Healthcare Security & Privacy



Fortifying healthcare: Viewing cybersecurity’s current state and best practices

As healthcare organizations face more cyberthreats, here’s a guide to strengthening digital defenses in the healthcare sector.


In the intricate world of healthcare, the digital age brings with it both advancements and vulnerabilities. Mitchell Josephson, CEO of Health Data Management, sat down with partners from tw-Security to understand the current state of cybersecurity threats, and best practices around risk analysis, insurance and readiness. 

Through their perspectives, we unravel the complex interplay of technology, policy and human factors shaping this crucial field. The following are themes and recommendations from this top-rated, Best in KLAS cybersecurity firm. 

The financial hurdles in healthcare cybersecurity, as discussed by Mark Dill, underscore the gravity of the situation. "Adequate funding for cybersecurity initiatives is a fundamental challenge," Dill stated, pointing out the critical need for strategic investments in this crucial area. This theme resonates throughout the healthcare sector, highlighting the gap between the necessity for robust cybersecurity measures and the reality of budgetary constraints. 

Kerry McConnell brought attention to the technological advancements in healthcare. He remarked, "With the advent of digital health, the stakes for cybersecurity have never been higher." He underscored the dual-edged nature of technological progress – as a catalyst for improvement and a potential gateway for cyber threats.

The human factor in cybersecurity is another crucial point raised by Keith Fricke. He highlighted the generational differences in privacy perspectives, affecting the approach to cybersecurity training and awareness. "Younger generations view privacy through a different lens," Fricke observed, emphasizing the need for adaptive cybersecurity education tailored to these diverse perspectives. 

Fricke further delved into the challenges of attracting skilled cybersecurity professionals in healthcare. "The healthcare sector faces a significant challenge in hiring and keeping cybersecurity talent," he stated, illustrating the growing demand for expertise in this critical field. This reflects a broader issue in the healthcare industry – the difficulty in bridging the gap between the increasing need for specialized skills and the available talent pool. 

As the conversation shifted to the ongoing nature of cybersecurity readiness, Mitchell Josephson emphasized, "Security readiness cannot just be a once-a-year activity; it's a continuous process." This statement mirrors the ethos of high-reliability organizations, focusing on a safety-driven culture, learning from past mistakes, and endorsing transparency. 

Here are some best practices shared by the tw-Security team.

Mark Dill emphasizes the comprehensive approach to risk analysis. He advocates for embracing the HIPAA principle, stating, "Your risk analysis should be comprised of multiple technical and non-technical inputs ... schedule a technical penetration test in a different quarter ... complete a business impact analysis, do a disaster recovery test." This multi-faceted approach ensures a thorough evaluation of the organization’s resiliency and preparedness.

Kerry McConnell focuses on prioritizing risks based on their impact and likelihood. He explains the importance of focusing on the most critical threats, saying, "You look at risk analysis 101; you look at the likelihood of something happening, and if it did happen, what is the impact of that. So, you want to go for those most-likely, highest-impact events." This practice enables healthcare organizations to efficiently allocate resources where they are most needed.

Keith Fricke stresses the importance of personal investment in cybersecurity initiatives. He suggests ways to engage staff by helping them understand the personal relevance of these initiatives, as their own information is also being protected. This approach fosters a culture of security awareness and responsibility across the organization. 

Tom Walsh recommends regular risk management planning as a critical best practice. He discusses the importance of these plans, stating, "If you schedule these events per quarter and come up with a risk management plan where you're accepting technical and non-technical inputs ... you're going from this one-time-a-year snapshot to a holistic real-time study of inputs." He emphasizes that an organization adopting this mindset has a better chance of maintaining a more secure and defensible security profile.
