Cyber Threats: Guidance for Smaller Healthcare Organizations
If one message rang clear during HIROC’s cyber workshop in July, it’s that we are all in this together. Cyber threats are constantly mutating, with hackers upping their game. Now more than ever, healthcare data is a primary target.
This is not to say that every organization is fighting these threats with the same level of education and resources. For some healthcare organizations, on top of everything else, it can be a challenge to keep up with the latest cyber risks.
While it may seem like an uphill battle, our workshop presenters offered guidance on scaling to smaller organizations.
Engage a third party to help with ransomware awareness
When teams are small and resources are limited, it’s important to consider outside support.
“We recommend that you research forensic experts in advance of a cyber attack,” said Gareth Lewis, HIROC’s Vice President of Claims. Consider the size, scale, and experience of vendors when doing your research.
Audits and staff education are other areas that a third party can assist with.
“One of the most effective audits you can do, and share the results with your board… is a ransomware readiness audit,” said David Stankiewicz, Chief Information and Privacy Officer at Trillium Health Partners.
Many of our Subscribers mentioned their experiences with third-party vendors in the event chat. If you’re looking for a recommendation, consider reaching out to your healthcare network to see what has worked well for other organizations.
Develop an incident response plan
“Not only do we strongly encourage all Subscribers to have an incident response plan in place,” said Marnie MacPhee, Director of Claims at HIROC, “but it should be practiced.”
HIROC has several resources available to assist Subscribers with developing a plan and running scenarios:
- Cyber Risk Management Guide
- Key Measures for Preventing and Mitigating Cyber Attacks and Ransomware
- Hosting a Successful Cyber Breach Tabletop Exercise
- Planning for Cyber Security Incidents: A Crisis Communications Guide
Also consider checking out:
- Cyber Security Centre of Excellence
- Canadian Centre for Cyber Security
- Cybersecurity & Infrastructure Security Agency
“Don’t underestimate the value of partnerships in your local area,” said Stankiewicz. He explained that Trillium partners with local hospitals to communicate what’s going on and to help each other out.
Smaller teams can leverage partnerships with their local health networks to share tools, resources and lessons learned.
“Look into your regional RSOC and what’s going on there,” said Laura Viola, Director of Information Security, Sunnybrook Health Sciences Centre. The team at Sunnybrook joined the Toronto RSOC (Regional Security Operations Centre) held by UHN.
Viola also recommends developing strong bonds with your Human Resources department, which can help teams build up their expertise and ensure a competitive rate.
Get creative with staff education
Understanding that employees are your first line of defense against cyber attacks is critical. As such, the importance of employee awareness training cannot be overstated.
While training vendors can be a great resource, Simeon Kanev, Privacy Business Lead, Alliance for Healthier Communities, understands that they are not affordable for every organization. Partner with like-minded organizations, share resources, test and iterate. “Training should not be a simple checkmark in a box.”
When there is a lack of funding, shared Kanev, you need to get creative – engage staff with relevant examples, humour (used judiciously), polls, and animations. “Sprinkle various tactics across the organization and you will see how it gets staff attention,” he said.
If you registered for the July workshop, you will have received an email from Spark Conferences providing the link to watch the sessions on-demand. Please feel free to share these recordings with your teams – we are all in this together.
And as your insurance partner, HIROC is here to support your coverage and risk management needs. Reach out to us with questions any time at email@example.com.