COPIC Comment: Back to the basics: Cyber risks
Tips to prepare your organization for emerging digital threats
In May, we were reminded of the cyber vulnerabilities that exist when a worldwide ransomware attack – referred to as WannaCry – infected more than 230,000 computers in over 150 countries. Hackers used a security flaw in Microsoft Windows to gain access to systems, and then they encrypted data files and demanded a “ransom” from users in bitcoins (a digital currency system).
Security experts were able to address WannaCry quickly, but these types of attacks are becoming more common and health care remains a key target. BakerHostetler, a national law firm that focuses on cyber legal issues, recently published its Third Annual Data Security Incident Response Report. The following are highlights from the report’s “Basics to Minimize Risk,” a set of best practices on how to prepare for and respond to cyber risks.
Increase awareness of cyber security issues
Employees should be aware of cyber risks and threats so they are informed on how to prevent and mitigate an incident. Organizations should proactively train employees on phishing and other social engineering threats. COPIC offers seminars and other resources to help educate insureds on this topic, and another great source of information is www.healthit.gov, a website overseen by the Office of the National Coordinator for Health Information Technology that provides EHR and mobile device security tips, training modules and videos, and a security risk assessment tool.
Identify and implement basic security measures
The following are top preventative measures a company can take to address vulnerabilities:
- Use multi-factor authentication for remote access to any part of the company’s network or data (e.g., email platforms like Outlook).
- Maintain a patch management system to ensure critical software patches are installed promptly.
- Remove admin rights from normal users and limit the number of admin accounts.
- Install a web proxy to block access to untrusted websites.
- Conduct periodic vulnerability scans and penetration tests to help improve the security of your network and systems.
Build business continuity into your incident response plan
Having data and systems unavailable can shut down an organization’s primary operations (e.g., patient information systems). Key questions the BakerHostetler report suggests considering are:
- Have you conducted a business impact analysis to identify the most critical systems and downtime impact?
- What are the systems backup procedures?
- How often are the full systems backed up?
- Where are the backups stored, and for how long?
- What are the procedures for restoring systems and testing them to ensure functionality?
Manage your vendors
Many vendors have some type of access to an organization’s systems and networks, and the vendor’s cybersecurity practices might not be up to snuff. Consider the following when engaging vendors who access, process or store sensitive information:
- Do they have an incident response plan and will they share it?
- Do both parties understand the information (and level of sensitivity) being given?
- Are the business associate agreements compliant under HIPAA (if applicable)?
- How are you monitoring your vendors during the relationship?
- Do you have a questionnaire or checklist to gauge the vendor’s information security practices and controls?
- Does the agreement include notification provisions for an incident that address required notice and who bears the financial responsibility?
Cyber risks have created a new area of focus for medical professionals that requires ongoing education and heightened awareness. Managing these risks is not an easy task for medical practices. Therefore, COPIC continues to look at resources to help our insureds implement best practices and adequately prepare. It’s another way we are dedicated to providing trusted guidance and support as technology influences the ways health care evolves.
Posted in: Colorado Medicine