-site means information from across the organization is accessed from unvetted locations. This requires attention to how the remote workforce’s processing, access and storage of data is secured.
The following actions can be taken to help organizations prepare for and repel a cybersecurity event:
Build your human firewall. A key takeaway of the publication is that cybersecurity can no longer be viewed only as the province of the IT department but must be the responsibility of all staff who have access to digital information, EHRs or network resources.
It cannot be overemphasized that organizations must build a culture of cybersecurity, also called the human firewall, in addition to their existing technical security programs. Basic cyber hygiene and patching will always be required. However, it only takes one person falling victim to a phishing scam to jeopardize the whole organization’s security posture, so the days of cybersecurity being solely IT’s responsibility are gone forever. This requires an awareness of cybersecurity threats, a continuous evaluation of existing threats and the incorporation of preventive strategies at all levels of the organization.
Gain senior leadership buy-in. A defining characteristic of an organization that establishes its human firewall is ardent buy-in from leadership. Effective senior leaders make sensitivity to cybersecurity threats and organizational preparedness part of the way the organization performs its work. An important step is supporting the chief information security officer’s promotion of cybersecurity programs. One program of importance is the development of a strong human firewall that achieves the following four objectives:
- Identification of social engineering attempts to obtain confidential information or a user’s credentials. Do staff know how to identify a phishing email or text?
- Rapid identification of a cyber event. Do staff know the signs of a cyberattack and how to report one?
- Rapid response to a cyber event. Do staff know how to contain a cyber event?
- Continuous improvement. Is the program frequently reviewed and modified as needed?
Cybersecurity threats should be treated as a matter of when, not if. A strong human firewall requires an awareness of vulnerabilities and responses at all levels of the organization.
Establish staff training programs. With staff expected to take a greater role in cybersecurity, organizations would be remiss to neglect staff training. Training needs to include the entire workforce, not just clinicians. Every member of the organization needs to know that they are a critical part of an organization’s cyber defense and be educated to anticipate both conventional and nonconventional intrusions. These exercises should be tailored to different staff roles and the technology frequently used in each position.
To stay ahead of new threats, staff training cannot be a one-and-done event. Regular refreshers need to be part of the plan. Periodically evaluate staff to ascertain whether they appropriately respond to test cyber challenges such as phishing or social engineering tests. Based on the results of the testing, additional training should be conducted and the cycle repeated.
Testing should cover how to identify a cybersecurity incident and what to do when one occurs, and it should not be limited to phishing tests.
Incorporate cyber emergency management. Responses to cybersecurity attacks need to be incorporated in other emergency plans. This includes having a clear link to business continuity and emergency management plans and ensuring staff can identify when a cyber incident should trigger the plan.
Any plan should include how to safeguard the greatest amount of data and information in a cyber event and who to notify if a potential breach occurs. In addition, operational contingencies need to be in place if a cyber event impacts some or all IT and biomedical systems. Staff can limit the impact of cyber events by thinking ahead and protecting critical backups from cybercriminals and making sure that offline emergency documentation is kept up to date.
Be mindful of staffing. Thinly spread staff and workforce burnout are growing issues as employees are asked to be more efficient and do more with the same or less. Overstretched and burnt-out staff make it challenging to maintain an effective human firewall because they are prone to making mistakes that affect security. Organizations, in recent years, have reduced headcounts to be as operationally efficient as possible. This limited staffing creates a challenge in how to prioritize daily operational responsibilities and strategic projects with important cyber initiatives and cyber responses. Senior organizational leadership needs to be mindful of these challenges and collaborate with IT and business leadership to ensure that one does not suffer because of the other and either clearly reprioritize activities or bring in additional staff as needed. This will be easier for some organizations than others, especially in the current climate, where, even if there is a desire to bring in additional staff, many organizations are struggling with recruiting and maintaining their workforce.
As an alternative, in some cases, to hiring a consultant or bringing in additional IT staff, a wealth of free and trusted resources is available from government agencies and business partners. Free resources that highlight best practices and offer cybersecurity tools are available from Cyber Insurance Carriers, Cybersecurity & Infrastructure Security Agency, Healthcare and Public Health Sector Coordinating Council, InfraGard, Internet Crime Complaint Center, National Institute of Standards and Technology, and SANS.
The Joint Commission is also always willing to share its winning practices, and it will continue to post cybersecurity guidance and recommendations on its website for public use.
—Adapted from “Repelling Cybersecurity Events,” Healthcare Executive, Patrick Ross, associate director, Federal Relations, The Joint Commission, Oak Brook, Ill.; and Michael DeGraff, director, Enterprise IT Security, The Joint Commission, Oak Brook, Ill.