Tips to Prevent Cyberattacks
Cybercrime prevention requires a plan for how to back up data, assess a system for vulnerabilities, manage cybersecurity, and handle regulatory and legal repercussions should a breach occur.
“Take a proactive approach. Monitor logs, look at vulnerabilities, and watch for trends over time,” suggests Dan L. Dodson, president of Fortified Health Security.
“First, you need an understanding of potential vulnerabilities within your environment and the potential exploitability of those,” Dodson explains.
For instance, an ASC might use old technology that prevents it from deploying a security patch, he says. “You have to plan around how to navigate that risk, and one way is by monitoring it.”
Cybersecurity monitoring can detect actions that indicate someone is trying to breach the system. For example, monitoring would flag that at midnight, someone tried to change the admin login or entered an admin password dozens of times.
“That’s not normal, and if one of our analysts picked up on that, we would call the client and say, ‘Did you get a new admin and upgrade the system last night?’” he says.
Without monitoring the system for breaches, an organization might never know about a security problem.
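The midnight scenario above can be written as a detection rule. This is an added example, not code from the article or from Fortified Health Security. The log format, admin account name, working hours, failure threshold, and time window are all assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (constructed for this example):
#   "<ISO time> <EVENT> user=<name> src=<ip>"
LINE_RE = re.compile(r"^(\S+) (LOGIN_FAIL|LOGIN_OK|ADMIN_CHANGE) user=(\S+) src=(\S+)$")
ADMIN_USERS = {"admin"}          # assumed admin account names
BUSINESS_HOURS = range(7, 19)    # assumed normal working hours, 07:00-18:59
FAIL_THRESHOLD = 12              # assumed cutoff for "dozens of times"
WINDOW = timedelta(minutes=10)   # failures are counted inside this sliding window

def parse(lines):
    """Yield (timestamp, event, user, src) for lines that match the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, event, user, src = m.groups()
            yield datetime.fromisoformat(ts), event, user, src

def detect(lines):
    """Return alerts for off-hours admin changes and admin login-failure bursts."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for ts, event, user, src in parse(lines):
        if user not in ADMIN_USERS or ts.hour in BUSINESS_HOURS:
            continue  # only admin activity outside working hours is of interest
        if event == "ADMIN_CHANGE":
            alerts.append((ts, "off-hours admin account change", src))
        elif event == "LOGIN_FAIL":
            # Keep only failures from this source still inside the window.
            recent[src] = [t for t in recent[src] if ts - t <= WINDOW] + [ts]
            if len(recent[src]) >= FAIL_THRESHOLD and src not in flagged:
                flagged.add(src)  # alert once per source, not once per failure
                alerts.append((ts, "repeated off-hours admin login failures", src))
    return alerts

def sample_log():
    """Constructed sample: one daytime typo, then 24 midnight failures and a change."""
    start = datetime(2024, 3, 5, 0, 1, 0)
    lines = ["2024-03-04T14:02:11 LOGIN_FAIL user=admin src=10.0.0.15",
             "2024-03-04T14:02:40 LOGIN_OK user=admin src=10.0.0.15"]
    lines += [f"{(start + timedelta(seconds=5 * i)).isoformat()} "
              "LOGIN_FAIL user=admin src=10.0.0.77" for i in range(24)]
    lines.append("2024-03-05T00:04:10 ADMIN_CHANGE user=admin src=10.0.0.77")
    return lines

if __name__ == "__main__":
    for ts, reason, src in detect(sample_log()):
        print(ts.isoformat(), reason, src)
```

An alert from a rule like this is the point at which an analyst would phone the client to ask whether the activity was expected.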
Another tactic is to invest in adequate backup for the computer system and files. This should be part of a HIPAA risk assessment, says F. Paul Greene, Esq., chair of the privacy and data security practice group at Harter Secrest & Emery.
“This should be part of your HIPAA risk assessment — to look at data and the systems and assess how often it has to be backed up,” Greene says.
If a surgery center saves its data every day, then a breach or ransomware attack would result in a limited amount of data loss.
Finally, if a site has been the victim of a ransomware attack, keep in mind that the attack is just the beginning of the problem, Greene says.
“You must have policies and procedures in place to comply with HIPAA obligations and state laws, and everything down to the local level. New York City has data security laws on the books,” he explains. “It’s an incredible patchwork you have to navigate when you have a breach.”
Besides the legal issues that arise with a ransomware attack, there also is the additional cyber risk. Once a healthcare organization becomes the victim of a successful attack and pays the ransom, they’re going to be attacked again. Plus, the decryption key does not work instantly. It can take days to regain access to data after paying the ransom and obtaining the key, Greene warns.
Healthcare organizations that lack an adequate risk management plan for cyber threats could be vulnerable if a breach occurs and the facility is investigated by the Office of Civil Rights, Dodson notes.
“The way they run their assessments is they don’t hold a small [ASC] to the same standards as a hospital,” he explains. “They’ll compare the reasonableness of its plan to its peer group. But the answer cannot be, ‘We have not done an assessment.’”
One of the biggest challenges an ASC might experience in addressing cyber threats involves educating staff about cybersecurity and how they can prevent threats, Dodson says.
“The best advice I can give people is it is top-down. Everybody, from the CEO to management, has to be aware of this and focused on educating their employees,” he says.
There is affordable technology that can fake a phishing campaign and highlight which departments and/or staff need additional education, Dodson says. “Really being proactive is the best defense for that.”