IT, and especially cybersecurity, is not your department. Why should you make this your problem? The answer is simple: because the next security breach could be your fault. There’s no malice in that; it’s simply a fact of life. Incidents that originate with hackers are in the minority.
Most data breaches are due to carelessness or simple mistakes. So what can you do to prevent data breaches in your organization?
I recommend that every company look for a K9 Cybersecurity blog that is specific to their industry. While it can be interesting to learn what’s going on in healthcare, if you’re trying to protect a financial services company, not all of the posts will be relevant. I suggest reading all about your issues first. Of course, comprehensive knowledge is required, but knowing about specific attacks and threats to your business is paramount.
Access control
Just as important as how people access your system is who accesses it. We hope you wouldn’t let any random patient from the ER walk freely through the hallways. (Although we all know there are still hospitals where you can walk right from the front door into the OR without once showing ID or turning over a key).
So make sure that only the people who should have access to your areas do. This may seem self-explanatory, but think about how many rooms you can get into with your keys. Are there computers or tablets in those rooms?
And that’s just the simplest form of access. At the cybersecurity level, different people should have access to different types of provider and patient data. And each of those levels of access should be password protected.
Think about your employees for a moment. You probably know one of their passwords. How many people know yours?
Create strong passwords
Every site has different (annoying) requirements for its passwords. Upper case letters, lower case letters, punctuation – but not that punctuation – and so on. So you probably have a few variations of the same password that you use everywhere.
Doesn’t that make it easier for someone who has access to your password in one place to guess it everywhere?
You know who uses the same password for everything? The manufacturers. Everything they ship that requires a password starts with a default password. So what happens if a hacker can figure out the default password for an MRI machine connected to the Internet? The hacker can get into any MRI machine that is connected to the Internet.
Unless the hospital changed the default password as soon as the device was purchased.
Understand what you have
Speaking of devices that are connected to the Internet: What do you know about the Internet of Things? Every device in your hospitals that is connected to the Internet needs to be secure.
And notice we didn’t say “every device you bring into your hospitals.” Every laptop and iPad – even every pacemaker connected to the Internet – that comes through your doors opens the door for a security breach.
Make sure you have individual passwords and network connections for all Internet-connected devices, and monitor what users are doing over those connections.
Update your technology
This point is pretty straightforward. The older a system is, the more vulnerable it is. Technologies developed a year ago have fewer protections than those coming out today, and the further back you go, the more time hackers have had to figure out how to break through those protections.
In the 1980s, there was a documentary about a teenager who almost started World War III with a relatively primitive computer. Imagine what today’s hackers could do with those old systems.
Prepare for the worst
Something bad is going to happen. Sorry, it just will. As soon as a security breach is discovered – whether it’s a thief leaving the hospital with a laptop or an employee accessing patient data over the Internet at McDonald’s – the breach needs to be reported.
Your organization needs a plan for dealing with security breaches. And this doesn’t rest on your shoulders alone. Discuss it with IT, the employees you report to, and the employees who report to you. Figure out the best way to acknowledge a data breach and what steps to take in response.
It doesn’t have to be your fault if the wrong people get their hands on your company’s – or your patients’ – data. But if you don’t take steps to strengthen your cybersecurity, it will be.