In Episode 02 of the Healing the Hospital Podcast titled "Healing through Preparedness," JoAnn Ioannou joined the show. JoAnn is currently the Senior Adviser to the President for Strategic Initiatives at Johns Hopkins Health and is formerly the Chief Nursing Officer at Greater Baltimore Medical Center.
JoAnn touched on a number of topics, including facing the reality of a crippling ransomware attack in the middle of the pandemic. JoAnn talked about the wide-reaching impacts, how her team responded, and how leadership had to roll their sleeves up and get to work. She also gave tips for healthcare leaders on how to better prepare for a malware attack.
To add more insight to this conversation, Healing the Hospital welcomed Kermit's Vice President of Technology Mike Jackman to give his advice on how to strengthen cybersecurity for both providers and suppliers.
The 3P's of Cybersecurity: People
When it comes to cybersecurity, it all starts with your people. Whether you are a hospital, health system, or healthcare technology provider, enabling your employees to identify and prevent cyber threats is essential. After all, your people are the overwhelming targets of these types of attacks.
How do you get your team to be your front line of defense?
As Jackman explained on the podcast, organizations must educate their employees about the facts of cyber threats. What are these bad actors? Who are they? How do they operate? How are they trying to get to you? What are these threats? How can they get in? How can they interact?
In addition to education, Jackman explains that positive reinforcement is just as important. When you give your employees the tools to identify and report suspicious activity, you must not penalize them for any false reports. You must create a culture that echoes that all employees have a responsibility in protecting the organization.
Cybersecurity fact: According to the FBI, more than 97% of ransomware attacks come from breaches that began with a phishing attack.
The 3P's of Cybersecurity: Protection
When it comes to the second of the 3P's, protection, Jackman recommends starting by homing in on the things that regulate identity and access and enacting a Zero Trust Policy. Zero Trust is exactly what it sounds like: when it comes to accessing your organization's network, no one -- including internal users -- is granted access without holding specific permissions and going through a specific verification process.
In addition to Zero Trust, data encryption is essential, especially when it comes to healthcare. Overall, there is truly no reason why any organization's data shouldn't be encrypted.
Tying Zero Trust and data encryption together is user provisioning. Once users are validated and granted access to the network and its associated digital tools, what do they see? Not every employee needs to see every piece of data stored within your platform, so this access should be role-based. For example, a pediatric nurse does not need to see an orthopedic patient's billing information.
While certainly not an exhaustive catch-all, enacting a Zero Trust Policy, encrypting your data, and establishing role-based access rules are positive steps towards protecting your data and infrastructure.
Other protections to enact:
- Keep systems, both your core systems and client-side systems, up to date with the latest security patches
- Enable multi-factor authentication
- Separate your IT resources around core practices (for example: back-office vs. operations vs. external transactions)
- Ensure PHI and PII logging is enabled anywhere possible: always know what is happening with your data
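The deny-by-default, role-based check described above, with the pediatric-nurse example and the "always know what is happening with your data" logging rule combined, as an added illustration that is not code from the podcast or from Kermit; the roles, resource names, patient IDs and the care-team relationship are constructed assumptions:

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Constructed, hypothetical role -> permitted resource types. Deny by default:
# a role not listed here, or a resource not listed under a role, gets nothing.
ROLE_PERMISSIONS = {
    "pediatric_nurse": {"clinical_notes", "medication_orders"},
    "billing_clerk": {"billing"},
    "orthopedic_surgeon": {"clinical_notes", "medication_orders", "imaging"},
}

@dataclass
class User:
    username: str
    role: str
    mfa_verified: bool                 # Zero Trust: a verified identity, not just a login
    care_team_patients: set = field(default_factory=set)  # patients this user actually treats

@dataclass
class Record:
    patient_id: str
    resource: str                      # e.g. "billing", "clinical_notes"

AUDIT_LOG: list = []                   # every PHI access decision, allowed or denied, is recorded

def authorize(user: User, record: Record) -> bool:
    """Return True only when every check passes; log the decision either way."""
    allowed_resources = ROLE_PERMISSIONS.get(user.role, set())
    reasons = []
    if not user.mfa_verified:
        reasons.append("mfa_not_verified")
    if record.resource not in allowed_resources:
        reasons.append("role_not_permitted")
    if record.patient_id not in user.care_team_patients:
        reasons.append("no_care_relationship")
    decision = not reasons
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": user.username, "role": user.role,
        "patient": record.patient_id, "resource": record.resource,
        "decision": "allow" if decision else "deny",
        "reasons": reasons,
    })
    return decision
```

The audit entries are what let a security team reconstruct who looked at which patient's data, and the recorded denial reasons are the signal to watch for an account probing beyond its role.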
Cybersecurity fact: A Zero Trust Policy can be challenging in modern times and the Internet of Things with employees accessing the network from a multitude of devices from any number of working locations. Some organizations even have vending machines that access their network and require employees to enter credentials to get a soda or a candy bar!
The 3P's of Cybersecurity: Process
Once you have your people educated and doing their part to protect themselves and the organization, and you have the protections in place that enforce a safe environment, you now must have internal processes cemented that keep everything on track.
And when it comes to these processes, Jackman says it all starts with one commandment: Be Humble.
Cybersecurity is as complex as the attacks are sophisticated. If your organization does not have the subject matter expertise to ensure a safe cyber environment, that is OK. However, you must admit it first.
If you are confident that you have an adequate level of subject matter expertise on your team to handle your cybersecurity initiatives, that is great. But if you recognize that you are lacking, there are a number of tools and third-party companies that are the experts and can step in to be the SMEs you need.
Jackman also reminds us all that culture is a big part of the process. Build a culture that assumes that the bad event has already happened so that your team is already on their guard and putting systems in place to manage that likelihood.
And tied to that, do not listen to the advice of Allen Iverson and practice! Practice not only the planning of your disaster recovery plan or your business continuity plan, but also practice real-life scenarios. Do the penetration tests, do social engineering experiments, leverage good actors to act as bad actors, and strengthen your team and organization.
Cybersecurity fact: It isn't a matter of "if" you'll be a victim of a cyberattack, but a matter of WHEN.