Stay Cyber Secure with These Tips
As cyber security remains top of mind for many, HIROC recently hosted our fall Shared Experiences: Cyber Preparedness in Healthcare Workshop. As part of HIROC’s commitment to sharing knowledge, this event offered a half-day of virtual learning covering practical experience directly from our Subscribers and partners as well as showcasing the expertise of the team at HIROC.
Subscriber learnings
The workshop kicked off with a session from Michelle Westin, Director of Strategy and Innovation, and Raj Thanaraj, Manager of Information Management and Technology, at Black Creek Community Health Centre (BCCHC), who shared learnings from a cyber breach.

BCCHC learned that early detection and clear communication are key. Adopting a “no shame, no blame” culture and cyber awareness help empower staff to report any suspicious activity quickly.
During a breach, regular and transparent communication helps build confidence and reduce confusion. Try to use clear, accessible, plain language in key talking points for staff and communications to clients and patients. And acknowledge the impact it has on staff by acting with empathy and being on site to check in.
Coordinated recovery and collaboration are critical for prioritizing operational impact and getting essential systems, such as electronic medical records and payroll, restored first. BCCHC’s leadership and response teams met regularly with daily touchpoints and used a values-driven response incorporating inclusivity, accessibility and quality, to name a few.
The next session featured Victoria Ghandour, Director, Cybersecurity, Health Information Management, from William Osler Health System who spoke about how leadership and boards can govern risk.
Here are some suggestions for building a cyber security incident management plan:
- Align it to your organization’s existing plans and best practices
- Tailor it to capitalize on your strengths
- Tie it into your mission, vision and values
- If you’re part of a Local Delivery Group, standardize this plan amongst members
The team at Osler also consulted board members with cyber security experience, their own senior leadership and HR teams, and HIROC for feedback on their incident management plan. “We’ve certainly engaged HIROC several times and it has been a wealth of information and knowledge that has really informed our playbook,” Ghandour added.

Ghandour also highlighted the importance of phishing email training for staff and offered some tips on how to do it:
- Motivate staff (e.g., those who correctly report a phishing email are entered into a contest)
- Provide focused training for repeat clickers
- Have mandatory annual training for all staff
- Join smaller staff meetings like team huddles to provide more information on how to identify phishing emails
- Share memos about known scams in the community
- Ensure psychological safety so staff feel confident speaking up if they notice anything odd
Hot topics: AI, vendor management and incident response
Next, we learned about legal guidance for using AI and vendor management from Tory Hibbitt, Associate Counsel, at Miller Thomson.
Hibbitt’s advice on how to safely adopt AI at your organization includes:
- Ensure you follow available formal guidance for using AI tools
- Maintain accuracy with AI by mitigating hallucinations, transcription errors, etc.
- Ensure you have formal policies tailored to using AI before adopting it
- Privacy impact assessments are critical for each AI tool you are considering using
Vendor management is another important part of staying cyber secure with AI. Hibbitt highlighted several key points:
- Vendors are not authorized to use health data for secondary purposes like AI training
- Health information should be destroyed by vendors when the contract ends
- Consider adding a clause to contracts prohibiting the use of unapproved technology
Jason Marilla from Ridge Canada then talked about how to stop cyber threats early by identifying vulnerabilities. Marilla explained how to use his KPR Method (Know, Protect, Respond) to analyze your incident response plans:
- Know your current security posture – your ability to detect and contain cyber threats
  - Keep living lists of your assets, risks, and liabilities
- Protect your assets – identify which ones to focus on and why
  - Segment sensitive systems onto a separate secure network
  - Maintain at least one offline backup and test restoration monthly
- Respond to a threat – are you prepared to identify and handle a cyberattack?
  - Isolate affected systems and collect evidence
  - Change and rotate admin credentials
  - Shut down risky VPN profiles that lack secondary authentication
Managing cyber security internally
Finally, Melanie De Wit, VP, Legal, Risk and Strategy, at Unity Health Toronto discussed many valuable tips for organizations to stay cyber secure.
To improve cyber compliance, “Cyber security risk should be viewed as a patient safety risk,” De Wit emphasized.

Simulations are important tools and should be done regularly: De Wit recommends running phishing simulations at least quarterly and multidisciplinary tabletop exercises with a cyber aspect annually.
De Wit also listed several key areas of focus to boost your cyber security:
- Enable multifactor authentication (MFA)
- Keep your IT systems patched and updated
- Maintain backups – how often are they done, and how long will it take to get back up and running?
- Manage mobile devices
- Use role-based access controls
- Manage data – know what leaves the organization and whether it is encrypted, and minimize the amount of data that needs to travel or is used for AI analysis
As cyber threats continue to get more sophisticated and more common, being prepared is critical, and we hope these tips will help you boost your readiness in the event of a cyberattack.
Resources
- Planning for Cyber Security Incidents: A Crisis Communications Guide – HIROC
- Canadian Centre for Cyber Security
- Privacy Impact Assessments – OIPC Alberta
- AI: Guidance for Small Custodians on the use of Artificial Intelligence – OIPC Alberta
Thank you to all our staff, speakers and attendees for your participation. If you attended this cyber forum, you have exclusive access to re-watch all the sessions on the RingCentral platform for 90 days after the event date.
If you have any questions about your cyber coverage, reach out to us at [email protected].
And if you have any stories or learnings from a cyber incident, let us know at [email protected], so we can share them and scale lessons learned across the healthcare system.
HIROC has more informative cyber events planned for next year, so stay tuned for updates!
By Gillian Brandon-Hart, Communications and Marketing Specialist, HIROC