Why security basics are the key in safeguarding data
Security professionals instinctively may seek sophisticated tools to bolster protection, but they often don’t have the staff to implement them. It’s time to go basic.
Healthcare has seen a lot of alarming but not surprising headlines in the first half of 2024, as some of the largest cyberattacks in the industry’s history have had severe operational, financial and legal effects.
Organizations that are not resilient may find returning to normal operations daunting, and potentially crippling, while responding to and recovering from a cyberattack. In most cases, the reaction is to reach for the latest, most sophisticated and, often, most expensive solutions. These strategies will still fall short if the basics are not covered and built in as the foundation of an organization’s security program.
First, master the obvious
The absence of a basic control – multi-factor authentication (MFA) – left Change Healthcare vulnerable to a cyberattack. And while Change is one of the most recent examples, there are many similar stories.
So, before searching for the latest cybersecurity technology, first ensure that the basics are in place. The building blocks of a good cybersecurity strategy are still the most critical to protecting an organization from hackers. These seemingly “old” or “mundane” best practices should be the foundation before more technology is added on top of them.
In fact, CISOs and CIOs often lament that they have more technology than they have FTEs to own and manage it, leaving them with significant investments in technology with little return. It’s not because the technology can’t deliver the ROI, but because without someone to help manage and optimize the use of technology, it’s likely to sit in the “junk drawer” of other strategies that didn’t pan out.
In light of this, the following cybersecurity basics should be the first areas of focus for an organization to minimize vulnerabilities.
Risk analysis
This is critical, not only because it’s required by the HIPAA Security Rule but also because it’s the most fundamental building block to effective cybersecurity and compliance. Organizations continue to struggle with performing ongoing risk analysis on all the systems that store, process or transmit protected health information, and they often lack the ability to demonstrate proper risk response to address known risks.
In fact, 90 percent of OCR enforcement actions regarding electronic protected health information (ePHI) cited failure to complete a thorough and comprehensive risk analysis. This includes lacking required details, not being comprehensive enough, not following OCR guidance and not providing adequate documentation or evidence.
So security officers need to start here and ensure that risk analyses include a complete information asset inventory, thus making sure that basic controls don’t get overlooked.
Business impact analysis
Business impact analysis is a predecessor to the next category on this list – incident response planning. It gives an organization visibility into critical business functions, processes and the resources on which they depend.
It also helps quantify the impact incursions may have on an organization in various scenarios. For example, if payroll goes down, it’s not great, but it doesn’t have an immediate impact on patient safety. However, if the electronic medical records system goes down, patient outcomes are at risk. Both are critical functions of the business; both should be accounted for in disaster recovery and incident response plans.
Incident response planning
Incident response planning includes incident response rehearsal. When it comes to responding to a cyber incident, timing is everything, and what will already be a stressful situation will be made more stressful by a plan that was documented and then forgotten.
In light of the current threat landscape in healthcare and the prevalence of cyberattacks, healthcare organizations must shift their mindsets from doing something once or annually to regularly reviewing and practicing their plans.
Detection, response and vulnerability management
An estimated 80 percent of ransomware attacks take place outside normal business hours, and the ransomware itself is at the end of the attack chain. Anyone reading the ransom note can expect that user accounts have already been stolen, vulnerabilities were exploited, a cybercriminal went undetected on a network, and data was exfiltrated.
Having effective threat detection and response can prevent the attacker from freely operating on a network, and utilizing timely and effective patching can prevent the attacker from gaining access altogether or deploying the payloads used to ransom data.
Many of today’s attacks can be prevented with formal and effective vulnerability and patching programs, fortified by adequate threat detection and response.
Workforce training
Healthcare organizations’ employees continue to be targets of attacks, with the attackers’ common objective being to steal credentials or deliver the malicious payloads used to ransom data.
Attackers are deploying rapidly evolving social engineering tactics that are sophisticated and convincing. Workforce training and awareness are paramount to protecting an organization and its data.
Security executives must provide continuous security awareness and training at all levels of the organization so everyone knows what to look for, how to respond and who to call in the event they suspect foul play.
Dave Bailey is vice president of security services at Clearwater.