Simple? Not exactly.
I read an article suggesting the best defense is also the most simple regarding healthcare cybersecurity.
The article states the two key steps are Multi-Factor Authentication (MFA) and staff training.
Cybercrime has grown steadily in all arenas. Yet in healthcare, the alleged “hands-off vertical” among hackers, data breaches have increased 55% from 2019, according to a report from Bitglass. To suggest all that is needed is MFA and staff training is naive.
I would contend, most health systems and other industries are using MFA. Some of the most recent breaches are among companies that would definitely have MFA as part of their standard policies and procedures. Is MFA important, most definitely, but is it the end-all-be-all cure to cybersecurity? Absolutely not.
I agree that any organization’s weakest link is its people. Training of staff is a critical element in cybersecurity. However, training alone on the basics of web-safe behavior isn’t nearly enough!
In healthcare, to keep skills sharp, medical providers must always be in a learning mindset. If you ever feel you have reached your destination, you are now behind. Honing your skills takes practice. Therefore, I would agree cybersecurity training for your employees is an essential part of your cybersecurity profile.
If overall cybersecurity were as simple as using these two essential steps, then the healthcare industry wouldn’t have seen such an increase in data breaches.
If cybersecurity isn’t simple, then how do I achieve it?
Understand, you can’t prevent everything.
- Despite all your efforts, investing in tools and services, focusing on training your staff, you will not prevent all attacks effectively.
- There will always be weaknesses, vulnerabilities, and the fact that people will make mistakes.
Take a Protect, Detect, and Recovery standpoint.
- Put policies and procedures in place to protect your organization.
- Continuously train your staff to not only have web-safe behavior but other critical skills: Password Management, Phishing training and testing, physical security measures, Data Security, etc.
- Include the right combination of tools that offer protection against cyber attacks. DNS filters, AV, Email filtering and monitoring, to name a few.
- Use a tested stack of tools for detection. Threats inside and outside of the organization, data monitoring, and security systems that will alert when someone (or something) tries to penetrate the system with immediate response tools/actions established.
- Have a proven method of recovery in place. This would include proper backup systems and procedures in place, management of restore points, etc. And most importantly, know what your incident response and recovery guidelines are to ensure when you are breached, you have coverage for that incident that won’t be denied due to only having a simple 2-step cyber defense posture.
Obviously, with all the resources, products (tools, hardware & software), and services on the market today, determining what is best for your business can be a time-consuming, costly, and frustrating process and won’t in and of themselves make you secure.
I would recommend you find a trusted consultant, advisor, or advocate who will not try and sell you specific tools and services but discuss your actual risk and risk tolerance and offer risk mitigation solutions. Saying cybersecurity is simple is understating the cyber environment’s reality today, but finding a solution doesn’t have to be complicated either.
If you need help with protection, detection, and recovery, PCS is here for you!
Have a question? Reach out today! (256) 513-8206
PCS Provides Total Secure IT Services
When is the last time you considered exactly what is at risk within your business? Telework, A Must For Employers In Today’s Work World. These topics and more are addressed in our monthly blog posts.