Healthcare Cybersecurity Best Practices: Don’t Forget About the Physical Side of Digital Security

Like many other market sectors, the healthcare world was forced into cybersecurity adjustments and advancements by the COVID-19 pandemic. For example, it was suddenly not a good idea to use touchscreens and keypads to identify users and gain access. At blinding speed in some cases, IT professionals have worked to deploy new solutions, some of which had been in process already or were being used in other industries and some of which were completely new.

With these technology advancements, it has become more important than ever to identify physical and digital/logical security weaknesses and be proactive about mitigating them to keep staff, patients and visitors (and their personal data) safe.

Evolving cybersecurity best practices are especially important in healthcare settings, because hospitals and other healthcare venues are technology-heavy, super-sensitive to privacy, and carry unique potential for harm when technology fails.

Jeff Broz, Prime Communications Inc. VP of Infrastructure Operations, pointed out that these concerns are particularly important in the growing world of the healthcare Internet of Things (HCIoT). “There is typically a well-established process for adding new devices to an enterprise network. The challenge is that the technology is changing so quickly, that keeping up is a daunting task for the IT security team.”

Healthcare cybersecurity: What could go wrong?

Some cybersecurity breaches are legendary in the healthcare world, for example ransomware attacks and hacking through environmental controls. In a worst-case scenario, a nefarious actor can take down an entire network, locking users out or injecting viruses, causing gaps in patient monitoring and care.

Especially with some of the beefed-up collaboration technology being used through the pandemic to electronically replace in-person patient and family touchpoints, an increased number of potential breaches can deprive caregivers of access to vital information about their patients.

“It is pretty straightforward,” Broz said. “When critical systems are compromised, not only is the data within those systems at risk, but the care team is impacted by forcing alternate workflows to ensure the quality of care and patient safety are not impacted.”

This healthy fear of gaps in care has even led to an unhealthy avoidance of updating systems for some organizations. However, using legacy systems with only-partially-effective updates eventually results in more potential cybersecurity issues and, you guessed it, gaps in a hospital’s control over care. When word gets out about gaps in care, it can affect an institution’s ability to maintain its reputation and compete against institutions that allocate time and money to proper updates and upgrades.

Increased use of smart devices complicates cybersecurity, Broz pointed out, because they often do not include embedded security when they are acquired and implemented. This can lead to human error, from poor configuration to incomplete user protocols. It’s great to have devices such as smart pumps available to monitor distribution of pharmaceuticals, and many healthcare institutions have implemented them. However, do IT teams really understand the vulnerabilities that come along with such devices?

This matters in part because hackers are getting smarter. A number of breaches have occurred in recent years through laptops accessing environmental systems. IT and security staff now have a better understanding of how those breaches happened, but for a variety of reasons they don’t always take comprehensive steps to mitigate such possibilities in their own systems.

According to a Verizon data breach report, 59% of healthcare institution data breaches come from internal actors, whether intentional or unintentional. This often happens due to problems with un-segmented networks or missing security controls. In cases where damage is intentional, it can happen because credentials are too easy to steal, among other things.

Of course, if you oversee security or information technology in a healthcare institution, you have no doubt done your research and know all of this. If you are like many organizations, you have put cybersecurity protections in place and you are ready for the next attack. However, also like most healthcare institutions, you may have forgotten about or too-lightly addressed one particular area of cybersecurity: physical deployment and maintenance.

Broz puts in a nutshell just how critical physical security is to cybersecurity: “All of the sophisticated, deep cybersecurity protocols, software and processes you implement could be taken down in an instant if a bad actor gains access to a server closet through a door left ajar by a third-party technician.”

Bones of an effective cybersecurity plan

Any institution’s cybersecurity plan includes a myriad of small security mitigations protecting the many parts of the system. However, without a well-thought-out, comprehensive structure to support full security coverage, all of those small solutions still could leave your organization vulnerable. Just as a building needs a framework to hold up the walls (the bones), a cybersecurity plan is the framework that holds up a system’s components.

An effective cybersecurity plan begins with assessment of every component in your system and every potential security breach scenario. Your assessment should include determination of physical ways bad actors could access systems (e.g., through unlocked doors), or where inadvertent actions could compromise the system (e.g., accidentally activating on/off switches). A comprehensive risk assessment should be created before any new components are purchased or programs are put in place.

The bones of your cybersecurity plan should follow emerging standards, including ever-changing best practices for encryption, data tracking, human error mitigation, awareness programs, and incentives for reporting phishing, for example. “Part of establishing digital security in a healthcare institution is knowing what the most current standards are and understanding how to follow them,” Broz advised. He said many institutions lean on third-party experts. However, if your team members are not already, they should get on the mailing lists of cybersecurity industry organizations, such as the Healthcare Information and Management Systems Society, Inc. (HIMSS), so they can receive timely updates and tips. Even with reminders from experts, Broz suggested many companies are forgetting about the physical side of digital security.

We’ve included a checklist of some of the most easily forgotten physical aspects of cybersecurity at the end of this article to help flesh out your cybersecurity plan. 

Overall, an effective cybersecurity plan must:

  • Include integrated digital and physical cybersecurity solutions pathways (“You can’t have one without the other,” Broz said.)
  • Take into account how your healthcare cybersecurity initiatives will affect profitability and other aspects of your institution, including efficiency, staffing and budgets
  • Identify unsupported legacy systems and realistically determine when the potential for ongoing vulnerabilities outweighs the costs of upgrading
  • Account for third-party devices that will be connected to your network by patients, families, employees and contractors — some exposure through third-party devices is intentional and some may be unintentional
  • Incorporate partnerships with trusted third-party service and equipment providers who know the specific business of healthcare cybersecurity
  • Prioritize to ensure that the most important, or most foundational, aspects of cybersecurity are managed first
  • Include an incident response plan, so your team knows exactly what to do when a breach happens
  • Outline built-in protocols for continual testing and updating your healthcare cybersecurity systems without any gaps in care
  • Integrate input, needs and concerns from other teams in the organization and align with high-level organizational goals and processes
  • Include detailed steps for continual training, information sharing across departments, and plan updating

Healthcare venues present unique, and oftentimes critical, potential cybersecurity issues. Most hospitals and other healthcare institutions hire experienced, educated in-house information technology and security professionals who know how to create and carry out a plan. The key is to make sure your professional staff is given the time and resources for proper planning, implementation and management of cybersecurity, including ensuring comprehensive coverage, with no gaps, by addressing the physical side of digital security.

Physical Cybersecurity Plan Checklist

For more information about or assistance with both the digital and physical sides of your cybersecurity plan, contact Prime Communications Inc., 402-289-4126 or sales@primecominc.com.


Pivoting to Security-as-a-Service: A Proactive Response to the Impact on the Economy

The U.S. economy remains unsettled during COVID-19. While many businesses have reopened, a majority continue to operate at limited capacity, either due to reduced occupancy numbers or because customers are not comfortable fully returning to their pre-COVID consumer habits.

The accompanying decline in revenues means many businesses may be proceeding with caution on spending. They may have shifted to a more conservative cash preservation mode in hopes that they will survive until a new normal is established.

While splash shields and social distancing floor markers are a start, when it comes to technology, companies now have to incorporate new communication tools. A major one is video conferencing, which supports remote employees so they can continue to collaborate with colleagues and customers. Then there are additional security solutions being installed in businesses as employees come back to work, like touchless entries and thermal imaging solutions to pre-screen employees and customers for elevated temperatures, one of the most common symptoms of COVID-19.

Whether or not the pandemic is modifying social and commercial interactions, and whether the economy is good or bad, the reality is that a variety of technology solutions will always be critical tools organizations use to help them achieve success. That is why, during these difficult times, it’s important to adapt to new ways to help clients preserve capital, like monthly payment procurement options.

Prime Communications has adopted a model that gives users the flexibility to take on new technologies at a low cost and the ability to control their technology roadmap.

Prime pays particular attention to the how-to-pay aspect of customers’ security solution design efforts. Buying equipment outright restricts cash flow and burdens the organization with hardware ownership until it’s depreciated enough to justify replacement. “Security as a service leads to much better use of capital,” said Jamie Baumgardner, COO of Prime Communications. “Switching to this model with a trusted service provider allows you to invest capital into revenue-producing projects instead of wasting it on depreciating security equipment.”

Security-As-A-Service program alleviates the following concerns

1. Cash Preservation

COVID has forced organizations into a capital preservation mode. In fact, in a recent survey with top national retail chains, 89 percent stated that their 2020 and 2021 budgets have been greatly impacted. Most CAPEX budget plans for technology equipment essentially dried up overnight. Now, more organizations are noticing that under an OPEX model they have better control over their cash flow. With an as-a-service OPEX subscription solution, customers pay a low, convenient and predictable monthly payment that includes the total security solution and support services.

2. Uncertainty in The Solutions Needed

The Security-As-A-Service model addresses the uncertainty within technology strategies. Most organizations have had to completely adapt their technology needs due to the unexpected changes this year. And many organizations are still uncertain about what they may need going forward. This flexible option allows them to adapt freely.

A Payment Model that Provides You with More Security, Less Worry

In a world where security risks change by the day, paying large sums of money just to own equipment that will be soon outdated can represent a huge risk. Security-as-a-service saves money, provides flexibility and keeps your defenses tight using a payment structure that has proven itself. For these reasons, this is the future of security.

To learn more about Prime Communications’ Security-as-a-Service program, contact us today. Let’s discuss your specific security technology needs.


A New Year and New Uses for Old Tech

2020 presented many new challenges to the infrastructure of just about every industry. From healthcare to retail, security and beyond, companies in every field had to find new solutions to their problems. But necessity is the mother of invention, and, thanks to creative minds working under pressure this year, we can move into the new year armed with new applications for old technologies.

Here are some old technologies you can put to new uses in 2021:


Empathy: A Secret Weapon for Security Challenges

Prime Communications continually tests, recommends and implements security hardware, software and processes across many different industries and venues. But security is much more than that. Over the years, we’ve learned one security element is more important than all the others combined. You can’t buy it, package it or wire it. We are talking about empathy.


Keeping People Safe: The Critical Role of DAS in Emergency Communication

In the last decade, a series of disasters – from the terrorist attacks of 9/11 to school shootings – has put a spotlight on the need to upgrade communications technology for the sake of public safety. Emergency medical personnel must be able to reach one another in the heat of a crisis. Victims must have a way to let loved ones know they are okay. Phones and radios can even help responders find those who have been hurt.

Prime Communications, Inc. helps assess and install new public safety Distributed Antenna Systems (DAS) as well as cellular service amplifiers. We also work with clients to evaluate existing systems and determine whether they can be upgraded or replaced.

“Existing systems may not need to be updated to ensure an occupancy certificate, and it’s tempting to just let it go because it’s hardly ever used,” said Ron McNichols of Prime. “But most organizations want to make sure everyone’s safe in an emergency.”

This article will help you understand some of the issues you may find your organization facing and solutions you might apply to improve both public safety DAS and cellular service in your own building.
