2. Conduct a vulnerability assessment
Many physician practices have not taken the critical step of conducting regular vulnerability assessments because they believe their organization is too small to attract an attacker. But not knowing your vulnerabilities can hurt you, as both large and small organizations are exploited continually.
A comprehensive assessment will simulate potential attacks and test infrastructures to identify weaknesses and risks. That gives practices a complete picture of their environment from an attacker’s perspective.
Quarterly vulnerability assessments are recommended not only to test for new risks, but also to ensure that previous issues were fully remediated. When deployed properly, these analyses should provide practices with information on which devices and applications are vulnerable along with possible risks. It’s important that all key stakeholders come away from these assessments with a full understanding of each vulnerability, its perceived risk level and its potential solution.
In addition to vulnerability assessments, a penetration test should be conducted annually. This technique produces a more in-depth examination of security controls by employing a cybersecurity professional to conduct a “test hack” by attempting to find ways to breach an organization’s network system.
3. Remediate your vulnerabilities wisely
Once a practice’s weaknesses are identified, the next step is remediation. Far too often, healthcare organizations make less-than-optimal choices because they react out of fear, or they choose the most affordable solution as a band-aid approach.
It’s understandable on one level. Most small- to mid-sized physician practices are not in a position to purchase an expensive and comprehensive cybersecurity platform to address every angle of the security landscape.
A better approach begins with understanding that there is no cookie-cutter solution to cybersecurity. More than ever, healthcare executives, owners and administrators need customized strategies that supply practice-specific tools and leave out unnecessary elements, so that physician practices can address their own unique security situations.
The right partner can help you identify where to start by focusing on priority areas that represent the most bang for your cybersecurity buck. Perhaps the first goal is optimizing firewall management. Or perhaps the greatest need is stronger security for appliances and devices such as phone systems, Wi-Fi, email gateways or network access control. Expert guidance is critical to defining and developing a practice’s cybersecurity strategy at the right time and with the right tools, to minimize the potential for a breach and ensure the most cost-effective solution.
Physician practices face unprecedented demands on their time and resources. While current trends demand that organizations prioritize cybersecurity, it’s important to remember that the best approach does not generally take a linear path.
Sean Nobles is president of NaviSec, a veteran-owned IT security firm. He holds OSCP, NSE4 and CCNP certifications in network security and has spent more than 20 years in the service provider, military, financial services, value added reseller and call center industries. He is a combat veteran of the U.S. Marine Corps.