Cybersecurity Strategies to Combat Cybercriminal Activities
Written By Chad Schiffman at Healthcare Compliance Pros
The Exponential Growth of Cyber Threats
Cybersecurity has been a hot topic lately and is frequently in the news, raised by our government and various other high-profile organizations. Cybercriminal activity is predicted to be at an all-time high and to cost the world over $6 trillion this year. In a recent statement, President Biden stressed the importance of improving our domestic cybersecurity and bolstering our national resilience. He also noted that the majority of America's critical infrastructure is owned and operated by the private sector. This includes the healthcare industry, an industry that has been a constant target for cybercriminals.
Protecting Against Cyberattacks
In a related publication titled Act Now to Protect Against Potential Cyberattacks, organizations are urged to take several steps with urgency:
- Mandate the use of multi-factor authentication on your systems to make it harder for attackers to get onto your system;
- Deploy modern security tools on your computers and devices to continuously look for and mitigate threats;
- Check with your cybersecurity professionals to make sure that your systems are patched and protected against all known vulnerabilities, and change passwords across your networks so that previously stolen credentials are useless to malicious actors;
- Back up your data and ensure you have offline backups beyond the reach of malicious actors;
- Run exercises and drill your emergency plans so that you are prepared to respond quickly to minimize the impact of any attack;
- Encrypt your data so it cannot be used if it is stolen;
- Educate your employees about common tactics that attackers use over email or through websites, and encourage them to report if their computers or phones have shown unusual behavior, such as unexpected crashes or running very slowly; and
- Engage proactively with your local FBI field office or CISA Regional Office to establish relationships in advance of any cyber incidents.
Building a Plan to Prepare Your Workforce
Your organization's cybersecurity strategies to combat cybercriminal activities start with cybersecurity awareness. Cybersecurity awareness is important for everyone in a healthcare organization. Employees must know what's expected of them and the ramifications of non-compliance. This is part of "due care" and is especially helpful in the event of a liability case.
Cybersecurity awareness can be delivered through online training, employee handbooks, posters, and other training aids. At a minimum, initial and annual refresher training should occur; however, ongoing training and reminders are preferred, especially because cybersecurity threats are constant.
Cybersecurity awareness training should teach employees about the most common and pertinent cyber threats. The most common way for bad actors to infiltrate an organization is through the workforce, with tactics such as email phishing. In addition to phishing, ransomware, loss or theft of equipment, insider threats, and accidental or intentional data loss are common threats that can be mitigated with cybersecurity awareness training.
The U.S. Department of Health and Human Services (HHS) recommends the following steps:
- Train staff to recognize email phishing techniques - employees should be aware of suspicious sender addresses, urgent prompts, and "too good to be true" messages. Anti-phishing campaigns with real-time training, such as "take the bait" exercises, are a good idea.
- Educate employees on the risks of insider threats - employees should understand the security risks and the consequences of falling victim to an insider attack. Employees should understand how to report suspicious or malicious activity. Malicious activity should be investigated and logged by your organization's
- Keep training constant to deal with the short shelf life of learning and development needs - this means providing effective and relevant training for your employees through continuous and ongoing campaigns that maintain awareness of current trends, issues, and events. The healthcare industry is constantly under attack from hackers who try to steal valuable Personally Identifiable Information (PII) and Protected Health Information (PHI). Training must relate to the threats that affect their work environment every day, to arm your employees with actionable steps that apply to current threats.
- Train employees on password protection procedures - regularly remind users that they must never share their passwords. Require each user to create an account password that is different from the ones used for personal internet or email access (e.g., Gmail, Instagram, Facebook). Remind them never to write their password down on paper where others in the office may have access to it.
Recommendations for Cybersecurity Best Practices
Cyber threats are constantly changing, and the threat to healthcare offices and organizations is real!
For more detailed information on "Cybersecurity Compliance," view the educational compliance webinar, available on-demand and designed by our team of compliance advisors:
📽️ Watch Again: Replay the recording for "The Cybersecurity Webinar: How to Be Cyber Aware and Practice Safe User Habits" (05/03/2022), if you would prefer an audio learning style; or
📄 Check out PDF copy: Download your copy of all the Cybersecurity Webinar Slides (PDF), especially if you learn better from a printable version.