Re-posted with permission from PDC Healthcare and edited.
At PDC Healthcare (and the ISG), we are strong proponents of hospital cybersecurity in addition to on-site security at hospitals. In fact, we wrote a guide for healthcare professionals with tips on how to mitigate the risk of unidentified visitors. Is your hospital’s IT security ready for today’s digital threats?
This past May, computer networks around the world were hit with the WannaCry ransomware. One of the biggest victims of the attack however was the UK’s National Health Service (NHS). The attack locked down critical files and held them for ransom of bitcoins. NHS staff lost access to patient records, which impacted surgeries, diagnostic procedures, and even pharmacy orders. More recently, several hospitals in the United States were affected by NotPetya, a ransomware similar to WannaCry. Outlined below are four tips to help your hospital with modern security threats.
1. Keep Software Up-to-Date
In the case of the NHS’ WannaCry woes, a major cause of the problem was their continued use of Windows XP, despite it not being supported for years. While newer Windows operating systems received security patches to fix the exploit utilized by WannaCry, Windows XP never got any due to discontinued support. In fact, support was ended in 2014.
Currently, Microsoft plans to support Windows 10 until October 2025 and Windows 7 until January, 2020. Hospitals using Windows 7 should begin to strategize for an eventual move to Windows 10 or something even newer. If your hospital must use Windows XP to support older hardware, then see the next section.
2. Secure & Isolate Legacy Systems
Healthcare organizations have plenty of connected computers and systems, especially when it comes to electronic health records (EHR). In fact, EHR adoption rate has soared to over 90% in non-federal acute care hospitals over the past few years. Thanks to this increased interconnectivity, caregivers and patients enjoy easier access to patient information than ever before. However, some of these networked systems may have unsupported legacy hardware and software.
Having unsupported systems can put an entire network at risk. In order to help secure your network, take steps to document unsupported systems for eventual upgrade or replacement. If those systems cannot be updated due to hardware or software limitations, then it may be best to isolate them from the rest of the network.
3. Deploy Stronger Authentication & Access Management
Healthcare organizations are no strangers to mandating strong passwords, and even most ecommerce websites require a mix of upper case, lower case, numbers, and unique characters. But are strong passwords alone enough? To keep health records secure and ensure only authorized personnel have access to sensitive information, healthcare organizations should look at adopting two-factor authentication for staff.
What is two-factor authentication? Instead of computer systems requiring only a password, access can only be granted when a password and another proof of identification is provided. This proof can be a biometric, such as a retinal scan or finger print, or a key generated by another device. By using two-factor authentication, hospitals can ensure that a compromised password does not put the network at risk.
4. Train Staff on Safe Computing Strategies
One of the biggest improvements you can make to your hospital’s network security is to properly train staff on safe computing strategies and to create a culture that prioritizes security. All it takes is one employee to open an unsafe email attachment or link and your hospital’s patient records can become compromised.
Be sure to proactively and continuously train your staff on best practices and keep them updated on the latest security threats. Regular safety checks can also go a long way in keeping your hospital’s network secure and you’ll want to review your security often. The key to staying secure is constant vigilance through workshops, meetings, and training sessions.
Specific strategies you should educate your hospital’s staff on include:
- Regularly backing up data.
- Not leaving a logged in computer unattended.
- Not opening unsolicited emails from unknown addresses
- Avoiding opening links to or downloading from untrustworthy websites.
Contact us today for more information about the ISG’s logical security solutions.