To avoid a ransomware attack, put together a holistic cybersecurity program that fits your budget and addresses your highest areas of risk, suggests Ellen M. Derrico, MBA, a marketing/market development executive in healthcare and life science technologies and an independent consultant in West Chester, PA.
“If it is your people, focus on education and training,” she says. “Keep it simple, fun, and low cost, but make it effective.”
Phil Alexander, information security officer and director of information security at UMC Health System in Lubbock, TX, runs a competition on phishing and publishes the results in a Phish Market newsletter. IT security staff create phishing emails and send them to staff from what appears to be outside email addresses. They are “trying to look as legitimate as possible to see who they catch,” Derrico says.
The staff monitor who clicks on the links. Those who do not click end up in the Phish Market, and they also receive a T-shirt, Derrico says. “The competition has raised the visibility of phishing, the most popular way of infecting devices and getting ransomware into a network,” Derrico says. “It has also reduced phishing success by over 70% and increased the clinician satisfaction with IT by 88%.”
Alexander also runs a competition mimicking the characters in the “Men in Black” movie who are in search of “aliens,” which are suspicious downloads and USBs, infected devices, and other items. “When someone calls his department or emails to report something suspicious — an alien — he and his team show up dressed like the ‘Men in Black’ and give out a toy alien to put next to the computer or other infected device,” Derrico says. “The clinicians really seem to love it, and his department has earned their support and trust.”
More than 80% of cyberattacks can be attributed to human error or human involvement, according to The Doctors Company, in a just-released cybersecurity guide.1 “Provide ongoing security awareness for all employees,” the guide says. “Train staff members to avoid downloading, clicking on links, or running unknown USBs on computer systems.”
Make sure your policies and procedures for mobile and medical devices are robust, Derrico says. For example, perform an audit of your devices, including mobile and medical devices, she says. “Make sure all devices have the most current version of software, operating systems, and apps installed to prevent attacks/be most current,” Derrico says. “Talk with your vendors of mobile and medical devices to identify vulnerabilities … and work toward fixing these vulnerabilities or replacing your devices with newer, more robust devices.”
Your firmware should be up to date, Derrico says. Firmware is a software program or instructions that explain how the device communicates with other computer hardware. Also, ensure you can quickly quarantine an infected device, Derrico says.
“Make sure sensitive data are encrypted and access is well-managed, restricted, where need be, and governed,” she says. “The bottom line: Know where you stand, and be ready to make the right investments in security.”
If you don’t have your own IT staff, consider engaging an outside technology/IT expert who performs upgrades, tests the system for vulnerability, and is available to rapidly respond should a problem occur, suggests Mark Mayo, CASC, the ASC administrator at Chicago Surgical Clinic in Arlington Heights, IL. “This way, your expert is already familiar with your system, its architecture, and the programs you routinely run,” Mayo says.
Draft a written incident response plan for cyberthreats, and update these plans regularly, says Erik Rasmussen, JD, cyber practice leader with Kroll’s Cyber Security and Investigations practice, based in the company’s Los Angeles office. “Facilities should conduct simulated attacks, and we suggest using the tabletop exercise model to learn from these scenarios,” Rasmussen says.
If the highest area of risk is technology, use penetration testing, also called pen testing, to identify the weakest links that need to be fixed, Derrico suggests. These pen tests can be automated with software applications, or they can be performed manually. “In addition to being ready for it, surgery centers need to lobby hard for resources — money and people — to provide technology, training, and expertise on vulnerability testing and on security,” Derrico says, “So get your C-suite involved, help educate them on the cost, the need, and the benefits, including mitigating risk of an attack and preventing the cost of the attack and compliance violations.”
REFERENCE
- The Doctors Company. Cybersecurity and data breaches. Strategies to mitigate risk, monitor security, and respond in the event of a cyberattack. August 2016. Accessed at http://bit.ly/2bSCiCk.
