By Patrick Ross, Associate Director of Federal Relations and Mike DeGraff, Director of Enterprise Information Security
Health care data is 10 times more valuable to hackers than credit card data. Today’s always-online health care industry represents a prime target for criminals.
This climate requires an all-hands-on-deck approach to cybersecurity. The responsibility is too big to belong only to the IT department. The Joint Commission released a new advisory Quick Safety Issue 62: Organization-wide Cybersecurity: Creating a Culture of Defense, providing safety recommendations to repel a cybersecurity event. Building a “human firewall” or “culture of security” requires:
- mutual awareness of cybersecurity threats
- evaluation of possible cybersecurity threats
- incorporation of preventive strategies at all levels of the organization
As with any new initiative, organizations will be most successful at building a human firewall if there is buy-in from senior leadership. There has to be a top-down approach to creating a “culture of cybersecurity”. This must be taken seriously as a threat and treated as part of ongoing organizational preparedness planning. Leaders must also acknowledge the role of the human firewall in patient safety.
A chief information security officer should be appointed to coordinate cybersecurity efforts. Together with this individual, leaders must develop a robust business continuity plan to safeguard as much data as possible and bring the organization back to working order in the event of a cyberattack.
Staff Education & Training
Leadership should emphasize that all staff these days—not just IT—need robust training and, routine refresher courses. Even though all staff should participate in trainings, the material does not need to be the same for everyone. Appropriately tailor training for different positions within the organization and take into consideration the technology used in specific staff roles.
It's also important to train staff on non-conventional intrusions. Organizations can run trial campaigns to evaluate whether employees appropriately respond to “test” cyber challenges.
Cybersecurity attacks need to be included in the organization’s emergency management plan. This entails the necessary reporting and disclosures of data breaches when an intrusion occurs.
These days, cybersecurity preparedness is a matter of “when”, not “if”.
IT Security Team Resources
There are a plethora of resources all at price points to address cybersecurity. Make it a priority to invest in security tools when needed.
Recommended free resources include Cyber Insurance Carriers, Cybersecurity & Infrastructure Security Agency (CISA), Healthcare and Public Health (HPH) Sector Coordinating Council, Internet Crime Complaint Center (IC3), and National Institute of Standards and Technology (NIST).
Cybersecurity is everyone’s job, but we are always willing to share our winning practices. A Cybersecurity Alert on our website is available for public use. Let’s work together against these dangerous crimes!
Patrick Ross is Association Director of Federal Relations at The Joint Commission.
Mike DeGraff is Director, Enterprise IT Security, at The Joint Commission.