As many of us have suspected, CyberSecurity has gained the attention of the CMS and is now driving the creation of CyberSecurity programs (not the software type) in the healthcare industry. As we mentioned in Part 1 of this series on risk management, the CMS has recommended the inclusion of CyberSecurity in the All-Hazards approach to Emergency Preparedness Plans that are required in November of this year. There has been a great amount of FUD (Fear, Uncertainty, and Doubt) and fancy buzzwords strewn about in order to create a service market and drive product sales, leaving organizations like yours feeling overwhelmed by unfamiliar terms, acronyms, and technologies that seem way too complicated and too expensive to be practical for your organization. Machine Learning, Artificial Intelligence, Predictive Analytics, Behavioral Analysis, IoT, CISO? We know what you’re thinking... What are these things, how much do I have to spend, and will my nursing facility’s data ever be safe?
Fortunately, establishing an effective CyberSecurity program is not quite as daunting as it appears. The term “program” is necessary because it must be managed as any other organizational risk is managed, thoughtfully and effectively. By ingraining cyber awareness into the regular operations of your LTPAC organization, using some elbow grease, and adding a few software solutions, you may not become impenetrable, but you can organize an effective defense and substantially lower your risk profile and attack surface.
Building a program…Why a firewall and antivirus are not enough
The first thing to understand is that the primary vector of attack will almost always be people, i.e. your staff. At some point, some malicious technical wizardry will occur, but your employees are the weakest link. Opening the wrong email, unintentionally visiting a malicious website, or bringing in an infected USB stick can be the top ways that bad actors will compromise your organization. We also need to address the insider threat that a disgruntled staff member may pose and their potential for malicious activities. Your staff should receive awareness training to embed good cybersecurity hygiene into their daily processes.
Now that we’ve begun to address our weakest point of defense, let’s focus on targets. Bad actors most likely want your data, either for misuse or to hold your organization hostage. You can protect your data by limiting access, auditing who has what kind of access, and applying encryption. Those three actions can be done with staff effort, although there are software products available that have advanced functionality and make the process easier. It is essential to perform a data classification exercise and have a thorough understanding of what you have and who has access to it. Wherever possible, you want to limit access to the essential minimum a person (or service) needs to function properly. This is the Principle of Least Privilege.
Tying it together
The traditional CyberSecurity model of trying to build a hardened wall around the soft center of our organization is no longer a valid approach. It is shifting to a “detect and contain” approach by raising the level of awareness of what occurs in an organization. Now that we know the most likely avenue of attack, and the most likely target, we can begin to put specific defenses in place.
Aside from raising awareness by training our staff, there are several other steps to undertake in helping to strengthen our weakest link. For the purposes of this discussion, I am treating IoT (Internet of Things) devices as individuals, as the methods used to protect them are similar to our treatment of people. There are a number of basic steps and processes that should be undertaken and have been addressed ad nauseam (patching, password strength, configuration hardening, two-factor authentication, etc.). I recommend reviewing the recommendation guides from The Center for Internet Security and the HHS HIPAA Guidance.
The final piece of the puzzle is that of anomaly detection and behavioral analysis. In essence, everything in your environment has a profile composed of its properties and the actions it performs. An RN logs into the same workstation, alters the same or similar data during a regular time window, and logs out. Similar profiles exist for your technical devices that transmit data in observable and recognizable patterns. You should be able to recognize and know as soon as possible when there is a deviation from these profiles. CryptoLocker (used to encrypt your files and demand a ransom for decrypting), its variants, and future attacks can be stopped in their tracks using this method, as we have shortened the kill chain. There are very expensive tools in this space that utilize artificial intelligence and machine learning to create and monitor these profiles; however, much of their capability is built upon the innate capabilities of existing systems, which, when leveraged properly, can mimic the functionality of substantially more expensive platforms. Oftentimes, current spend on ineffective security products (Antivirus) can be redeployed for a more modern solution, creating a net-neutral spending environment while lowering your risk profile.
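The profile-and-deviation idea described above can be sketched in a few lines. This is an added illustration, not code from CMSCG or any product; the session fields, account and workstation names, and the thresholds are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed baseline sessions (not real logs):
# (account, workstation, login time, records modified during the session)
BASELINE = [
    ("rn_jones", "WS-12", "2024-03-04T07:05", 14),
    ("rn_jones", "WS-12", "2024-03-05T07:10", 11),
    ("rn_jones", "WS-12", "2024-03-06T08:02", 17),
]

def build_profiles(sessions):
    """Summarise each account's normal workstations, login hours and edit volume."""
    profiles = defaultdict(lambda: {"hosts": set(), "hours": set(), "max_edits": 0})
    for account, host, ts, edits in sessions:
        p = profiles[account]
        p["hosts"].add(host)
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["max_edits"] = max(p["max_edits"], edits)
    return dict(profiles)

def deviations(profiles, session, hour_slack=1, burst_factor=5):
    """Return the reasons a session departs from its account's profile."""
    account, host, ts, edits = session
    p = profiles.get(account)
    if p is None:
        return ["no baseline for account"]
    reasons = []
    if host not in p["hosts"]:
        reasons.append("new workstation")
    hour = datetime.fromisoformat(ts).hour
    if not (min(p["hours"]) - hour_slack <= hour <= max(p["hours"]) + hour_slack):
        reasons.append("outside usual hours")
    # A sudden mass of file changes is what ransomware encryption looks like.
    if edits > burst_factor * p["max_edits"]:
        reasons.append("modification burst")
    return reasons

if __name__ == "__main__":
    profiles = build_profiles(BASELINE)
    today = [  # constructed sessions to score against the baseline
        ("rn_jones", "WS-12", "2024-03-07T07:40", 15),
        ("rn_jones", "WS-31", "2024-03-07T07:45", 12),
        ("rn_jones", "WS-12", "2024-03-08T02:13", 4200),
    ]
    for s in today:
        print(s, "->", deviations(profiles, s) or "normal")
```

In practice the session records would come from the login and file-audit logs your existing systems already produce, and each flagged session would feed an alert or an automatic account lockout.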
At CMSCG, we leverage best practices and information technology expertise to assist our clients with implementing solutions that leave their PPI, medical records, and other information critical to daily facility/agency operations as safe as possible from bad actors and cyberattacks. The healthcare industry is vulnerable to these types of attacks, particularly as more nursing homes, assisted living facilities, and home health agencies are making the switch from paper to electronic data every day. Protecting your organization’s data doesn’t have to be challenging if you have the right guidance. Contact CMS Compliance Group today for information on our Information Technology Consulting services.