Healthcare systems across the globe have been plagued by cyber-attacks in the last few years. Hospitals, when compared to other industries, present a tempting target for attackers due to the critical nature of their operations and the opportunity to cause massive disruption. A major contributing factor to the success of these attacks? Poor cyber hygiene.
Just as hospitals maintain robust physical hygiene practices – like frequent handwashing to prevent the spread of disease – cybersecurity should be treated no differently. To prevent cyber-attacks, health care providers must pay careful attention to their cyber hygiene or find themselves facing unexpected, costly and potentially life-threatening consequences.
Defining clinical cyber hygiene
Clinical cyber hygiene refers to an organization’s ability to discover, assess and manage cybersecurity risks on an ongoing basis. Essentially, it details the methods and mechanisms organizations use to maintain the privacy and integrity of their clinical networks and prevent the spread of cyber-attacks.
Clinical cyber hygiene is important, as it reveals how well an organization recognizes cybersecurity risks. Having robust cyber hygiene not only improves the efficiency of clinical operations but ultimately improves patient safety and privacy as well. It ensures that the personal information of patients is protected from compromise and maintains an organization’s ability to deliver critical care in the event of an attack. With the health care sector reporting the highest number of ransomware attacks in history, it’s time for all healthcare organizations to improve their clinical cyber hygiene.
Here are four best practices we’ve seen health care providers leverage to their advantage:
1. Profile all devices on the clinical network
Do you know about every single device on your network? If not, how will you protect them? Healthcare organizations need to be able to identify 100% of the devices hosted on their networks and, beyond that, they must have a digital fingerprint of each one. This includes information such as manufacturer, model, OS, hardware, app versions, physical location, network status, security posture and utilization patterns. As new devices are introduced to the network, it is essential to maintain a detailed and accurate database of all connected assets. This will drastically improve the efficiency of security audits and patching should any vulnerabilities be discovered.
2. Give each device a multi-factor risk score (and review constantly)
Risk scoring is a continually evolving process, that helps organizations identify their most vulnerable assets or devices on the network. Risk scores shouldn’t just be calculated based on the risk of compromise, they must also factor in potential impacts on patient safety and clinical operations. For example, if two devices have roughly the same risk of being compromised, but one of these could result in the exfiltration of sensitive patient data, that would be assigned a far higher score. Organizations with robust cyber hygiene continuously re-evaluate risk scores and adjust them as necessary.
3. Take a methodical and cross-functional approach to risk management
It is essential to have a clear methodology in your risk management program, as it only takes one weak link to undo all your hard work. For example, a risk management program that covers all internal health care facilities and devices, but doesn’t factor in clinical partners, leaves a significant gap. Furthermore, having a clear methodology is imperative for performance tracking – it’s impossible to measure improvements or identify problems if there is no agreed baseline. Given the highly mobile nature of medical devices, and the continuing fragmentation of care delivery, risk management must encompass all operations.
4. Use device monitoring insights to inform procurement
Ongoing device monitoring enables healthcare providers to identify vulnerabilities in different devices and establish patterns. Those responsible for procuring medical devices can draw upon this information during the decision-making process to ensure they purchase the most secure devices, which will reduce the overall risk of compromise.
As the saying goes, you get nothing for nothing. While it takes time and dedication to improve cyber hygiene, the effort is very much worth it. As the healthcare sector continues to be a prime target for threat actors, the actions (or inaction) of healthcare providers will have greater implications for patient safety than ever before.
– Samuel Hill is the Director of Product Marketing at Claroty.