Creating a Strong Cybersecurity Culture

Marc Aiello
Key takeaways from the 2020 Cyber Security in Health Care Conference

As we’ve mentioned in previous news articles, the arrival of the COVID-19 pandemic compelled many healthcare organizations to move quickly and transition to virtual care programs so patients could continue to receive safe access to care.

With this massive digital shift in healthcare delivery, hospital systems and networks have never been more vulnerable to cyberattacks.

To address these virtual vulnerabilities, Spark Conferences organized the Cyber Security in Health Care Conference on November 18, with HIROC being an educational partner and supporter of cybersecurity awareness initiatives.

The online gathering had attendees from across the Canadian and American healthcare systems come together for a day of sharing experiences, risk mitigation strategies and insights as to how healthcare organizations can prioritize and support cybersecurity initiatives moving forward.

Building a Human Firewall in the Digital Age of Healthcare

“The reason why organizations are being called on now to focus on cybersecurity initiatives is because the pandemic accelerated healthcare’s digital transformation,” said speaker Michael Archuleta, Chief Information Officer at Mt. San Rafael Hospital in Colorado.

In his talk, Archuleta emphasized that while the healthcare industry is responding to this rapid digital transformation, organizations are not prioritizing cybersecurity as much as they should and they aren’t building the proper digital infrastructures needed to be successful and secure. He believes it’s critical for organizations to achieve a strong cultural understanding of the importance of cybersecurity by embedding it into their company’s overall strategy.

“Cybersecurity isn’t just about data security,” says Archuleta. “It’s a matter of life and death now that hospitals and clinics have become more like digital companies that happen to deliver healthcare services.”

Archuleta recommends healthcare organizations build up a strong human firewall as the first line of defense against cyberattacks. This means implementing cybersecurity awareness programs that not only build teams to educate frontline staff, but also incorporate senior leadership to show the importance of cybersecurity investments and truly help change the culture within organizations.

“Not all your employees have to be cybersecurity experts,” says Archuleta. “But we need to establish a strong cybersecurity culture because it truly advocates and includes everyone, including executive leadership.”

One of the ways Archuleta and the IT team at Mt. San Rafael Hospital educated and trained staff to recognize cyberattacks was by creating a program called “Clickers Anonymous.” The program sent a simulated phishing email across the hospital and identified which staff clicked the links, so they could receive further training.
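A “Clickers Anonymous”-style simulation needs a way to attribute a click on the simulated link to one specific staff member. The script below is an added illustration, not code from the hospital’s program: it gives each recipient a keyed tracking token, matches hits on a constructed web-server log back to recipients, and produces the follow-up training list. The campaign id, addresses, log lines and secret are all constructed for the example.

```python
import hashlib
import hmac

# Constructed data: the recipients of one simulated phishing campaign.
CAMPAIGN_ID = "clickers-anon-2020-11"
RECIPIENTS = ["a.lee@hospital.example", "b.khan@hospital.example",
              "c.diaz@hospital.example", "d.roy@hospital.example"]
# Hypothetical secret held by the awareness team; a real program would load it from a vault.
SECRET = b"constructed-demo-secret"


def tracking_token(campaign_id, email):
    """Per-recipient token placed in the simulated email's link, so a hit on the
    tracking URL identifies one person without exposing their address in the URL."""
    msg = f"{campaign_id}:{email}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:16]


def attribute_clicks(campaign_id, recipients, log_lines):
    """Map tracking-URL hits in web-server log lines back to recipients.
    Returns {email: click_count}; recipients with no hits are present with 0."""
    token_to_email = {tracking_token(campaign_id, e): e for e in recipients}
    clicks = {e: 0 for e in recipients}
    for line in log_lines:
        if "/awareness/track?t=" not in line:
            continue  # ordinary traffic, not the simulation link
        token = line.split("/awareness/track?t=", 1)[1].split()[0].split("&")[0]
        email = token_to_email.get(token)
        if email is None:
            continue  # unknown or forged token: ignore rather than guess
        clicks[email] += 1
    return clicks


def training_list(clicks, reported):
    """Staff who clicked get a follow-up session; staff who reported the email
    without clicking show the behaviour the program wants to reinforce."""
    needs_training = sorted(e for e, n in clicks.items() if n > 0)
    exemplary = sorted(e for e, n in clicks.items() if n == 0 and e in reported)
    return needs_training, exemplary


def constructed_log(campaign_id):
    """Constructed access-log lines: two real clickers (one clicked twice),
    one forged token, and one unrelated request."""
    t = tracking_token
    return [
        f'10.0.5.12 - - [18/Nov/2020:09:02:11] "GET /awareness/track?t={t(campaign_id, "b.khan@hospital.example")} HTTP/1.1" 200',
        f'10.0.5.40 - - [18/Nov/2020:09:05:43] "GET /awareness/track?t={t(campaign_id, "d.roy@hospital.example")} HTTP/1.1" 200',
        f'10.0.5.40 - - [18/Nov/2020:09:06:01] "GET /awareness/track?t={t(campaign_id, "d.roy@hospital.example")} HTTP/1.1" 200',
        '10.0.5.77 - - [18/Nov/2020:09:07:15] "GET /awareness/track?t=deadbeefdeadbeef HTTP/1.1" 200',
        '10.0.5.80 - - [18/Nov/2020:09:08:00] "GET /index.html HTTP/1.1" 200',
    ]
```

Keeping the token keyed rather than a plain hash of the address means a staff member cannot be looked up from a leaked log, and unknown tokens are dropped instead of being counted against anyone.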

“Letting staff understand the importance of systems being down and how it impacts the patient population is critical,” says Archuleta. “Explaining to the end-user the importance of cybersecurity is what sets us up for success.”

Implementing Multilayered Protection

One of the features at the conference was an actual hacking demonstration performed by Yousif Nakkash, Network Systems Support from the Department of Computer Science at Ryerson University. With his demonstration, Nakkash showed in real-time how an attacker can hack into a local computer running a Windows 10 operating system, starting from the initiation phase that uses targeted system exploits, to stealing directory information and changing the passwords of users.

During the demonstration, Nakkash took complete control of the targeted computer from a remote location. He was able to do things like take a secretive snapshot and even reboot the system. “If the computer had a camera or microphone, I would have been able to turn them on as well,” added Nakkash.

When Nakkash was asked about how healthcare organizations can protect themselves from these kinds of attacks, he explained the importance of keeping your operating system up-to-date, frequently installing security updates, and having both your firewall and antivirus software turned on.

“On top of creating awareness about phishing emails and link clicking, you can keep your local machines secure with multilayered protection by turning on your firewall and using recommended antivirus software,” says Nakkash.

The Lifecycle of a Cyberattack

To show what an attack looks like on the opposite side, HIROC’s Kopiha Nathan, Privacy and Compliance Officer, had conference attendees participate in the lifecycle of a cyberattack through a tabletop exercise simulation.

According to Nathan, tabletop exercises are a great tool for helping healthcare organizations validate their current cybersecurity response plan and the breach readiness of their IT team. “Hosting tabletop exercises is a fantastic opportunity for your team to meet together and simulate a cyber-breach event,” says Nathan. “It’s a safe and secure environment where you can discuss your strategy and go through your playbook to assess vulnerabilities.”

To make the simulations feel as real as possible, Nathan recommends healthcare teams use resources like HIROC’s guide on Cyber Risk Management and the breach reports from the Privacy Commissioner of Canada, which look at lessons learned from well-known cyberattacks such as the infamous Equifax breach. With these reports, teams can prepare for potential breaches by comparing their own plans against them and assessing vulnerabilities.

In one of the simulations, participants looked at who to contact when a cyber breach occurs involving an employee clicking on a phishing email link and entering their password. Nathan emphasized the importance of immediately involving your insurer, legal counsel, your IT team’s helpdesk and your internal communications team.

“In the event of a cyber breach, we encourage HIROC Subscribers to contact us as soon as possible,” says Nathan. “Top-down and bottom-up communication are key during these emergencies, so make sure your current crisis communications plan has an incident manager and is up-to-date for cyberattacks. Make sure your IT department knows who to contact, and update your insurer on a regular basis.”

Nathan says it’s critical for your organization’s reputation to get in front of a cyber breach emergency and control the situation. Healthcare organizations can do so by continuously training frontline staff to remain vigilant and practise good cyber-hygiene, and by partnering with privacy and compliance officers to ensure the organization meets regulatory expectations.

“As it’s been said many times today, it’s not a matter of if you’ll experience a cyberattack – it’s when,” says Nathan. “The more prepared you are, the better your response will be.”


By Marc Aiello, Communications and Marketing Coordinator, HIROC