By Gregory Garrett and Greg Schu
The global healthcare industry is different from many other industries and faces some unique challenges, because it directly affects human life. This gives the security of the healthcare industry special importance, knowing that a person entrusts his or her personal details, private life, sometimes their financial information, and ultimately their well-being with the companies in the sector.
The healthcare industry has seen a sharp rise in cyber-attacks over the last three years, especially those using ransomware, business email compromise and distributed denial of service. The insurer Beazley found that healthcare led all other industries in the number of cyber-attacks and data breaches during 2018, with more than double the second-highest industry.
Organizations face an uphill battle in protecting against an increasingly sophisticated array of threats from cyber-criminals, hacking groups, nation-state cyber-attack groups, and even their own staffs.
Realizing that 40% or more of cyber vulnerabilities are directly linked to employee behavior, according to the Gartner Group, it is vital that organizations focus more on their employees via cybersecurity awareness, education, training and use of simulations to create a stronger human firewall to protect their vital digital assets.
In BDO’s latest Cyber Threats Insight Report, we explore what these threats mean for the healthcare sector and other industries. Specifically, the report provides an analysis of major industry cyber-attacks and how they happen; offers ways to protect the healthcare industry; and describes best practices to improve cybersecurity.
To reduce both the probability of a cyber-attacks or a significant data breach and mitigate the negative financial and reputational effects, we offer the following cybersecurity recommendations that are applicable to all industries:
- Create an organizational culture of cybersecurity. Ensure the C-Suite on down consistently promotes and supports all employees practicing effective cybersecurity policies, processes, and procedures via a comprehensive cybersecurity awareness, education, and training program including spear-phishing campaigns and cyber data breach table-top exercises.
- Hire a highly qualified chief information security officer. Provide the CISO with adequate resources and funding to take the necessary strategic and tactical actions to develop and implement a comprehensive cybersecurity risk management program.
- Implement advanced cyber diagnostic assessments, on a regular basis, including: Email cyber-attack assessments; network and endpoint cyber-attack assessments; vulnerability scanning assessments; penetration testing; security software assessments; and spear-phishing campaigns.
- Encrypt all data.
- Verify all identities and credentials. Require the use of multi-factor authentication, including biometrics (fingerprint, voice, or facial recognition).
- Secure information systems. Implement “Zero Trust Architecture” designed to compartmentalize data and restrict data access, thus reducing the potential damages from unauthorized access to sensitive information.
- Establish a Rapid Cyber-Attack Incident Response Plan. Develop and periodically test an enterprise-wide well-coordinated information system incident response plan to quickly identify, contain, eradicate, and recover from cyber-attacks.
- Conduct 24 x 7 x 365 Monitoring, Detection and Response. It is essential to continually monitor, detect, and respond to all cyber incidents including: email system, network, software applications, and all information system endpoints using advanced security information event management software, data visualization tools, automation and artificial intelligence capabilities.
- Protect the information system by ensuring a timely and effective software patch management program.
- Ensure information system resilience. Implement and periodically test an enterprise-wide business continuity plan and disaster recovery plan including an off-line and fully redundant backup system.
Garrett is head of U.S. and International Cybersecurity Advisory Services for BDO USA LLP; Schu is a partner in advisory services for BDO.
BDO is a corporate member of the Wisconsin Technology Council. Learn more at https://www.bdo.com/industries/healthcare/overview.