How to Protect Your Organization from a Cyberattack

Introduction

According to the US Department of Health and Human Services, cyberattacks on health systems have increased by 9,851% since 2019. This makes it imperative that you learn how to protect your organization from a cyber-attack. In fact, in 2020, there were 239.4 million cyber-attacks on healthcare endpoints, costing healthcare organizations, on average, over $4 million per incident. In 2021, this figure rose to an average of over $9 million per incident.

While staggering, these numbers are sure to increase, making vigilance and preparation critical to ensure your organization is properly prepared and protected. But why are healthcare organizations the target of ransomware or cyber-attacks in the first place? A primary reason is the vast amount of sensitive and valuable data (like personal health records, financial information, and insurance details) they possess. This data is highly sought after on the black market, where it can be used for identity theft or insurance fraud, or sold for profit.

Another reason health systems are targeted is the disruption to patient care a cyber-attack can cause. Health systems are more likely to pay ransoms to quickly get their systems back online, limit disruptions, and protect their established trust within their community.

Realizing why hospitals are targets of cyber-attacks is one thing, but understanding the steps to take to keep your data and staff safe is equally important. In this month’s blog, we’ll share a few ways you can help protect your organization from ransomware and cyber-attacks, along with some thoughts from InsiteOne to keep your data safe and secure.

Action #1: Awareness and Training

One of the best lines of defense an organization has for keeping data safe is continuous training for all staff on the methods cybercriminals use to find organizational vulnerabilities. Phishing attempts are the most common and successful method of catching employees off guard. Oftentimes, unwary staff may feel pressured to offer information that provides cybercriminals an easy pathway to penetrate your organization. Phishing, social engineering, spear-phishing, malware, and insider attacks are just a few of the methods used to compromise healthcare IT systems today.

InsiteOne Tip

Many organizations provide cyber security training to keep employees informed and educated on the types of attempts they may face every day. Organizations like KnowBe4 offer training courses, information, and ongoing updates that are entertaining, yet very insightful. Your healthcare teams are always your number one defense against a cyber-attack, and frequent training is the key to helping keep your organization safe. The more your employees know, the better protected your organization will be when it comes to cyber security threats.

Action #2: Encourage strong passwords and best practices when in possession of sensitive information

Using “password” as your password is a bad idea. Writing down your passwords and taping them to your computer is even worse. Strong passwords are a strong line of defense against cybercrime. Techniques like creating passwords from your favorite songs or using the first letter of a favorite phrase (intermixed with numbers and other characters) make passwords easy to remember and difficult to hack. For example, the song “Don’t Stop Believing” by Journey could become a password like “D0nt_Stp#B3li3ving!”.

Encourage employees to memorize passwords or, better yet, to use a password manager to maintain them, so their passwords stay safe and secure and they have only one password to remember. Writing passwords down and keeping them by your computer opens the door to compromise of your IT systems.

Protecting sensitive information is equally important. Never leave sensitive information out in the open if you must leave your workspace. Lock up sensitive information in a secure location and log off your computer. It’s a good idea to always keep your workspace organized and free of sensitive data. Finally, never insert unknown USB drives into your computer. They may contain harmful malware ready to attack your organization’s network.

InsiteOne Tip

Creating complex but easy-to-remember passwords and securing sensitive information seems like common knowledge, yet oftentimes people get in a hurry and may inadvertently make a mistake. Under time pressure, a user may create a simple password and write it down with the intention to change it later. An impromptu meeting could pull them away in a rush, potentially compromising their workspace. Leaving sensitive data in a folder by your computer makes it easy for prying eyes to find just what they need to inflict harm. Continuous diligence is very important in the fight against cybercrime.

Ongoing cyber security training for your staff prepares them for handling cyber-attacks. Your employees are your first line of defense, and arming them with knowledge helps them better protect themselves and your organization from cybercrime.

Action #3: Data Encryption

Encrypt your data at rest and in transit. Ensure your IT systems provide the ability to encrypt data while it is stored and at rest. Encrypting data in transit further reduces the likelihood that your data will be stolen and misused during a cyber-attack. Encrypted data, without a decryption key, is useless to a cybercriminal. It’s equally important to make sure data is transmitted securely and only the intended recipient has the necessary decryption key. Any interception of the encrypted data while in transit provides no value to the criminal.

InsiteOne Tip

InsiteOne’s archives provide data encryption at rest and in transit, ensuring your data is safe and secure all the time. Any interception will be useless to cybercriminals, and because we use some of today’s best security methodologies, your data is always protected in our archives and managed under our watchful eye.

Action #4: Network Segmentation and Security Patches

Segmenting your network limits the spread of a potential breach should one occur. Isolating critical systems and data from less secure parts of your network ensures your data remains safe in the event of an attack. Additional access controls on your segmented networks let in only the people authorized to access the data and keep everyone else out.

Keeping your software and IoT devices updated with the latest security patches helps to decrease their vulnerability during a cyber-attack. Cybercriminals know where to look once they have access to your network, and oftentimes vulnerabilities in systems not frequently used or in older IoT devices on your network could be the key they need to cripple your organization. Once your data is locked by a cybercriminal, they may demand you pay a ransom to unlock your network and systems. Regular updates to your antivirus and anti-malware programs also ensure you are better protected against the latest known threats.

InsiteOne Tip

Network segmentation is a common practice used to keep outside traffic away from sensitive IT systems and data. With greater access controls in place, in the event of a breach, your sensitive data can oftentimes be kept safe and not compromised. InsiteOne understands how to segment medical imaging data so that in the event of a cyber-attack, your patient imaging data will be extremely difficult to access. Locking down common ports and using advanced security measures are just a few of the ways we help ensure a data breach will not impact your imaging data.

Action #5: Perform Regular Risk Assessments and Security Audits

Conducting frequent security audits and risk assessments is critical to success. Identifying vulnerabilities and weaknesses in your networks and systems helps prepare you to defend against a cyber-attack. Understanding the vulnerabilities and addressing the issues promptly helps you to mitigate potential risks to your organization.

Another important part of security assessment is creating a detailed incident response plan. Your plan should outline the steps staff need to take in the event of a cyber-attack. Having a good incident response plan can limit the damage of a breach, since your team can respond quickly to avert further damage. Your plan should include procedures for reporting incidents, isolating affected systems, and communication protocols for all staff and relevant stakeholders.

InsiteOne Tip

Companies like CloudWave can help prepare your organization for a cyber-attack. They also offer services like risk assessment and security audits. Random, professionally organized cyber-attack drills prepare your staff to react should a cyber-attack occur. That knowledge, plus real-time practice, could make a huge difference in the outcome of an actual cyber-attack in the future. Seeing how your processes are followed during a staged event provides real-time guidance on ways to improve your processes and communication protocols for when a real cyber-attack occurs.

Conclusion

Cybercrime is on the rise, and healthcare organizations continue to be vulnerable. Aging technology, IoT devices that cannot be patched, and limited spending on cybercrime prevention provide easy access for cybercriminals to breach your network and gain access to sensitive data. This blog only scratched the surface while providing a few tips on preparing for cybercrime in your organization. Hopefully, it will encourage you to work with your vendors and companies like InsiteOne to establish a safe environment for your data. Limiting your exposure when a cyber-attack occurs is just as important as preventing it in the first place. InsiteOne has a long history of keeping clinical data safe, and the methods we use to protect your data keep cybercriminals out.

If you want to learn more about the benefits of InsiteOne’s archiving and security solutions, be sure to reach out to us today to start a conversation about modernizing your infrastructure and ensuring your patient imaging data remains safe and secure.