Is your organization prepared to handle a cyber attack?
When thinking of emergency preparedness, we tend to think of dangers like bioterrorism, natural disasters, and pandemic influenza. Although those are all valid concerns, preparedness shouldn’t stop there. In fact, it may be time for many organizations to shift their focus and raise awareness about cyberattacks.
Cyberattacks threaten health systems and other institutions. Consequences range from identity theft to intellectual property theft to HIPAA violations. These often result from cyber criminals sending e-mails with content that, once opened by the recipient, compromises information by corrupting files or denying access.
Preparation for a cyberattack is imperative, particularly for large health systems. Results of an IBM study showed that health care organizations have surpassed banks as the most attacked institutions, pegging 2015 as “the year of the health care breach.”
Preparing for these events as we would for other disasters ensures a proactive stance and a quick, effective response.
Where to Begin?
Successful response results from adequate preparedness. Both depend on the smallest entity, which is the individual.
Staff is responsible for 80% of security-related incidents. That statistic alone should be enough encouragement for employers to prioritize training.
Ideally, staff members will:
· Complete training before getting access to company equipment and networks. An understanding of company policy and basic network safety is crucial.
· Understand the importance of passwords. Eight-character passwords that avoid dictionary terms are most secure, and multifactor authentication involving 2 separate methods is recommended.
· Know how to recognize and report suspicious e-mails and occurrences.
Information Technology (IT)
The IT team is responsible for the installation, support, and management of the systems we use.
It’s also responsible for maintaining up-to-date software and equipment that aligns with industry standards.
Some proactive IT measures include:
· Monitoring network traffic for anomalous activity. Staff sets a baseline for standard traffic in the network and watches for any deviation from that normal behavior.
· Implementing a zero trust model. Under this model there are no trusted zones in a network, and properly segmenting the network blocks methodologies like advanced persistent threats.
· Performing periodic penetration tests to find points of vulnerability. This is akin to safety drills for other disasters.
· Performing proper patch management. Manufacturers regularly release security patches meant to cover newly discovered holes in software.
Preparedness for Response
IT security staff will initiate a system-wide response once alerted to an attack. As with any disaster, an emergency kit is only prudent.
A disaster supply kit for attempted cybercrime can include protected equipment on a separate network known as a disaster recovery site. Any data essential to business continuity should be backed up to that site. As with any disaster kit, the team should check it routinely to update and back up new data.
Is Your Organization Prepared?
That depends on how you’d answer many questions, including:
· What would happen if your entire network were compromised right now?
· Could you access critical data?
· In what amount of time could you restore operations?
Security is an evolving field, with cyber criminals using different attack vectors to access internal resources. The threat landscape is constantly changing, and a solution that protected a system 3 years ago won’t provide sufficient protection today. This underscores the need for a serious look at organizations’ cybersecurity and response to threats.
It’s true that it’s the IT staff’s job to minimize the attack surface and ensure that the network can’t be compromised, but it’s health care leaders’ job to recognize the importance of a properly managed system, and it’s the staff’s job to follow procedures and protocols.
Like other emergency preparedness, cybersecurity needs to start with individual users and extend throughout a well-organized system led by those who appreciate its importance.