Cybersecurity: What your organization can do before becoming a victim
As a healthcare IT company, one of the most important and most discussed topics across Allscripts is cybersecurity. It’s a constant threat we take seriously for our clients, and more importantly, for their patients. Since 2019, ransomware attacks have increased by at least 485% as hackers took advantage of the global pandemic in 2020 and into 2021. And although these attacks take place in a virtual world, the damage is very real. Over recent years, multi-million-dollar ransomware demands have become more and more common.
The best time to consider cybersecurity is before an attack happens, and that discussion should be two-fold. First, what can your organization do to reduce its risk of an attack? Second, in the event of an attack, what is your organization’s response plan?
Let’s look at the first part. What can you do to reduce your risk? While hacking and cyberattack techniques are constantly evolving, here are a few technical controls (in no particular order) that we’ve seen help reduce the risk of an attack.
Multi-factor authentication – Currently, most attackers aren’t actually hacking into a system. More often than not, they’re simply logging in with stolen credentials, say, from a front-office worker or off-duty clinician. Multi-factor authentication requires at least two pieces of evidence before granting access to a system. Adding extra layers makes it harder for attackers to gather all the information needed to gain access to your system. Using this authentication process also does not significantly affect the credentialed user’s overall workflow, so the information remains safe without causing too much of a slowdown in or disruption to necessary work.
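The "two pieces of evidence" idea above, as an added example that is not part of the original post or any Allscripts product: a login check that only succeeds when a password (something you know) and a time-based one-time code from an authenticator app (something you have) both verify. The HOTP/TOTP arithmetic follows RFC 4226 and RFC 6238; the user record, the `login` function and the sample secret are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA1 + dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30) -> str:
    """RFC 6238 time-based code: HOTP over the current 30-second time step."""
    return hotp(secret, int(at) // step)


def enrollment_secret(secret: bytes) -> str:
    """Base32 form of the shared secret, the string an authenticator app enrolls from."""
    return base64.b32encode(secret).decode()


def make_user(password: str, totp_secret: bytes) -> dict:
    """Constructed user record: salted password hash plus the per-user TOTP secret."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000),
        "totp_secret": totp_secret,
        "last_step": -1,  # highest time step whose code has already been accepted
    }


def login(user: dict, password: str, code: str, now=None, window: int = 1) -> bool:
    """Grant access only if BOTH factors verify.

    Both factors are always evaluated so the response does not reveal which one failed.
    A one-step window tolerates clock drift; a code is accepted at most once (replay guard).
    """
    now = int(time.time()) if now is None else int(now)

    # Factor 1: something you know.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), user["salt"], 200_000)
    password_ok = hmac.compare_digest(candidate, user["pw_hash"])

    # Factor 2: something you have (the authenticator app holding the shared secret).
    step = now // 30
    matched = None
    for delta in range(-window, window + 1):
        s = step + delta
        if s <= user["last_step"]:
            continue  # this step's code was already used; refuse the replay
        if hmac.compare_digest(hotp(user["totp_secret"], s), code):
            matched = s
            break

    if password_ok and matched is not None:
        user["last_step"] = matched
        return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226 test-vector key), not a real credential.
    secret = b"12345678901234567890"
    user = make_user("correct horse battery staple", secret)
    print("enroll this in the app:", enrollment_secret(secret))
    print("login:", login(user, "correct horse battery staple", totp(secret, time.time())))
```

Stolen credentials alone fail this check: without the device-held secret, an attacker cannot produce a valid code, and a code captured in transit is rejected once its time step has been consumed.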
Endpoint detection and response (EDR) – Traditional antivirus software relies on scanning for known virus signatures. A hacker using a novel form of attack or exploiting a previously unknown vulnerability (known as a zero day), or using malware that can change its signature (known as polymorphic malware) can easily bypass traditional antivirus software. EDR tools instead monitor the behavior of users and processes in the environment and can alert and quarantine behavior that appears malicious, such as a previously unknown variant of ransomware attempting to encrypt files.
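Behavioral detection as described above, as an added example that is not part of the original post or of any EDR product: a rule that looks only at what a process does, not at a signature, and flags one that rewrites many distinct files in a short window while appending a new extension to each. The telemetry format, process names and paths are constructed for illustration; the thresholds are assumptions to be tuned against a real environment.

```python
from collections import defaultdict
from pathlib import PureWindowsPath


def build_sample_events() -> list:
    """Constructed file-write telemetry as (timestamp_seconds, process, action, path)."""
    events = [
        (1000, "winword.exe", "WRITE", r"C:\Users\nurse1\Documents\intake.docx"),
        (1001, "outlook.exe", "WRITE", r"C:\Users\nurse1\AppData\Local\Outlook\cache.dat"),
    ]
    # A legitimate backup agent copies many files quickly but keeps their names intact.
    events += [(1005 + i, "backup_agent.exe", "WRITE", rf"D:\Backup\chart{i}.pdf")
               for i in range(20)]
    # A constructed ransomware-like process rewrites documents with an appended extension.
    events += [(1030 + i // 2, "upd_svc.exe", "WRITE",
                rf"C:\Users\nurse1\Documents\chart{i}.pdf.locked")
               for i in range(20)]
    return events


def has_appended_extension(path: str) -> bool:
    """True for names like report.docx.locked (original suffix still visible before a new one).

    Caveat: a legitimate name such as v1.2.txt also has two suffixes, so in production this
    heuristic is combined with other signals (write entropy, canary files, parent process).
    """
    return len(PureWindowsPath(path).suffixes) >= 2


def detect_mass_rewrite(events, window_s: int = 10, min_files: int = 10,
                        min_ratio: float = 0.8) -> dict:
    """Flag processes that rewrite >= min_files distinct files within window_s seconds
    where >= min_ratio of those files carry an appended extension. Returns {process: alert}.
    """
    writes = defaultdict(list)
    for ts, proc, action, path in events:
        if action in ("WRITE", "RENAME"):
            writes[proc].append((ts, path))

    alerts = {}
    for proc, items in writes.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window so items[start:end+1] spans at most window_s seconds.
            while items[end][0] - items[start][0] > window_s:
                start += 1
            distinct = {p for _, p in items[start:end + 1]}
            if len(distinct) < min_files:
                continue
            appended = sum(1 for p in distinct if has_appended_extension(p))
            if appended / len(distinct) >= min_ratio:
                alerts[proc] = {
                    "first_ts": items[start][0],
                    "files": len(distinct),
                    "action": "suspend process and isolate host for triage",
                }
                break  # one alert per process is enough to trigger response
    return alerts


if __name__ == "__main__":
    for proc, alert in detect_mass_rewrite(build_sample_events()).items():
        print(f"ALERT {proc}: {alert['files']} files rewritten from t={alert['first_ts']} "
              f"-> {alert['action']}")
```

Note that the backup agent in the sample also touches many files quickly, yet is not flagged because it does not rename them; the point of the two-part rule is to catch the encrypt-and-rename pattern without a prior signature for the binary that performs it.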
Secure, segmented, offline backups – Keeping secure, complete backups can help ease the recovery process and get your business back online faster. It may seem obvious, but this is an easy way to ensure the information you were working with before the attack remains intact.
It’s important to understand that while technical controls such as these can reduce your risk of an attack, nothing can completely eliminate it. Which brings me to the second part: what is your organization’s response plan? I can’t stress enough the importance of having a plan in place before an attack occurs. Never get to a point where you think a cyberattack won’t—or can’t—happen to you. Any organization can be the target of a cyberattack, from the smallest provider practice to the largest health system. But having a strategy for withstanding these attacks can help ensure they don’t completely debilitate your organization or compromise sensitive patient data.
I highly recommend all organizations run table-top exercises with senior leadership, including IT and clinical leaders. It’s critical for everyone to come together, be an active part of this conversation and understand their roles. Ask yourselves: what would we do if we suffered a cyberattack today? Consider what your first steps would be. What is each person in the room responsible for? What is your communication plan? What is your plan for maintaining patient safety? What outside organizations need to be contacted? As part of this planning, your organization should establish relationships with a cyber forensics firm and a cyber insurance/cyber legal counsel if you have not already done so. These organizations will be key during and after the attack. The last thing your organization should be doing when responding to an incident is negotiating pricing. Due to the evolving nature of cybersecurity, I recommend running a table-top exercise every year.
Again, the best time to consider these concepts is before you become a victim. Unfortunately, the reality is that becoming a victim of a cyberattack is always going to be a possibility, and that is true for all industries, not just healthcare. In healthcare, though, people’s health and well-being can also be threatened. And while the cyberattackers might never quit, you can be prepared to hold your ground and keep your patients’ information safe.
In the next post of this series, I’ll discuss my recommendations for what your organization should do during an attack, including the top four questions every cyberattack victim needs to answer.