4 Effective Cybersecurity Tips to Prepare Your Healthcare Organization
As healthcare organizations across Canada focused their efforts on the fight against COVID-19, another pervasive threat loomed in the background.
Cyberattacks have unfortunately increased in frequency over the course of the pandemic, especially with the expansion of remote work and reliance on virtual care systems.
Knowing how critical it is to address and spotlight this growing concern, HIROC organized a Risk Management Clinic centred on Cyber Breach Preparedness for Healthcare Organizations and invited delegates to take a half-day to learn, share best practices and collaborate with one another.
There was a sense of urgency and eagerness among attendees to see what critical information they could bring back to their organization.
The following four tips are from both HIROC Subscribers and partners who spoke at the Clinic, providing their expert insights and experiences to help strengthen cybersecurity initiatives.
1. Prepare Your People – The First Line of Defence
After undergoing a Code Grey last September, Michael Garron Hospital’s (MGH) Allan Oh, Manager of Information Technology, and Laurie Bourne, Director of Quality, Operational Excellence and Innovation, made it a point to make cybersecurity education a priority for staff.
To prevent future cybersecurity incidents, cyber education is now part of MGH’s mandatory annual training, which Oh says is similar to WHMIS or emergency code training. Part of the training is conducting mock internal phishing campaigns to gauge how well MGH staff are prepared to respond to an attack.
Kyle Gray, Director of Underwriting at Ridge Canada, also emphasized the importance of conducting proper cybersecurity education.
In the world of insurance, a rising trend in cyber breach incidents, particularly ransomware attacks, has made them seem inevitable. Gray recommends that every organization focus on maintaining good cyber hygiene, which includes initiatives such as staff awareness training, multi-factor authentication, regularly tested backups, and system patching, all of which are critical to reducing exposure.
However, Gray suggests that creating an organizational culture that prioritizes cyber education must start from the top to be the most effective.
“It needs to be from the top-down,” said Gray. “It can’t just be frontline employees learning about this; it needs to be known at a board level and given the appropriate time and resources to practice.”
2. Create a Formalized Incident Response Plan
According to Stephen Hampton, Senior Director of Insurance Markets and Incident Response at CyberClan, a proper incident response plan is only effective if it’s prescriptive.
“If you have a prescriptive plan, you should have a specific section or module for ransomware,” said Hampton. “You should also have a separate plan specifically for communications that moves conversations off the corporate email system in the event of a breach.”
“If there is a contact list as part of your plan, the individuals on the list need to know that they could be getting a call early in the morning and will have to respond,” said Gareth Lewis, HIROC’s Vice President of Claims. “They’ll need access to the response plan potentially outside of the corporate systems, which may be shut down.”
From Hampton’s experience, the best and most efficient outcomes normally come from plans that have a defined decision-making tree, one that runs from the C-suite down to the individuals overseeing legal, privacy, and IT.
“A good plan has a workflow to explain what to protect and contain, stopping the infection from spreading critical data,” said Hampton. “The faster you can engage your incident response team, the faster you can protect your crown jewels.”
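As an added example (not code from HIROC, CyberClan or Michael Garron Hospital), the following Python linter treats an incident response plan as plain data and checks it for the properties described in this section: a dedicated ransomware module, breach communications that move off the corporate email system, a contact list whose members are reachable early in the morning and hold a copy of the plan outside corporate systems, and a decision tree that starts at the C-suite and reaches legal, privacy and IT. The plan layout, the role and channel labels, and both sample plans are constructed assumptions for illustration.

```python
"""Lint a formalized incident-response plan (added example; the plan format is assumed)."""
from __future__ import annotations

# Assumed labels: top-level roles, the functions the decision tree must reach,
# and the communication channels we treat as out-of-band (off corporate email).
C_SUITE = {"CEO", "CIO", "CISO", "COO", "CFO"}
REQUIRED_BRANCHES = {"legal", "privacy", "it"}
OUT_OF_BAND = {"phone_tree", "sms", "signal", "personal_email"}


def lint_plan(plan: dict) -> list[str]:
    """Return a list of findings; an empty list means the plan passes every check."""
    findings: list[str] = []

    # A prescriptive plan carries a dedicated ransomware section.
    modules = {m.lower() for m in plan.get("modules", [])}
    if "ransomware" not in modules:
        findings.append("no dedicated ransomware module")

    # Breach communications must not depend on the (possibly compromised) corporate email system.
    channel = plan.get("comms", {}).get("breach_channel", "corporate_email")
    if channel not in OUT_OF_BAND:
        findings.append(f"breach communications use '{channel}', not an out-of-band channel")

    # Everyone on the contact list must be reachable after hours and able to read the
    # plan when corporate systems are shut down.
    contacts = plan.get("contacts", [])
    if not contacts:
        findings.append("contact list is empty")
    for c in contacts:
        who = c.get("role", "?")
        if not c.get("mobile"):
            findings.append(f"{who}: no mobile number")
        if not c.get("after_hours_ack"):
            findings.append(f"{who}: has not acknowledged after-hours call-out")
        if not c.get("offline_plan_copy"):
            findings.append(f"{who}: no copy of the plan outside corporate systems")

    # The decision tree starts at the C-suite and reaches legal, privacy and IT.
    tree = plan.get("decision_tree", [])
    if not tree or tree[0] not in C_SUITE:
        findings.append("decision tree does not start with a C-suite role")
    missing = REQUIRED_BRANCHES - {r.lower() for r in tree}
    if missing:
        findings.append("decision tree never reaches: " + ", ".join(sorted(missing)))
    return findings


# Constructed sample: a plan that exists on paper but fails most of the checks.
WEAK_PLAN = {
    "modules": ["malware", "data loss"],
    "comms": {"breach_channel": "corporate_email"},
    "contacts": [
        {"role": "IT Manager", "mobile": "555-0100", "after_hours_ack": True, "offline_plan_copy": False},
        {"role": "Privacy Officer", "mobile": "", "after_hours_ack": False, "offline_plan_copy": False},
    ],
    "decision_tree": ["it"],
}

# Constructed sample: the same plan after the gaps are closed.
HARDENED_PLAN = {
    "modules": ["ransomware", "data loss", "business email compromise"],
    "comms": {"breach_channel": "signal"},
    "contacts": [
        {"role": "CIO", "mobile": "555-0101", "after_hours_ack": True, "offline_plan_copy": True},
        {"role": "Privacy Officer", "mobile": "555-0102", "after_hours_ack": True, "offline_plan_copy": True},
        {"role": "Legal Counsel", "mobile": "555-0103", "after_hours_ack": True, "offline_plan_copy": True},
    ],
    "decision_tree": ["CIO", "legal", "privacy", "it"],
}


if __name__ == "__main__":
    for name, plan in (("weak", WEAK_PLAN), ("hardened", HARDENED_PLAN)):
        result = lint_plan(plan)
        print(f"{name}: {'PASS' if not result else str(len(result)) + ' finding(s)'}")
        for f in result:
            print("  -", f)
```

Running the script prints eight findings for the weak plan and a pass for the hardened one; the same checks can be re-run every time the contact list or organizational chart changes, which is how a plan stays prescriptive rather than drifting back into a document nobody can act on at 3 a.m.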
3. Don’t Handle It Alone – Notify Your Vendors and Partners
The first few moments after a cyber breach is discovered are critical in getting control of the situation. During their Code Grey emergency, the team at MGH wasted no time notifying their security vendors.
“One of the first things we did as soon as we learned of the Ryuk infection was to reach out to our new cybersecurity vendor,” said Oh. “They quickly mobilized and supported us, limiting and stopping the spread of the infection and starting the cleanup process.”
“From a safety and risk perspective, we notified HIROC and the Privacy Commissioner of Ontario on the first day of the Code Grey,” said Bourne. “We had a heightened vigilance around keeping staff and patients safe.”
Because the cyber breach affected many of the hospital's systems, Oh and his team had to take on the complex task of reviewing and rebuilding some of them to ensure they were cleared of the infection. During the process, they reached out to other hospitals for assistance.
“We relied on the amazing support of all our peer hospitals, most notably North York General Hospital, St. Mike’s, and many others who came on-site to provide assistance and support with our remediation work,” said Oh.
“We wouldn’t have been able to recover as fast as we did without the help from our peers, and it was great to see all the support from IT teams from hospitals all over Ontario,” added Oh.
The team also worked closely with E-Health Ontario to ensure the security of the network and prevent the infection from spreading across it to peer hospitals.
“One of our key takeaways was to ensure we have third-party validation and routine reviews and checks of our system,” said Oh. “We rely on external help to ensure we are keeping up with best business practices and standards, doing health checks on a regular basis.”
4. Create a Tabletop Exercise – Reach Out to Us for Help
A core component of the Clinic was a live tabletop exercise simulating a cyberattack for all delegates to participate in, led by HIROC’s Privacy and Compliance Officer Kopiha Nathan.
Delegates were guided through two simulated emergency scenarios and discussed, step by step, how to respond to each as it unfolded.
Tabletop exercises are an effective way to bring staff together to test incident response plans and assess cyber breach response readiness, identifying strengths and potential weaknesses so that the organization is better informed and prepared.
If your healthcare organization is looking for assistance in putting together your own cyber breach tabletop exercise, please don’t hesitate to reach out to firstname.lastname@example.org to take full advantage of all the resources HIROC has to offer.
JUST ANNOUNCED: Cyberattack Simulation Exercise + Your Questions Answered
Join us on July 8 @ 10:30 a.m. ET
By Marc Aiello, Communications and Marketing Coordinator, HIROC