Three Cybersecurity Blunders Putting Your Hospital at Risk

Malicious cyber threats and hacking techniques are constantly evolving, and the healthcare industry is a lucrative target. Arm your organization and its patient data by strategically addressing these three common cybersecurity flaws.

  1. Employee behavior - Daily employee behavior on company computers, devices and networks puts organizations at serious risk. A new survey from Spanning Cloud Apps found that 55 percent of employees regularly click on links that they do not recognize. Similarly, 45 percent said they let colleagues use their work computers, and 35 percent of respondents browse ecommerce sites at work without being able to tell whether a site is secure.

    To strengthen employee cybersecurity behavioral defenses, conduct regular phishing simulation tests (controlled, harmless phishing emails sent by the security team) to measure how many and which employees fail to recognize suspicious links. Ensure that those workers receive follow-up educational material promptly, and distribute an electronic cybersecurity handbook with screenshot examples to all employees. Maintain a log of the links, calls to action, formats and images used in real phishing attempts against the organization so that staff and the security team recognize recurring lures. Enforce a top-down culture of cybersecurity best practices so that employees at every level recognize the risks and respect their role in protecting the hospital or health system from cyber threats.

  2. Vendor and device vulnerabilities - When was the last time every medical device was inventoried with its age, software or firmware version, vendor support status and available upgrades? Are there devices no longer in active clinical use that remain connected to the network and still put the organization at risk? Recent cybersecurity reports show that attackers are using medical device error messages, which can disclose model, software version and configuration details, to learn about and gain access to a hospital's weak points. For device and software vendors, ensure that security risk assessments evaluate each vendor's potential threat to electronic protected health information (ePHI), and document the procedural steps taken to resolve those risks. Verify that vendors' written information security policies align with your organization's, that they maintain documented disaster recovery plans, and that role-based access to your data is enforced.

  3. No follow-up plans - Many healthcare organizations, especially community and rural hospitals and private physician practices, have no cybersecurity incident response plan. Without one, clinical care and operational effectiveness may be hindered, and additional human errors pile up as staff react emotionally to a cyber attack. For those organizations with plans, when were they last reviewed and tested? A plan that has never been exercised against realistic scenarios (for example, a tabletop walk-through of a ransomware outbreak) is unproven, which means that workflow and protocol gaps cannot be identified and fixed. Verify response plans with an external review to identify gaps and make recommendations based on cybersecurity best practices.
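The phishing-simulation follow-up described under item 1 above, as an added example that is not part of the original article: a Python script that reads a hypothetical CSV export from a phishing-simulation tool (the column names and the rows are constructed assumptions, not any vendor's real format), computes per-campaign click, credential-submission and report rates, lists who needs follow-up training after each campaign, and finds the repeat clickers whose earlier training did not stick.

```python
"""Summarise a phishing-simulation export to find who needs follow-up.

Added example, not code from the original article or from any vendor tool.
It assumes a hypothetical CSV export with one row per recipient and the
columns shown; the rows below are constructed sample data.
"""
import csv
import io
from collections import Counter, defaultdict

# Constructed sample export covering two campaigns for the same four users.
SAMPLE_EXPORT = """\
campaign,user,department,clicked,submitted,reported
2024-Q1,alice,nursing,yes,no,no
2024-Q1,bob,billing,no,no,yes
2024-Q1,carol,radiology,yes,yes,no
2024-Q1,dave,it,no,no,yes
2024-Q2,alice,nursing,yes,no,no
2024-Q2,bob,billing,no,no,yes
2024-Q2,carol,radiology,no,no,yes
2024-Q2,dave,it,no,no,no
"""


def _flag(value):
    """Interpret the tool's yes/no style values as booleans."""
    return value.strip().lower() in ("yes", "true", "1")


def parse_export(text):
    """Parse the CSV export into a list of per-recipient result dicts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        rows.append({
            "campaign": row["campaign"],
            "user": row["user"],
            "department": row["department"],
            "clicked": _flag(row["clicked"]),
            "submitted": _flag(row["submitted"]),
            "reported": _flag(row["reported"]),
        })
    return rows


def campaign_rates(rows):
    """Per campaign: fraction who clicked, submitted credentials, or reported.

    The report rate is the positive metric to track over time: a rising
    report rate with a falling click rate means the training is working.
    """
    totals = Counter()
    hits = {"clicked": Counter(), "submitted": Counter(), "reported": Counter()}
    for r in rows:
        totals[r["campaign"]] += 1
        for key in hits:
            hits[key][r["campaign"]] += int(r[key])
    return {c: {key: hits[key][c] / totals[c] for key in hits} for c in totals}


def needs_followup(rows, campaign):
    """Users in `campaign` who clicked or submitted and did not report it."""
    return sorted(
        r["user"] for r in rows
        if r["campaign"] == campaign
        and (r["clicked"] or r["submitted"])
        and not r["reported"]
    )


def repeat_clickers(rows, min_campaigns=2):
    """Users who clicked in at least `min_campaigns` distinct campaigns.

    These are the people whose follow-up training evidently did not stick
    and who warrant a different intervention than a first-time clicker.
    """
    by_user = defaultdict(set)
    for r in rows:
        if r["clicked"]:
            by_user[r["user"]].add(r["campaign"])
    return sorted(u for u, cs in by_user.items() if len(cs) >= min_campaigns)


if __name__ == "__main__":
    data = parse_export(SAMPLE_EXPORT)
    for campaign, rates in sorted(campaign_rates(data).items()):
        print(campaign, {k: f"{v:.0%}" for k, v in rates.items()})
        print("  follow-up:", needs_followup(data, campaign))
    print("repeat clickers:", repeat_clickers(data))
```

On the constructed data the click rate falls from 50 to 25 percent between campaigns while the report rate holds at 50 percent, and alice is the one repeat clicker; in practice the same three functions are run against each real export and the trend, not a single campaign's number, is what goes to management.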
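The device inventory questions under item 2 above, as an added example that is not from the original article: a Python audit over a constructed inventory, assuming each record carries the vendor's end-of-support date, the firmware version, an owning department and the date the device was last seen on the network (the field names and the fixed audit date are assumptions). It flags devices that are past or near end of support, have no recorded version, have not been observed for 90 days, or have no owner, and lists the stale ones as retirement candidates.

```python
"""Audit a medical-device inventory for unsupported, stale and unowned assets.

Added example, not code from the original article. The inventory fields
(end_of_support, last_seen, firmware, owner) are assumptions about what a
hospital's asset register holds; the records below are constructed sample data.
"""
from datetime import date

# Constructed inventory. end_of_support: vendor's published end-of-support date
# (None if unknown). last_seen: last day the device was observed on the network
# (from NAC, DHCP or passive monitoring); None if never observed.
SAMPLE_INVENTORY = [
    {"asset": "infusion-pump-01", "firmware": "4.2.1", "owner": "pharmacy",
     "end_of_support": "2023-06-30", "last_seen": "2024-03-09"},
    {"asset": "ct-scanner-02", "firmware": "9.0", "owner": "radiology",
     "end_of_support": "2025-12-31", "last_seen": "2024-03-01"},
    {"asset": "telemetry-gw-07", "firmware": "", "owner": "",
     "end_of_support": None, "last_seen": "2023-10-15"},
    {"asset": "ventilator-12", "firmware": "2.1", "owner": "icu",
     "end_of_support": "2024-08-01", "last_seen": "2024-03-10"},
]

# Constructed "today" so the sample run is reproducible (an assumption).
AUDIT_DATE = date(2024, 3, 10)


def _to_date(value):
    return date.fromisoformat(value) if value else None


def audit_inventory(inventory, today, stale_days=90, eos_warning_days=180):
    """Return {asset: [issue, ...]} for every device with at least one issue."""
    findings = {}
    for dev in inventory:
        issues = []
        eos = _to_date(dev.get("end_of_support"))
        seen = _to_date(dev.get("last_seen"))

        # Vendor support status: unknown, expired, or expiring soon.
        if eos is None:
            issues.append("no end-of-support date recorded")
        elif eos < today:
            issues.append(f"past end of support ({eos.isoformat()})")
        elif (eos - today).days <= eos_warning_days:
            issues.append(
                f"end of support within {eos_warning_days} days ({eos.isoformat()})")

        # Unknown version means the patch level cannot be assessed at all.
        if not dev.get("firmware"):
            issues.append("firmware version unknown")

        # A device nobody has seen recently is either retired but still listed,
        # or still plugged in somewhere nobody is watching. Both need a check.
        if seen is None:
            issues.append("never observed on network")
        elif (today - seen).days > stale_days:
            issues.append(f"not seen for {(today - seen).days} days; retire or verify")

        if not dev.get("owner"):
            issues.append("no owning department")

        if issues:
            findings[dev["asset"]] = issues
    return findings


def retirement_candidates(inventory, today, stale_days=90):
    """Assets not observed on the network for more than `stale_days`."""
    out = []
    for dev in inventory:
        seen = _to_date(dev.get("last_seen"))
        if seen is not None and (today - seen).days > stale_days:
            out.append(dev["asset"])
    return sorted(out)


if __name__ == "__main__":
    for asset, issues in audit_inventory(SAMPLE_INVENTORY, AUDIT_DATE).items():
        print(asset)
        for issue in issues:
            print("  -", issue)
    print("retirement candidates:",
          retirement_candidates(SAMPLE_INVENTORY, AUDIT_DATE))
```

The thresholds (90 days unseen, 180 days before end of support) are starting points; the point of running this on a schedule is that the questions in item 2 get answered by the register rather than by memory, and the telemetry gateway with no version, no owner and five months of silence is exactly the kind of forgotten device that still needs to be found.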

By tackling these three risk areas, you strengthen the strategic defense of your organization's patient data and IT systems, safeguarding smooth daily operations and clinical care.

Check back with Stoltenberg for additional health IT insight.