Topics
Reimbursement
Proposed inpatient payment rates 'woefully inadequate' AHA says
Proposed inpatient payment rates 'woefully inadequate' AHA says
Revenue Cycle Management
Healthcare consumerism: Helping improve the patient payment journey
Healthcare consumerism: Helping improve the patient payment journey
Strategic Planning
Intermountain Health spinoff Culmination Bio announces partnership 
Intermountain spinoff Culmination Bio announces partnership 
Capital Finance
Tech investment must bring value to care delivery
Tech investment must bring value to care delivery
Supply Chain
HIMSSCast: Embrace technology to replace the mundane tasks
HIMSSCast: Embrace technology to replace the mundane tasks
Accounting & Financial Management
Cigna reports $277 net loss amid VillageMD Clinic asset decrease
Cigna reports $277 net loss amid VillageMD Clinic asset decrease
Budgeting
Insurers likely to pay $1.1 billion in rebates this fall
Insurers likely to pay $1.1 billion in rebates this fall
Quality and Safety
Hospitals improve their patient experience and infection scores  
Hospitals improve their patient experience and infection scores  
Billing and Collections
No Surprises Act implementation coincided with in-network claims growth
NSA implementation coincided with in-network claims growth
Claims Processing
UnitedHealth's 'band-aid' payment for Change disruption falls short, hospitals say
UnitedHealth's 'band-aid' payment falls short, hospitals say
Workforce
HIMSSCast: The need for home care continues
HIMSSCast: The need for home care continues
Operations
HHS seeks input from payers on Change cyberattack response
HHS seeks input from payers on Change cyberattack response
Medical Devices
Healthcare chatbots may promote racist misinformation
Healthcare chatbots may promote racist misinformation
Hospital/physician relations
Hospitals, physicians submit opposing views to FTC ruling on noncompetes
Hospitals, physicians submit opposing views to FTC ruling
Construction & Facilities Management
Henry Ford, Michigan State research center to be built for $335 million
Henry Ford, MSU research center to be built for $335M
Compliance & Legal
MGMA wants Change to take responsibility for HIPAA breach notifications
MGMA wants Change to take responsibility for HIPAA breach notifications
Policy and Legislation
HHS strengthens disability discrimination protections
HHS strengthens disability discrimination protections
Community Benefit
Nonprofit hospitals' charity care falling behind tax breaks, report shows
Report: Hospitals' charity care falling behind tax breaks
Accountable Care
Moving beyond financial incentives to engage specialists in ACOs
Moving beyond financial incentives to engage specialists in ACOs
Acute Care
Acute Hospital Care at Home data released 
Acute Hospital Care at Home data released 
Ambulatory Care
Walmart announces closing of clinics and virtual care
Walmart is closing clinics and virtual care
Analytics
Children's Hospital Colorado creates analytics resource center
Children's Hospital Colorado creates analytics resource center
Business Intelligence
Racial disparities put further strain on primary care
Racial disparities further strain primary care
ICD-10 & Coding
Physician practices examine risk adjustment coding in wake of federal lawsuits
Practices keeping close watch on risk adjustment coding
Meaningful Use
CMS overhauls meaningful use EHR program, renames it 'Promoting Interoperability'
CMS overhauls meaningful use as 'Promoting Interoperability'
Medicare & Medicaid
More Medicare enrollees are choosing supplement plans, data shows
More Medicare enrollees are choosing supplement plans
Patient Engagement
Commonwealth Fund creates employer-based health insurance task force
Commonwealth Fund creates health insurance task force
Pharmacy
Evernorth offering Humira biosimilar for $0 out-of-pocket
Evernorth offering Humira biosimilar for $0 out-of-pocket
Population Health
CDC warns clinicians to look out for bird flu cases
CDC warns clinicians to look out for bird flu cases
Risk Management
UPMC for You partners to offer Medicaid redetermination coverage in laundromats
UPMC for You offers Medicaid redetermination coverage in laundromats
Telehealth
Telehealth boosts outcomes, spending, as regulatory flexibilities are in question
Telehealth boosts outcomes, spending
Mergers & Acquisitions
Novant Health and CHS counter FTC bid to block hospital deal
Novant Health and CHS counter FTC bid to block hospital deal
View more
Oct 15, 2018 More on Strategic Planning

How to build an effective cybersecurity strategy on a tight budget

Basic building blocks of a good information security plan can be found at lower costs than many might expect.

Beth Jones Sanborn, Managing Editor

Cybersecurity is a must. As daunting as it appears with hackers positioning to storm the gates of your network, and with healthcare being among the most attacked industries, it is essential that large hospitals and small physician practices alike place the appropriate guards at those gates to keep cybercriminals out -- and crucial patient and system information inside.

Consider: 12 percent of hospitals lack even basic IT security systems, according to a new state of the health IT industry report from HIMSS Analytics. And that's despite the finding that 29 percent of all breaches hit healthcare entities last year.

But there is good news. Some of the basic components to any cybersecurity strategy can be obtained without great expense, according to infosec experts we interviewed. Here's what they said about asset inventory, vulnerability assessment, patch management, network monitoring and user education. 

Basic infosec building blocks go a long way

Cybersecurity expert and CEO of HSTpathways Tom Hui said the first action items for organizations looking to make their security stronger is to gather the facts: establish a baseline of what you are doing and what you are not. Then establish a list of issues and priorities.

"That's how you really start to get your arms around it. I think it would be a mistake to just run out and hire a consultant or vendor and do a security audit. You are starting from a place of not even knowing the right questions to ask," Hui said. "That is the least effective way to use money."

Kevin Johnson, CEO of cybersecurity and consulting firm SecureIdeas added that when it comes to tools, asset discovery is first and foremost. You need to know what is on the network because all infrastructure pieces, from the high end to a $30 router from Walmart, have the ability to tell you what devices are connected to the network. The trouble is, most small organizations don't look. You need to look.

Second, you need some type of vulnerability assessment. Luckily, free software is available for this, though you do need someone who is tech-savvy enough to run it.

Stephen Collins, senior information security consultant at CynergisTek agreed that asset management for PCs, servers, and data, vulnerability management, anti-virus software and log correlation are some of the bare bones tools that can help healthcare providers improve security on a tight budget. There are commercially available tools to with varying prices as well free open source options.

"The old adage, 'You cannot protect what you cannot identify' speaks to the importance of asset management. Without asset management, an organization cannot adequately map data flows, know where critical data is, hope to back up critical systems, and thus recover from a disaster. Asset protection using tools to know what and where to patch and protecting assets with anti-virus is fundamental. Lastly, logs should be monitored for suspicious activity," he said.

Patch management and network monitoring

Johnson stressed that applying patches and making sure systems are up-to-date is critical, and advised that this could be as simple as turning on patch management auto updates -- particularly when pricier patch management solutions are cost-prohibitive for smaller organizations.

Collins said some vulnerability management systems pull double duty and also provide insight into assets, but noted that you will have to combine the output from many different tools to build a complete inventory of assets, such as laptops, workstations, servers, mobile devices, etc. and the necessary information stored on them. So, each tool will help give a complete picture of the environment as you protect your assets.

"The takeaway is to leverage each tool in full to help the other objectives as much as possible," he said.

Hui called patch management a very mixed bag. There's a lot of involvement in terms of configuration and some of the challenges include that from time to time a patch can be in conflict with the software version you are running and in such cases updating causes unintended consequences.

Also, there can be configurations that get reset and then automated patch updates stop occurring. This is something providers need to stay on top of to prevent hiccups in operations.

Network monitoring is a given and should include intrusion detection and failed logins, which can be determined by applying intelligence and benchmarks to discern unusual behavior.

Cyber cost benefit analysis

When Hui speaks with CEOs and administrators that feel the budget crunch, he tries to make sure they understand that these are choices they are making and that cybersecurity like anything else is a cost benefit analysis. For most healthcare providers when they are thinking about whether they want to buy another microscope or other equipment, it's pretty easy to think about that in terms of cost-benefit. There's a price to acquire it and then they can calculate utilization and project what kind of revenues they'll get from it and make a decision.

Cybersecurity is more complex and subtle though, because when you invest in cybersecurity you don't actually create measurable revenue. The absence of negative events is the benefit but that's that a really difficult concept for people to swallow.

"I try to get CEOs to think 'if you go through a year and you have no successful hacks, then you look at the amount of money you spent and that's your benefit. It's a passive benefit."

Collins also weighed in, calling training and awareness paramount. He stressed that breaches are often avoidable, especially when you consider the number one attack vector is employees via phishing.

Don't forget partners and vendors

You should also conduct an inventory of your vendors, include them in your cybersecurity conversation and plans, and if you have doubts about their commitment or expertise, then you need to more thoroughly vet them or talk to them.

"They are in your hospital accessing your network. It ties right back to knowing who and what is on your network. It's just a matter of having that conversation. "

Hui cited external communication as an area ripe for potential vulnerability. Most people don't realize that faxes are not encrypted and can be prone to human error. As an example, he recalled an incident years ago where a medical facility faxed medical records to a wrong number.

Luckily, in that case, the recipient was also a medical provider and called to notify the sender of the mistake, which could have spelled a HIPAA disaster.

Education: the cornerstone to a necessary security culture

Although it's been said before, education is so critical to cybersecurity that no plan is complete without it.

"If you are not educating your staff I don't care how well you do anything else," Johnson said. "Everyone needs to care about security and how to accomplish it in their own part of the workplace. All staff have a role to play, and ignoring that almost ensures a breach."

Hui strongly echoed that sentiment and so did Collins. Hui said in almost all organizations, staff education is lacking and leaders need to step up their game when it comes to integrating it into the culture.

Human error is still the greatest liability, and the hacking that is purely a technical hack is the exception not the rule. Usually it's exploiting weaknesses or inconsistency in user behavior.
Phishing is one of the most common methods, and criminals just need one successful event to get into a system and wreak havoc.

That's exactly where education comes in, and it should not just be a one-time session. Recurring education must be a regular part of the workplace.

Johnson said sometimes with cybersecurity education, it's best to start the conversation on a more personal level. Talk to staff about why security is important to them personally. If you teach people how to protect themselves at home, they will pay more attention and that behavioral change will translate to their organization. Having a serious dialogue also clues other staff into the reality that that issue is something the leadership really care about, and so should they.

Security as SOP

In the end, although there is no silver bullet or single tool that addresses everything, basic blocking and tackling of asset inventory, vulnerability assessment, patch management, network monitoring and user education can accomplish a lot.

"The key is to commit to information security early on, use tools that provide solid information and protection and develop a culture of being secure," Collins said. "As your organization grows, your toolset may change, but if you make security a standard operating procedure, really incorporate security into your IT operations, the payback will be enormous."

Focus on Cybersecurity

In October, we take a deep dive into security strategy and pressing threats.

Twitter: @BethJSanborn
Email the writer: beth.sanborn@himssmedia.com

News
Healthcare organizations ask HHS to delay quality measure reporting for ACOs Healthcare organizations ask HHS to delay quality measure reporting for ACOs The American Hospital Association and American Medical Association are among the 11 organizations signing the letter.