Whether you’re working within a small practice or a large hospital system with 10,000 users, you need to worry about cybersecurity.
The “bad guys” — the people trying to break into your system — are getting more sophisticated every year. No one can stop every break-in. Instead, IT must keep an eye on how best to reduce the number of breaches and minimize the damage of successful hacks.
Solutions include a combination of available technology, but also point to the need to truly address the human factor in network security.
One of the most prevalent challenges in the healthcare environment is “bring your own device.” With BYOD, employees and contractors who work from multiple locations use their own notebooks and tablets to access information, as do patients and guests who hop onto networks from their devices via patient portals or simply by using hospital Wi-Fi to stream a TV show while in the waiting room.
Today, many more people overall access provider networks. Patients may have visibility into one level of information, while doctors and nurses access different sets of data. Administrative staff, lab employees and even temporary staff and interns also require their own levels of access.
In addition, partner connections are all common targets for hackers: connections to other health systems, payers and at times departments (think PACS systems at another facility a hospital may partner with for radiology at a therapy center), as well as affiliates, subcontractors and acquisitions. If a partner or affiliate has access to the hospital’s data but a weaker security posture than the hospital’s own, the partner is the weakest link.
Laying baselines for secure partner access and security minimums to do business with health systems should be seen as a best practice today. Beyond managing such permissions, IT staff must also ensure that the network is reliable and efficient. Millions of processes run at once, allowing networking technology to enhance not only employee productivity but also patient health and safety.
Hundreds, and maybe thousands, of security applications are available to improve healthcare organizations’ network security. Given the risks I’ve laid out here, we see that two solutions in particular have become absolutely necessary:
Multifactor authentication software requires users to submit at least two pieces of information to access a system or network, helping to prove that they are who they say they are. Beyond entering a name and password, users may be required to type in a personal identification number or answer questions that only they would know the answer to. These layers help organizations prevent malicious network break-ins and comply with HIPAA regulations and requirements.
Next-generation firewalls are very popular technology in the healthcare realm. Like their older counterparts, next-gen firewalls help keep intruders out, but they take further steps to constantly monitor applications for data anomalies and inspect data coming in and out of the network. Some firewalls incorporate machine learning technology and can adapt quickly to address new network security situations and stop threats in their tracks before they propagate and take down an entire network.
While a lot of tech is available today to stave off threats, investment in the human factor is perhaps an even more critical defense. The latest firewall may not be able to defend against a malicious link clicked on by a curious staff member, but an educated employee can stop an attack before it begins.
Attacks against healthcare networks increasingly target individual employees and users. Known as phishing, such schemes entice users to click on an email or web link, which then introduces malicious code into the system. This can gum up or destroy systems, help hackers steal data, or even provide a method for hackers to extort money. So-called ransomware attacks are an increasingly common threat in the healthcare community.
Because of the intensity and sophistication of these attacks, the best defense is two-pronged:
From the management side, hospitals and healthcare providers should ensure policies clearly state all requirements for using and sharing data.
From a human resources perspective, every employee should receive regular training that explains how to detect and report potentially malicious attacks.
The bottom line: Even if only 10 percent of a hospital’s staff members actively scout for malware, the overall network and system will be that much safer.
There’s no doubt that cybersecurity today requires the support of a robust network. Detecting malware requires large chunks of computing power to generate and analyze mountains of data and metrics. When combined with the everyday networking needs of hospitals and care providers, it’s easy to see why healthcare networks must be robust, reliable and agile.
Things move quickly in the cybersecurity world. CDW’s recent white paper, “Healthcare Technology and the Patient Journey,” shares more information on how to set up and follow a more comprehensive approach to security, covering not only the technology but also the human factor, which may be the best way to reduce losses and keep patients and employees — and their data — as safe as possible.