HIT Think

Five key steps can block potential avenues for cyberattacks

Register now

With efforts to breach healthcare organizations for data on the rise, for those with the daunting responsibility of overseeing data security, it is crucial to understand vulnerability management and its role in the overall process for foiling the impacts of data breaches.

Vulnerability management is the practice of researching, identifying and understanding the vulnerabilities of an organization and its systems, and then developing a plan for mitigating and protecting them, followed by consistent evaluation of that plan. It’s an ever-evolving process that’s hastened by the pressure of increasingly sophisticated breach attempts.

Healthcare organizations have a unique responsibility to take vulnerability management seriously. A breach that accesses sensitive data in medical records can mean life-threatening danger to patients. That’s particularly true because of medical devices that typically are connected through networks, which use a patient’s information to refine and customize healthcare.

Because of this abundance of patient information gathered by providers, there’s an increased obligation to protect it from increasingly aggressive hackers. That’s where vulnerability management comes in. Here are five salient strategies that providers need to pursue to discover gaps and prevent breaches.

Patch, patch, patch. Equifax learned a hard lesson this year, and more than 145 million people were punished for it. The company failed to deploy a patch to a vulnerable version of software and then paid the consequences. The lesson is a reminder to all IT and data security teams to take a diligent approach to applying patches early and often. They cannot be ignored and must be properly communicated to all necessary parties to ensure the correct steps are taken to apply patches where needed; and providers are responsible to conduct thorough scans for any other potential vulnerabilities.

Control access. Maintaining control of who has access to data is arguably one of the most important components of vulnerability management. Access to sensitive data should only be provided to those who absolutely need it, and their involvement should also be monitored. Giving anyone access to data can be a risk for criminal access, so it’s important to understand who is handling what and why.

Beware the phish. It was a spear phishing campaign that resulted in Anthem’s 2015 data breach that left more than 70 million records exposed. Because phishing emails so closely resemble the real thing, it’s hard to spot them. Like in the case of Anthem, one click on a bad link can ignite the spread of malware, which can immediately put a system’s vulnerabilities under attack. In addition to working with threat intelligence agencies to implement security solutions, training teams throughout an organization on the strategies for catching and deflecting a phish can help to prevent a breach and its potentially irreversible impacts.

Limit accessible data. Don’t bother keeping data that’s no longer useful to an organization—keep it slimmed down by scheduling periodic data dumps that will help keep systems clean and easy to manage, and reduce the size of the target for criminal hackers. For the data this is needed, but not on a day-to-day basis, archive it. Then, make sure networks are isolated and protected by an additional layer of firewalls.

Monitor traffic constantly. Vulnerabilities of the “Internet of Things” are on the rise, especially when it comes to medical devices. Daily monitoring of data, networks and devices is absolutely crucial. When patching is sometimes not feasible for certain medical devices, monitoring can help to fill those gaps, add a layer of protection to vulnerabilities and potentially reduce the impact of a breach. An organization will fare much better if they can detect malware after just one day, compared with allowing malware to linger on a system for months or longer.

For healthcare organizations, when it comes to managing the vulnerabilities of a network or system, it’s those that would experience a breach impact at its ugliest, such as an organization’s patients, that should be the driving force behind every effort put behind breach impact prevention. There’s far too much at stake to leave any piece of a system open to vulnerabilities, because if they’re available, they will be attacked.

For reprint and licensing requests for this article, click here.