7 Cyber defense tips for smaller healthcare organizations

  • March 15 2016, 2:02am EDT


Too many small hospitals and small or mid-sized physician practices believe defending against cyber attacks is pointless, and they simply hope that obscurity will save them. That’s a risky approach, because hackers are not just looking for big targets; rather, they’re setting their sights on easy targets.

Banking on obscurity “is something that’s not going to happen,” says Chase Cunningham, director of cyber threat research and innovation at Armor Defense, which sells a healthcare secure cloud platform. Cunningham offers 7 tips for not being such an easy target.

Physician Inattentiveness

Small physician practices are at risk for reasons beyond obscurity, Cunningham says. Physicians have other things to worry about, particularly treating patients, and while they likely are aware of HIPAA, many aren’t aware of the severity of current cyber threats.


Free Tools

For smaller healthcare organizations that fear a cyber attack but can’t afford to defend against it, there are free open source tools, such as AlienVault, which monitors networks, as well as basic encryption tools that don’t take a lot of time and expertise to implement.

Separate Networks

Having a guest wireless network that is separate from the corporate network, and using two-factor authentication to access information systems, also offers additional protection, Cunningham advises. Two cyber security guides from the National Institute of Standards and Technology—800-53 and 800-71—also can help an organization make improvements in security practices, and they’re aimed at smaller organizations. Those organizations that are using open source security tools and complying with NIST guidelines to the best of their ability will be “light-years ahead” in being better protected, according to Cunningham.


Outsourcing the hosting of information systems to a cloud vendor or contracting with a local security firm may be a cost-effective alternative, but there are some core questions to ask, particularly about the type of talent on staff, Cunningham says. A company that employs staff with military intelligence experience is optimal. Ask if the company offers a suite of services or only certain parts, such as security threat management, vulnerability testing, encryption, asset identification and migration practices.


Do Homework

IT executives or physicians should do some research on the Internet to learn about best-of-breed technologies and assess if an outsourcing company has a best-of-breed suite or a product cobbled together with inferior tools.

Employee Training

A small organization also should ask about the frequency of employee training, which should be almost constant, and what the turnover rate is. If employees believe the company is making a difference, they will stay; otherwise, they are out the door in 90 days, Cunningham notes. Searches on LinkedIn can help you find out how long employees have been at the company, or if they have left, how long they were there.

Beware of Boasts

Above all, small organizations should watch out for companies that make bombastic claims without having a lot of human talent, Cunningham warns. “If they tell you they can do everything with technology, they’re lying.”