With such a broad range of potential security weaknesses, organizations must take a layered approach to IT security.
In today’s connected world, the extent of threats to a healthcare organization’s information technology systems can be vast, ranging from latent vulnerabilities in software to user error. With such a broad range of potential security weaknesses, organizations must take a layered approach to IT security because there is no single, bulletproof method to protect IT systems and the data stored on them. Instead, the best practice is to use your HIPAA security risk assessment process to identify and implement security measures that fit the size and scope of your organization. Below, we outline some leading practices for building effective IT security defenses.
Perimeter defenses
For many years, organizations were able to get by using the basics – firewalls, passwords and annual training sessions – to secure their information systems. Due to the sophisticated tactics and tools being used by threat actors, organizations now must use advanced security measures to safeguard their systems. Examples of key modern defenses include using multi-factor authentication on all internet-facing access points, deploying endpoint monitoring software and implementing advanced password policies (e.g., passphrases, complex 16-character passwords, etc.).
In-network defenses
Even with state-of-the-art perimeter defenses, threat actors can still gain access to IT networks using tactics such as sending sophisticated phishing emails and exploiting software bugs. As a result, organizations must use additional security measures inside their networks to protect their data. Modern safeguards include encrypting PHI and other sensitive data, both during transmission and while at rest in the network. Another effective defense is to outsource data storage to U.S.-based service providers. This allows for the separation of sensitive data from the rest of an organization’s IT systems. It is also critical to back up systems and keep those backups fully segmented from the primary network. In the event of a ransomware attack, a viable set of backups is crucial to avoid having to make a substantial extortion payment to decrypt the network.
Continuous education
Another key to cybersecurity is alerting workforce members to different cyber threats. However, annual training is insufficient to ensure that your employees remain aware of the latest ploys. Organizations should implement regular phishing exercises to test employees’ ability to avoid malicious messages.
Another effective educational tool is conducting a tabletop exercise to simulate an actual cyberattack. The value of this exercise is that it causes an organization to address in advance the difficult decisions it will confront during a ransomware attack. Every organization should consider the challenges it may encounter in setting up alternative workflows when its IT systems are disconnected. Also, organizations often have not thoroughly evaluated under what circumstances they would consider negotiating with a threat actor after a ransomware attack. Simulating an attack helps organizations talk through these and other challenging details in responding to a cyberattack. Planning the response for an attack before it occurs helps to minimize the “fog of war” that typically arises after an attack.
Despite organizations’ best efforts to secure their systems, threat actors evolve and develop new methods to infiltrate even the most well-designed IT networks. To be truly prepared, an organization must be of the mindset that a cyberattack will happen at some point. Accordingly, it should begin thinking and planning proactively to best position itself to respond robustly, recover quickly from an event and mitigate potential harm to the individuals whose data may have been compromised. No one can predict the moment a cyberattack will happen, but any organization can implement the above measures now to prepare to be in the best position to control the fallout.
Patricia A. Markus is a partner with Nelson Mullins Riley & Scarborough LLP. Based in Raleigh, she represents healthcare providers and health technology companies on wide-ranging regulatory compliance, reimbursement, licensure and operational matters.
Brad C. Moody is a partner with Nelson Mullins Riley & Scarborough LLP and co-chair of the firm’s data breach response practice. Based in Jackson, Mississippi, he counsels clients in response to cybersecurity and other data incidents and provides guidance on ensuing governmental investigations and actions.