Cybersecurity recommendations for healthcare that won't break the bank

A closer look at HICP

HICP identifies five major cybersecurity threats healthcare organizations face. It also highlights 10 main cybersecurity tools and practices that a healthcare organization should use regardless of size. They include:

• Email protection systems
• Endpoint protection systems
• Access management
• Data protection and loss prevention
• Asset management
• Network management
• Vulnerability management
• Incident response
• Medical device security
• Cybersecurity polices

HICP breaks down how healthcare organizations can approach and implement cybersecurity recommendations by the size of the healthcare organization. The HICP guidelines make cybersecurity recommendations based on available resources or lack thereof.

Erik Decker

"Something that was very important through the whole process was we had a good mix that covered the provider community, the smalls, the mediums and the larges," said Erik Decker, chief security and privacy officer at University of Chicago Medicine and one of the main authors of the HICP guidelines. "We made sure that those voices were heard through the whole process so we weren't dominating it with the big players who have all the resources and money and people to handle all of the security stuff."  

The task force took into account that smaller healthcare organizations often lack the resources of larger organizations for security initiatives, according to Decker. Making sure there were cybersecurity recommendations that even smaller organizations could implement was a crucial part of the guidelines, he said.

Three cybersecurity recommendations

While Decker recommended healthcare CIOs or other leaders in charge of security at smaller organizations read through the first 30 pages of HICP to get an understanding of how to implement good healthcare cybersecurity practices, he also provided a handful of tips for getting started:

1. Follow assessment methodology

Decker suggested small healthcare organizations use the task group's recommended methodology to determine where and how they can start implementing healthcare cybersecurity practices. The methodology includes an Excel toolkit that enables organizations to prioritize the five threats: attacks against connected medical devices, loss or theft of equipment or data, email phishing attacks, ransomware attacks and insider, accidental or intentional data loss. The toolkit can help to indicate what cybersecurity best practice the organization should start with.

For example, if a healthcare organization rates phishing and ransomware as its biggest concerns, the toolkit will suggest email protection, such as flagging email messages from outside the organization as external or installing antivirus tools, as top cybersecurity recommendations.

Decker said the toolkit isn't available online yet, but organizations can reach out to the U.S. Department of Health and Human Services to receive it.

2. Education and phishing simulations

The biggest cybersecurity threat smaller organizations face is likely a phishing-related attack. One way to combat phishing attacks is education and phishing simulations where IT tests the staff by "phishing your own people," Decker said. Phishing simulations use cheap, cloud-based tools to capture data and issue a report on who clicked the phishing link and who provided credentials. The program then offers training to those who fell prey to the simulation. Based on his experience at University of Chicago Medicine, Decker said phishing simulations work to decrease susceptibility. And, by making it a game rather than a punitive-type metric, the staff is more responsive to his efforts.

"When I walk through the halls of the medical center, I get people stopping me on the way saying, 'You didn't get me this time, Decker.' And I'm like, 'hey, great, I'm glad,'" he said.

3. The internet is "dirty," so follow basic cyber hygiene rules

Decker described the internet as a dirty landscape. If a healthcare organization connects its computers to the network without safety precautions in place, an attack is inevitable, he said. It's important that healthcare organizations get past the "it's not going to happen to me" thinking. Healthcare CIOs need to find ways to install and maintain basic cybersecurity measures, such as having firewalls, encryption and properly secured medical devices, according to Decker.

"You wouldn't walk into a dirty bathroom with an open gash. That would be gross because it's highly likely to be infected," he said. "It's the same thing."