In recent years, cyberattacks have become increasingly common and hospitals have become a prime target for hackers. On Thanksgiving Day, two New Jersey hospitals owned by Ardent Health Services experienced a cyberattack. As a result, Mountainside Medical Center in Montclair and Pascack Valley Medical Center were forced to shut down their emergency rooms for at least 24 hours. The ransomware attack affected 30 hospitals and over 200 healthcare sites in six states.
Hospitals are often targeted by hackers for various reasons. Hospitals rely heavily on technology and any disruption to their systems can be potentially life-threatening. Moreover, hospitals hold a vast amount of confidential patient information, including medical records, personal details, and financial information. Hospitals need to prioritize cybersecurity and invest in the necessary measures to protect their systems and patients’ privacy. Failure to do so not only puts patients at risk but can also damage the reputation of the hospital and lead to costly data breaches. With emerging technology, cybersecurity has never been more crucial.
To minimize your hospital’s chance of being affected by a cyberattack, you must follow all of these crucial precautions:
|
Inventory and Control of Enterprise Assets |
Establish and maintain an accurate, detailed, and up-to-date inventory of all enterprise assets with the potential to store or process data, to include: end-user devices (including portable and mobile), network devices, non-computing/IoT devices, and servers. Ensure the inventory records the network address (if static), hardware address, machine name, data asset owner, department for each asset, and whether the asset has been approved to connect to the network. For mobile end-user devices, MDM type tools can support this process, where appropriate. This inventory includes assets connected to the infrastructure physically, virtually, remotely, and those within cloud environments. Additionally, it includes assets that are regularly connected to the enterprise’s network infrastructure, even if they are not under control of the enterprise. Review and update the inventory of all enterprise assets bi-annually, or more frequently. |
|
Inventory and Control of Software Assets |
Establish and maintain a detailed inventory of all licensed software installed on enterprise assets. The software inventory must document the title, publisher, initial install/use date, and business purpose for each entry; where appropriate, include the Uniform Resource Locator (URL), app store(s), version(s), deployment mechanism, and decommission date. Review and update the software inventory bi-annually, or more frequently. |
|
Data Protection |
Establish and maintain a data management process. In the process, address data sensitivity, data owner, handling of data, data retention limits, and disposal requirements, based on sensitivity and retention standards for the enterprise. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
|
Secure Configuration of Enterprise Assets and Software |
Establish and maintain a secure configuration process for enterprise assets (end-user devices, including portable and mobile; non-computing/IoT devices; and servers) and software (operating systems and applications). Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
|
Account Management |
Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently. |
|
Access Control Management |
Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user. |
|
Continuous Vulnerability Management |
Establish and maintain a documented vulnerability management process for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
|
Audit Log Management |
Establish and maintain an audit log management process that defines the enterprise’s logging requirements. At a minimum, address the collection, review, and retention of audit logs for enterprise assets. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
|
Email and Web Browser Protections |
Ensure only fully supported browsers and email clients are allowed to execute in the enterprise, only using the latest version of browsers and email clients provided through the vendor. |
|
Malware Defenses |
Deploy and maintain anti-malware software on all enterprise assets. |
|
Data Recovery |
Establish and maintain a data recovery process. In the process, address the scope of data recovery activities, recovery prioritization, and the security of backup data. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
|
Network Infrastructure Management |
Ensure network infrastructure is kept up-to-date. Example implementations include running the latest stable release of software and/or using currently supported network-as-a-service (NaaS) offerings. Review software versions monthly, or more frequently, to verify software support. |
|
Network Monitoring and Defense |
Centralize security event alerting across enterprise assets for log correlation and analysis. Best practice implementation requires the use of a SIEM, which includes vendor-defined event correlation alerts. A log analytics platform configured with security-relevant correlation alerts also satisfies this Safeguard. |
|
Security Awareness and Skills Training |
Establish and maintain a security awareness program. The purpose of a security awareness program is to educate the enterprise’s workforce on how to interact with enterprise assets and data in a secure manner. Conduct training at hire and, at a minimum, annually. Review and update content annually, or when significant enterprise changes occur that could impact this Safeguard. |
|
Service Provider Management |
Establish and maintain an inventory of service providers. The inventory is to list all known service providers, include classification(s), and designate an enterprise contact for each service provider. Review and update the inventory annually, or when significant enterprise changes occur that could impact this Safeguard. |
|
Application Software Security |
Establish and maintain a secure application development process. In the process, address such items as: secure application design standards, secure coding practices, developer training, vulnerability management, security of third-party code, and application security testing procedures. Review and update documentation annually, or when significant enterprise changes occur that could impact this Safeguard. |
|
Incident Response Management |
Designate one key person, and at least one backup, who will manage the enterprise’s incident handling process. Management personnel are responsible for the coordination and documentation of incident response and recovery efforts and can consist of employees internal to the enterprise, third-party vendors, or a hybrid approach. If using a third-party vendor, designate at least one person internal to the enterprise to oversee any third-party work. Review annually, or when significant enterprise changes occur that could impact this Safeguard. |
| Penetration Testing | Establish and maintain a penetration testing program appropriate to the size, complexity, and maturity of the enterprise. Penetration testing program characteristics include scope, such as network, web application, Application Programming Interface (API), hosted services, and physical premise controls; frequency; limitations, such as acceptable hours, and excluded attack types; point of contact information; remediation, such as how findings will be routed internally; and retrospective requirements. |
Cyberattacks are a real threat to hospitals and can cause significant damage. To protect your hospital, it is essential to take the necessary steps to ensure that your systems are secure, and your staff is trained in the best practices. By taking these steps, you can help prevent cyberattacks and protect your patients and their valuable data. To protect your hospital from a cyberattack, contact Aptimized to get a risk assessment.