Headed to RSA in San Francisco? May 6-9 | Join us!

How to Minimize the Risk of Healthcare Cyberattacks

This year, we’ve seen an influx of healthcare cyberattacks where threat actors have stolen large volumes of electronic protected health information (ePHI) and personally identifiable information (PII). It’s a familiar problem: the healthcare sector lost more than $20 billion in 2020 as the result of ransomware attacks alone. Now, the threat level is only rising.  

To protect themselves, healthcare organizations need to implement a robust cybersecurity program. From completing assessments, to partnering with cybersecurity vendors, or updating internal processes, there are specific actions healthcare organizations should pursue to minimize their risk of a cyberattack. 

In this blog, we’ll detail which steps healthcare organizations can take to help bolster their internal defenses. 

Focus on Strengthening Internal Resources 

Even more important than finding strong partners is creating a strong security structure within your own organization. To do so, begin by appointing a security officer and a privacy officer. The individuals in these roles should develop and document security and privacy policies, standards, and procedures to ensure all personnel are aware of their responsibilities. As can be said for all important guidelines, every employee should have easy access to this information.  

An internal security committee composed of stakeholders from all departments across the organization should also be established. By making sure every branch has a representative present, organizations can more easily identify cross-departmental vulnerabilities.  

The goal of the committee is to perform a risk assessment and develop controls to mitigate risk to an acceptable level. Some of those controls include: 

  • Installing endpoint protection on all company devices and servers. 
  • Implementing media and mobile device policies and encrypting data at rest.  
  • Enforcing a strong WPA AES-256 encryption policy for all wireless networks. 
  • Adopting Open Web Application Security Project (OWASP) level security when developing applications and deploying changes. The Committee must patch all systems periodically to ensure they are operating under the best practices.  
  • Installing security information and event management (SIEM) tools to detect and monitor all activities within the network. 
  • Ensuring the organization has put an Incident Response Plan in place, along with testing the plan on an annual basis.  

On a broader level, there are certain actions that all employees at healthcare organizations should take to aid in security efforts. These include completing a comprehensive security awareness and HIPAA training on an annual basis, ensuring all of the software they use is up to date, and reading and acknowledging their organization’s Acceptable Use Policy. 

Partner With Vendors Who Can Mitigate Risk During Healthcare Cyberattacks 

In addition to pursuing audits and assessments, healthcare organizations should seek out partnerships with vendors who specialize in cybersecurity services. 

While most organizations likely already have a dedicated IT team, they should still maintain a relationship with a breach forensic firm. Not only will a firm help an organization identify and report breaches in a timely manner, but they will also make sure the organization stays in accordance with all of the compliance standards they follow, such as the HIPAA breach notification law.  

Additionally, organizations should make sure they have a cyber insurance plan in place. As there is no framework or guideline that can 100% eliminate the possibility of a cyberattack, having an insurance policy will minimize the amount an organization would have to pay if a breach should occur.  

Focus on Compliance and Security Assessments  

There are several security compliance assessments unique to healthcare organizations that can help ensure information remains private and protected. For organizations that store, process, or transmit, ePHI, HIPAA compliance is a must. HIPAA is a U.S. law that was enacted to protect sensitive patient data. For organizations that are uncertain if they are currently HIPAA compliant, a third-party organization like A-LIGN can review current safeguards in place and identify areas where organizations can enhance their information security program. A-LIGN’s audit experts created A-SCEND’s HIPAA Readiness Assessment– the only SaaS compliance management solution that includes live auditor assistance, making it a fast and easy way to achieve HIPAA compliance. 

The most reliable ways on demonstrating HIPAA compliance is by using the HITRUST CSF to perform a certification or by using the AICPA Trust Services Criteria to perform a SOC 2+HIPAA Attestation.  

Healthcare organizations should also complete an organization-level Enterprise Risk Assessment. This assessment identifies all the critical assets of the organization, determines the threats to those assets, and ranks the risks based on the probability and impact of an asset being compromised. It’s a key step in identifying threats and implementing controls to mitigate risk.  

Another great, proactive way to protect data and mitigate risk is to conduct a penetration test. These tests simulate a network attack and illustrate how your organization would respond. It’s a great way to identify gaps in your security infrastructure and fix them before a bad actor takes advantage. 

How Organizations Can Act Now  

Throughout 2022, threat actors will likely still view healthcare cyberattacks as a worthy endeavor — especially small and mid-sized providers and their associates. To minimize the risk of healthcare cyberattacks, organizations should look to pursue relevant audits and adhere to compliance standards, partner with organizations who can assist during incidents, and bolster internal resources via key hires or the development of a dedicated security committee.  

Ready to dive in? Reach out to A-LIGN to review your HIPAA compliance or complete a HITRUST audit.