The healthcare industry is one of the biggest targets for cyber criminals, and whether you run a small practice or a large hospital, your organization is at risk. October is National Cybersecurity Awareness month, so it’s a great time to think about your organization’s own policies for cybersecurity and consider whether some changes should be made to protect your patients’ sensitive personal data. Not sure you should reassess? Consider this: Nearly 90% of healthcare organizations experienced a security breach in the past two years, costing these organizations an average of $2.2 million per breach. Now that at least 59% of hospitals in the U.S. are using some kind of electronic health record (EHR), these records are more vulnerable to hackers than ever before. While criminal attacks are the leading cause of data breaches in healthcare, negligence and unauthorized access play a role in breaches as well. Is your organization prepared for a breach? Here are 7 ways to create a cybersecurity culture in your healthcare business and keep data safe.
1. Make security a core value
Make security a part of your core values—and make it everyone’s responsibility. It’s difficult to maintain security if most members of the organization simply don’t know the risks facing patient records, or how to be part of the security process. Managers should be called upon to set a good example when taking security measures and refrain from taking shortcuts or turning a blind eye when others do so. Implement accountability expectations and train your staff to be vigilant and proactive at all times. Ongoing training and involving your staff in the security process will help instill a cybersecurity culture that lasts. Communication is key for creating any new cultural values.
2. Maintain and monitor equipment
Computers within the organization should be kept up-to-date to avoid security vulnerabilities, and should always be equipped with encryption and a firewall. Any software that is non-essential to the job function it serves should be uninstalled (such as games or messaging platforms), as these applications can increase vulnerabilities. Any mobile devices used by employees should be used for work only, and equipped with encryption technology to protect patient information. Mobile devices are at a greater risk for security breaches, and if they are necessary for employees, very strict policies should be enacted to reduce the chances of an IT incident. Employees should be accountable for their devices and understand the inherent danger of transporting data, due to theft, loss, unauthorized access, and hacking. Communicating the extra risks involved with mobile devices is crucial, as there are so many situations on the go that can expose sensitive data to unauthorized access.
3. Make a breach response plan
Recognition that breaches will occur is an important part of any cybersecurity culture. Unfortunately, it’s not always possible to avoid data breaches, so having a response plan is important for maintaining reputation and minimizing damage from the breach. Train your staff to notice signs of a breach, and have written protocols for how to respond should someone suspect unauthorized access to your organization’s data.
4. Back up your data
Recognizing that even the physical equipment you have could fail or be compromised by a natural disaster or physical theft, having backups of your data is an important part of creating a cybersecurity culture. The backups should either be stored in an alternate location (if they are physical backups) or in a secure cloud-based location that follows best practices for security and storage. Automatic backup systems are the most secure and less likely to result in errors than manual copying.
5. Empower your staff to be inspiring leaders
Transformational leadership is a leadership style that works by inspiring others and transforming behavior to work toward the good of the organization. This leadership style can be employed by those with strong leadership qualities—not just appointed managers. Encourage your staff to set a good example for each other and help others to be a part of keeping data safe and secure.
6. Change credentials regularly
Your employees may not know what a strong password includes but cybercriminals do. Giving your staff the knowledge to create strong credentials is key. Passwords should not be made up of words found in the dictionary, even if some of the letters are changed to numbers, and should definitely not relate to personal information that could be guessed. Enforce regular password changes, and communicate the reasons for these policies—your employees will be more likely to comply and become involved with the process if you tell them the reasoning behind the processes.
7. Train on the basics
Because human error is often the cause of a data breach, knowledge is key to preventing cybercrime. Training your staff on encryption, firewalls, and network access so they understand what the vulnerabilities are can help create a comprehensive picture of why cybersecurity is an important organizational value. Your team doesn’t have to be made up of experts but giving them the tools to prevent human error as much as possible, and potentially avoid physical or digital data theft, will help everyone become involved in a new culture of cybersecurity.