Post-COVID cybersecurity has been driven to new heights of threats, costs, awareness, and accountability. With the latest news regarding breaches, it’s no surprise that cyber-insurance premiums are continuing to rise. So, what can you do to deliberatively improve your healthcare cybersecurity posture? Focus on protecting your infrastructure, cloud environments, and educating your people. How, exactly? Here’s a checklist:
Complete a Thorough Security Risk Assessment (SRA)
Completing a security risk assessment (SRA) annually is required per the HIPAA Security Rule. It’s a baseline assessment of Administrative, Physical and Technical Safeguards that protect PHI. When completing your SRA create a risk register of the high, medium, and low risk to PHI. Then, using your risk register, determine how the organization will remediate each risk. Finally, begin remediation of the identified risks to PHI.
Complete a Black-Box Penetration Test
Complete at least a black-box penetration test of your environment. Use an “ethical hacker” with “Rules of Engagement” to uncover your infrastructure’s vulnerabilities. Then, post-penetration test, remediate the discovered vulnerabilities. Not sure where to start with this task, reach out to Kyber Security!
Identify Your Organization’s Third-Party Risks
- First step: Determine which third-party vendors have access to your environment.
- Second step: Verify all vendors who have access to your organization’s PHI have been identified as Business Associates (BAs) and have signed your Business Associate Agreement (BAA).
- Third step: Demand each BA provide evidence that they have completed a security risk assessment (SRA) per #1 (above). If they’ve signed your BAA and have not completed an SRA, then they are in violation of your BAA.
- Fourth step: Organize your third-party vendors into high, medium and low risk. Send high-risk vendors a questionnaire that thoroughly reviews their business practices as they relate to working with your organization.
- Fifth step: Send medium and low risks vendors a questionnaire that provides the due diligence needed for your organization.
Based on your results (from #’s 1-3, above), consider following the NIST CSF.
Explore The NIST Framework for Cybersecurity Enhancement
The National Institute of Standards and Technology (NIST) has developed a comprehensive set of guidelines known as the NIST Cybersecurity Framework. This framework is an invaluable resource for organizations of all sizes and types, but it is particularly beneficial for healthcare institutions responsible for protecting sensitive patient data. There are several reasons why you might want to adopt NIST’s Cybersecurity Framework or consider a NIST-guided crosswalk to your existing Security Risk Assessment (SRA).
- Standardized Approach: One of the greatest benefits of using the NIST framework is its structured methodology. This provides a common language and systematic process for managing cybersecurity risks, which can be particularly useful for facilitating discussions and decision-making at the Board level.
- Customizable: The NIST Framework is modular and can be tailored to fit your specific healthcare environment. Whether you are a small clinic or a large hospital network, the framework can be scaled to match your unique needs and capabilities.
- Regulatory Alignment: Adoption of NIST’s framework can simplify your compliance landscape. Since it’s often used as a basis for other regulations and standards, incorporating it can offer a smoother path to achieving compliance with laws such as HIPAA.
How to Implement NIST Frameworks
- Gap Analysis: The first step in adopting the NIST framework involves conducting a gap analysis to identify where your organization currently stands in terms of cybersecurity measures.
- Selection of Applicable Framework Components: NIST offers multiple components, including Identify, Protect, Detect, Respond, and Recover. Choose the ones most aligned with your organizational goals and vulnerabilities.
- Action Plan Development: Once you’ve selected the appropriate framework components, the next step is to develop a comprehensive action plan. This plan should outline your objectives, the resources needed, timelines, and responsible parties.
- Continuous Monitoring and Updates: Cyber threats are ever-evolving. Therefore, your use of the NIST framework should be dynamic. Regular reviews and updates are essential to adapt to new threats and technologies.
- Training and Awareness: Educate your staff about the framework and why it’s crucial. An informed team is a critical asset in maintaining a robust cybersecurity posture.
By leveraging the insights from your initial SRA and the previous steps, adopting the NIST framework can offer a more robust, adaptable, and effective approach to managing cybersecurity risks. This proactive measure not only safeguards your healthcare organization but also builds trust with your patients and stakeholders.
What’s the next step? Begin. No hesitation. Not, “When we have time”. The Bad Guys are trying to break in and/or wreak havoc on your organization right now. Best first step? Call Kyber Security!