As National Cyber Security Month draws to a close, it’s a good time to think about how everyone in a healthcare business has a part to play in keeping sensitive data protected and systems secure. Every employee must take responsibility if we are to maintain cybersecurity while continuing to use the digital assets and connections that make our work possible.
National Cyber Security Awareness Month & the Alliance
National Cyber Security Awareness Month was created as a partnership between the Department of Homeland Security and the National Cyber Security Alliance. The Alliance is a group of public and private partners who have come together to achieve a specific mission: To educate and empower our global digital society to use the internet safely and securely. The Alliance includes many industries and sectors—small- and medium-sized businesses, nonprofits, academic institutions, multinational corporations and governments.
Themes of NCSAM Reflect Our Most Pressing Concerns
National Cyber Security Awareness Month is one way the Alliance gets its message out, with a focus on a different theme each week:
- Simple Steps to Online Safety
- Cybersecurity in the Workplace Is Everyone’s Business
- Today’s Predictions for Tomorrow’s Internet
- The Internet Wants You: Consider a Career in Cybersecurity
- Protecting Critical Infrastructure from Cyber Threats
Each theme is relevant and pressing for healthcare organizations, but we want to focus here on the second one: “Cybersecurity in the Workplace Is Everyone’s Business.” The best way to prevent cyber threats from becoming major problems is to have all employees take a share of the responsibility for cybersecurity.
Why Cybersecurity Is Everyone’s Business In Healthcare
The National Cyber Security Alliance sees all of us as digital citizens, and with good reason. Most of us have a digital life that we must manage every time we log in to systems at work, shop online or use social media. These activities are second nature to us now, and sometimes we’re on “autopilot” as we navigate our digital lives.
The Alliance encourages us as digital citizens to become mindful of our digital lives and choices—to STOP. THINK. CONNECT.™. This is especially important for healthcare organizations because our routine activities include accessing and managing highly sensitive information about patients and providers.
Earlier this year, Britain’s National Health Service (NHS) fell victim to the WannaCry ransomware attack, causing upheaval and chaos throughout the system and potentially causing harm to patients. Clinics had to close and services slowed as the NHS tried to manage the breach and regain access to critical data that the hackers were holding hostage. The main reason the hackers were able to launch this attack was that many parts of the NHS were using old software that they failed to update.
This is an example of how everyone has to pay attention and get involved in protecting data and promoting security. Software updates might feel like a hassle as we’re trying to focus on getting the work done. But a software patch or more robust version is only useful if we install it.
Cybercriminals know how much healthcare organizations depend on data to deliver care. They will attempt more ransomware attacks and theft of private information. It’s up to each of us to make sure we’re using the tools given to us to protect our organizations.
The Cybersecurity Challenges For Smaller Businesses
It can be particularly difficult for smaller businesses to defend against cybersecurity threats because they simply don’t have as many resources—both money and expertise—to identify and address the threats. Cybercriminals know this, and are increasingly looking to launch cyberattacks on smaller businesses.
The data show that, in fact, this is exactly what is happening. In 2016, Ponemon Institute, LLC surveyed 598 individuals in businesses with 1,000 or fewer employees. The resulting 2016 State of Small & Medium-Sized Business (SMB) report showed that half of these businesses had security breaches in the 12 months before the study.
How was this happening? The researchers found that 59 percent of these companies had no way of seeing employee password practices and standards, or “password hygiene.” Although many of the businesses have a password policy, 65 percent reported that it wasn’t enforced. To complicate matters, about a third of these companies outsource some part of the digital management to another business.
Addressing the Security Challenges For Smaller Businesses
To help smaller businesses, the National Cyber Security Alliance has launched CyberSecure My Business™, a training program to help businesses of all sizes learn how to be safer online. The program focuses on making security everyone’s business, and includes live workshops, webinars and materials to help businesses shore up their cybersecurity efforts.
The CyberSecure My Business™ framework includes five major strategies for equipping businesses of any size to address cybersecurity:
- Identify. What are the “crown jewels” of your business? What data or systems would keep you from being able to continue working if they were compromised? What data or assets would a criminal see as valuable? Keep a list of these assets, how to access them, and who has access to them. Things can change, so update it regularly.
- Protect. Once you’ve identified your business’s precious digital assets, it’s time to protect them. Back up data regularly. Use a strong authentication process to make sure only authorized users have access to the data and assets, and only those who need access have it. Keep both hardware and software updated so you have the latest security features. Train employees to recognize phishing emails and other security threats.
- Detect. You must be able to find out when something has gone wrong—the sooner the better. Train employees to spot systems that are behaving strangely and raise the alert. Stay aware of potential threats, like criminals using your brand in phishing expeditions to get data from your unsuspecting customers. Use products and services to monitor viruses and other threats to your systems and data.
- Respond. A security breach can be a disaster, but like natural disasters, it helps to be prepared to respond. Have plans in place for fixing the problem and finding out what’s been lost and who is affected. Make a plan for continuing your services while you are addressing the problem. Depending on the problem and who is affected, you’ll need a plan for communicating with those affected and complying with laws about reporting the incident.
- Recover. Have a plan for restoring your systems to their normal functioning. Assess and fix whatever vulnerability led to the breach to avoid problems in the future.
You Can Make the Plans, But You Need Everyone to Carry Them Out
Cybersecurity has to be everyone’s business. It’s important for business owners and managers to establish good plans and policies to prevent cyberattacks. But it will only work if we all take responsibility to stop and think about cybersecurity before we connect. Every day. Every login. Every email. Every foray into the digital wilds online.