A HIMSS expert says everyone needs to increase their cybersecurity literacy.
Lee Kim, JD, is encouraged by healthcare's recent approach to cybersecurity. In a survey conducted by the Healthcare Information and Management Systems Society (HIMSS), 85% of healthcare information security professionals said their institutions performed risk assessments at least once a year. That is a big improvement over the "sporadic" assessments of the past, said Kim, who heads privacy and security for HIMSS.
Still, healthcare must do a great deal to fortify its barriers against hackers. Kim said bad actors have an “asymmetric advantage” over healthcare information security professionals because the criminals are more skilled.
“We just really need to get better all across the board in terms of knowhow, awareness, and defenses,” she told Healthcare Analytics News™. “Frequently, the defenses that we have are really fragile.”
Kim has a few recommendations for healthcare institutions looking to improve. Some are overarching, while others are specific to providers of different sizes.
“Thinking about the larger hospitals and entities, they need to make sure their staff are going through the latest and greatest training for cybersecurity and keeping their knowledge up,” she said. She also recommends investing in personnel, starting with a chief information security officer (CISO), and making sure they are not overworked.
Not every healthcare provider can afford a large, specialized IT staff. Kim recommended that those organizations seek out free tools, including vulnerability scanners and software that monitors computer systems. Such tools can find soft spots and provide advice on addressing them.
“Leverage all the free and open-source resources that you can get because you might not have the opportunity to spend tens of thousands of dollars on firewalls and other options,” she said.
Education is key. “You really should train your staff on good cybersecurity ‘hygiene’ principles, like not clicking that phishing email or going to that bad website,” she said. “People need more training. It can’t just be once a year; things older than a few weeks or a month people tend to forget.” Assigning a primary point-person to be the main “sponge” of new cybersecurity threat and defense information could help providers of all sizes.
Hospitals must then use simulation to test their employees and software. “A skilled penetration tester that’s familiar with healthcare will know how to adequately and comprehensively test an organization’s computers, technical controls, even staff in their response to potential threats,” she said.
But the biggest barrier that Kim has seen between healthcare organizations and sound cybersecurity practices is less technical: culture. Even with a security program worthy of Fort Knox, staff members and executives requesting exemptions can dramatically weaken a well-intentioned hospital, she said.