6 Tips to Cultivate a Security Culture in Your Healthcare Organization

For the eleventh consecutive year, the cost to identify and remediate a data breach in healthcare far outpaced every other industry with an average cost of $9.23 million in 2021. That’s a 30% year-over-year increase and 60% more than the second-ranked industry. Additionally, the time to find and contain a breach topped nine-and-a-half months.

Technology in healthcare delivers numerous benefits, including coordinated care and the ability to accept payments quickly and easily from federal payers, private health plans and patients. Technology isn’t going anywhere, so hospitals, health systems, ancillary facilities and providers must improve the ways they protect patient information and the integrity of healthcare technologies at every electronic intersection.

For hospitals and health systems to best understand, manage and avoid potential threats, they must enable their teams with cybersecurity knowledge and best practices for prevention.

These six tips will help cultivate a security culture within your organization and empower your staff to protect themselves and the organization.

1. Perform a Risk Analysis

Before focusing on security measures, organizations must first determine where and how potential breaches can happen. Risk analysis helps identify the data, resources and systems that are vulnerable to cybercriminals. Don’t underestimate this task, especially as it is required by the Health Insurance Portability and Accountability Act. Consider hiring a third party to conduct the initial analysis.

Performing a risk analysis is a complex undertaking that should be tailored to your environment. At a high level, consider all network resources, note how information moves throughout the network, the parts of the network that are accessed, and the departments within your organization and vendors with access to network information and resources. Don’t forget cloud and offsite network resources.

Once complete, determine the likelihood of compromise from each resource, and list and rank all potential threats in terms of financial and reputational risk. Use this inventory to help develop the cybersecurity protocols to defend your organization and its data. Finally, update the risk assessment regularly as your organization grows and as processes evolve.

2. Control Access to Protected Information

After risk analysis identifies the departments and other parties that access the network, you should pinpoint precisely who has access to what classifications and, more importantly, who should have access to that data.

It is critical to understand who has access to protected health information and financial data to know where exactly to concentrate protection efforts. Establish protocols to help staff best determine and understand what data is shareable, what communication methods can be used to share that data, and who within and outside of your organization can receive this protected information.

Take your information access protections a step further by setting file access permissions and establishing role and team-based access control, so cybercriminals have fewer potential points of access to that data.

3. Encourage Strong Password Creation

Onsite and remote staff must secure their devices with strong passwords that can slow the actions of potential hackers. When paired with access controls, strong passwords can help prevent exposing information and potential misuse for staff who have no job-related need to access it.

Many companies enforce criteria to promote strong passwords. If yours does not, encourage passwords that are at least eight or more characters long, a combination of lowercase and uppercase letters, numbers and symbols that do not include any personal information or common words from the dictionary. Be sure to urge regular password updates if they are not scheduled within your systems. Remind staff not to share individual password and access information with anyone — and never write down a password where it can be viewed by someone else.

4. Secure Devices and Systems

Desktop passwords are only effective when the devices they are being used to secure are effectively locked. Another easy way to physically protect devices is to encourage staff to lock computer screens whenever they step away. Wherever they work (onsite or remotely), this simple act creates a barrier between machines and potential threats that may exist within an employee’s physical environment.

Often, software and operating systems require updates to address maintenance and security fixes. Additionally, operating systems may no longer be supported by vendors after a time. Tools to monitor for applied patches are helpful. However, encourage impacted staff to enable these updates as quickly as possible to ensure that their devices are secure and functioning correctly.

Finally, remind staff that when accessing the network remotely to only do so with approved devices and through approved channels. A personal device may lack the firewall and other protective measures that a company device has, leaving it and any accessed network information vulnerable to hacks.

5. Protect Processes and Payments with Secure and Compliant Solutions

Healthcare payments are often targeted due to the highly-sensitive personal and financial data in the transactions. Process efficiency doesn’t have to come at the cost of security, though. To stay safe, ensure that your patient data and patient collection processes rely on highly secured and compliant tools. Seek payment solutions that manage each payment transaction without handoffs to other companies, lessening the chances of payment data being intercepted. Pick solutions that protect every payment channel from which your organization accepts payment, including point-of-sale and online.

6. Implement and Prioritize a Robust Staff Training Initiative

Every employee is responsible for protecting the organization from cyber threats, and appropriate training on security protocols and practices is essential to data protection. Conduct regular trainings and include training as part of new employee onboarding to keep your teams apprised of best practices and updates to security policies.

In 2020, for example, 70% of ransomware attacks used email phishing schemes as the threat vector. Such costly and damaging incidents can be prevented and mitigated with training that teaches staff how to navigate such social engineering attacks.

Conclusion

Information security should be a top priority for every health plan, healthcare provider, business associate or vendor. Hackers gain access through the weakest link, which constantly changes as organizations add, modify or sever links among technology systems. However, employees are often the weakest link, making regular training a critical success factor.

Noah Dermer is vice president of controls at InstaMed, a J.P. Morgan company, and manages the PCI, P2PE, and HITRUST certifications for InstaMed. Prior to joining InstaMed, Noah was Epic’s chief security and privacy officer and managed Epic’s security research and development team.