One of the biggest worries hospices face today is the threat of a cyberattack. The healthcare industry is a prime target for cybercriminals due to the sensitivity of the data stored and the critical need to maintain business continuity in the event of an attack. While TCN members are most likely not going to experience a ransomware situation, there are other threats that could result in a breach of patient information, loss of data, or significant interruption of mission-critical services.
Okay, now that I have your attention, let’s look at some important protections you could implement now to mitigate your risk of a cyberattack.
The Threat: Cyberattack Causing Interruption of Service to Your Patients
The Risk Mitigation:
- Phishing is the most common cyber threat seen in healthcare. It usually arrives by email: a message carries a malicious link or attachment, and someone (yes, even one person) clicks or opens it and launches the attack. These emails can look very convincing, often appearing to come from a regulatory or governmental organization. Guard against phishing attempts by implementing a staff training program, including phishing exercises, to raise staff awareness about the risk of visiting suspicious websites, clicking on suspicious links, and opening suspicious attachments, and to teach staff to check the actual sender address and the real destination of a link before acting on a message.
- Implement Multi-Factor Authentication (MFA). Most people are now familiar with this because they experience it when logging into commonly used applications like banking, social media, and shopping sites. It simply involves requiring a second "factor" in addition to a password when the user logs into an account. Since passwords can be difficult to remember, people tend to reuse the same ones at many different sites, so a password stolen from one site often unlocks others; with MFA in place, the password alone is not enough to get in. MFA is one of the simplest and most valuable security controls an organization can implement. I’ve seen estimates that almost 90% of cyberattacks could have been prevented had MFA been in place.
- Install and regularly update antivirus and anti-malware software on all hosts, and hold your vendors to the same standard. Hospices often rely on vendors to host their software and secure their data, yet the vendor’s security policies are frequently unknown to the hospice organization. Require vendors to provide visibility into their security practices and risk assessments, and periodically audit vendor user accounts to confirm that each account still needs the access it has. Likewise, ensure all servers and devices you manage have updated antivirus and anti-malware software.
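The phishing bullet above describes a convincing message whose link does not go where it claims. The following is an added illustration, not code from TCN or from the original article, of the two checks staff are trained to make (who really sent it, and where the link really goes), done programmatically over a constructed sample message. The sender domains, addresses, and message text are invented for the example; the domain check uses a crude last-two-labels heuristic rather than the public suffix list.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample message for this example (not a real email). The display name
# claims a government sender, the address domain is a lookalike, and the link's
# visible text shows one site while its href goes somewhere else.
SAMPLE_EMAIL = """\
From: "CMS Compliance Office" <alerts@cms-gov-notices.example>
To: billing@hospice.example
Subject: ACTION REQUIRED: Medicare survey response overdue
Content-Type: text/html

<html><body>
<p>Your survey response is overdue. Review it at
<a href="http://login.cms-gov-notices.example/survey">https://www.cms.gov/survey</a>
within 24 hours to avoid penalties.</p>
</body></html>
"""

# Constructed benign message: link text, href, scheme and sender domain all agree.
BENIGN_EMAIL = """\
From: "TCN Updates" <news@tcn.example>
To: billing@hospice.example
Subject: Monthly newsletter
Content-Type: text/html

<p>Read this month's issue at <a href="https://www.tcn.example/news">https://www.tcn.example/news</a>.</p>
"""


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two DNS labels; a crude stand-in for a public-suffix-list lookup."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def hostname_in_text(text: str) -> Optional[str]:
    """Hostname if the visible link text itself looks like a URL or domain, else None."""
    host = urlparse(text if "://" in text else f"//{text}").hostname
    if host and re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", host):
        return host
    return None


def phishing_indicators(raw_email: str) -> List[str]:
    """Return human-readable indicators found in one RFC 5322 message (empty if none)."""
    msg = message_from_string(raw_email)
    findings: List[str] = []

    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = registrable_domain(sender.rsplit("@", 1)[-1]) if "@" in sender else ""

    body = msg.get_payload(decode=True) or b""
    collector = LinkCollector()
    collector.feed(body.decode(msg.get_content_charset() or "utf-8", "replace"))

    for href, text in collector.links:
        target = urlparse(href)
        shown = hostname_in_text(text)
        # 1. The text the reader sees is a URL, but the href goes to a different host.
        if shown and target.hostname and shown != target.hostname:
            findings.append(f"link text shows {shown} but href goes to {target.hostname}")
        # 2. A link served over plain http, so anything typed into it travels unencrypted.
        if target.scheme == "http":
            findings.append(f"unencrypted http link to {target.hostname}")
        # 3. Link domain differs from the sender's own domain (worth a second look, not proof).
        if target.hostname and sender_domain and registrable_domain(target.hostname) != sender_domain:
            findings.append(f"link domain {registrable_domain(target.hostname)} differs from sender domain {sender_domain}")
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_EMAIL), ("benign", BENIGN_EMAIL)):
        print(name, phishing_indicators(raw) or ["no indicators"])
```

The third check fires on plenty of legitimate mail (newsletters, ticketing systems), which is why the staff-training message is "pause and verify", not "a mismatch means phishing"; the first check, visible text that is itself a URL pointing at a different host, is the one with almost no innocent explanation.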
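The MFA bullet above says that a stolen or reused password alone should not be enough to log in. As an added example, not code from TCN or from the original article, here is the mechanism behind the most common second factor, the six-digit code from an authenticator app (RFC 6238 TOTP), wired into a login check that requires both the password and a current code. The user name, password, and enrolment record are constructed for the example; the `enroll` and `verify_login` helpers are hypothetical names, not any product's API.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Dict, Optional

TOTP_STEP = 30      # seconds per code, RFC 6238 default
TOTP_DIGITS = 6
TOTP_SKEW = 1       # also accept the previous and next step to tolerate clock drift


def totp(secret: bytes, at_time: int) -> str:
    """RFC 6238 TOTP (HMAC-SHA1, 30-second step, 6 digits), as an authenticator app computes it."""
    counter = struct.pack(">Q", at_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{truncated % 10 ** TOTP_DIGITS:0{TOTP_DIGITS}d}"


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 so a leaked database does not give up the passwords directly."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def enroll(password: str, totp_secret: Optional[bytes] = None,
           salt: Optional[bytes] = None) -> Dict[str, bytes]:
    """Create a stored user record: salted password hash plus a per-user TOTP secret.

    The secret is shared with the user's authenticator app once, at enrolment
    (usually as a QR code); the server never sends it again.
    """
    salt = salt or os.urandom(16)
    secret = totp_secret or os.urandom(20)
    return {"salt": salt, "pw_hash": hash_password(password, salt), "totp_secret": secret}


def verify_login(user: Dict[str, bytes], password: str, code: Optional[str],
                 now: Optional[int] = None) -> bool:
    """Both factors must check out; a correct password with no (or a wrong) code is rejected."""
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["pw_hash"]):
        return False
    if not code or not (code.isascii() and code.isdigit()):
        return False
    now = int(time.time()) if now is None else now
    for step in range(-TOTP_SKEW, TOTP_SKEW + 1):
        expected = totp(user["totp_secret"], now + step * TOTP_STEP)
        if hmac.compare_digest(expected, code):
            return True
    return False


if __name__ == "__main__":
    user = enroll("Hospice2024!")          # constructed example credentials
    # Attacker holding the reused password but no authenticator: rejected.
    print("password only:", verify_login(user, "Hospice2024!", None))
    # Legitimate user reads the current code from the authenticator app: accepted.
    current = totp(user["totp_secret"], int(time.time()))
    print("password + code:", verify_login(user, "Hospice2024!", current))
```

Two caveats a deployment adds on top of this: a code that has already been accepted must not be accepted again within its window (replay), and the per-user secret has to be stored with the same care as the password hashes, since anyone who reads it can generate codes. Neither changes the point the bullet makes: the password by itself never opens the account.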
Unfortunately, there is a high probability that your organization or your software vendor will experience some type of cyberattack at some point. It’s important to assume the worst and plan for it by documenting a comprehensive Business Continuity Plan and conducting periodic tabletop exercises to test the effectiveness and viability of the plan. A business continuity plan assumes interruption of mission-critical services and outlines, in detail, the roles and responsibilities, processes, and communication strategies the organization will launch in such a situation. Experts say there are four steps to developing the plan.
- Prepare a business impact analysis by identifying mission-critical functions and processes and the technical and human resources required to support the continuation of these functions.
- Identify and document the steps that would be needed to recover these critical functions and processes. This may require collaboration with software vendors.
- Organize a cross-functional Business Continuity Team to document the plan.
- Conduct training on the Business Continuity Plan, and organize testing and tabletop exercises to evaluate both the recovery strategies and the plan itself.
I’ve participated in a few tabletop exercises based upon scenarios where mission-critical systems are completely down for an extended period of time. While nobody wants to think about that, thinking about it and focusing on each area of the organization and its role in maintaining patient services is truly valuable, and eye-opening.
TCN highly recommends embarking on this journey. Please reach out to me should you want to discuss your opportunities and challenges in this area.
Chief Information Officer
An organizational model that allows not-for-profit hospices (Members) to leverage best practices, achieve economies of scale and collaborate in ways that better prepare each agency to participate in emerging alternative payment models and advance their charitable missions.