Source: The New York Times
Though there’s currently no evidence that patient data was breached in last week’s massive cyber attack on UK hospitals, the news sent shock waves around the globe.
The ransomware used in the attack, known as “WanaCrypt0r 2.0” or “WannaCry,” disrupted health services and ambulance transports at several hospitals throughout England.
The 22 year old who inadvertently stopped the attack warned, “This is not over. The attackers will realise how we stopped it, they’ll change the code and then they’ll start again. Enable windows update, update and then reboot.”
Cyber attacks affecting healthcare organizations, governments, and private businesses are hardly news anymore, but the magnitude and rapid spread of last week’s incident propelled it to international headlines.
So how can organizations, particularly those in the healthcare sphere, prepare for these potentially devastating threats? Below are several measures which, taken together, form a layered defense: no single one stops an attack like last week's, but each one either lowers the odds of infection or limits the damage when it happens.
Educate employees on social engineering risks
Make sure that employees at your organization know how to spot a phishing attempt. Run periodic simulated phishing tests, and give additional training to those who fall for them rather than treating the test as a one-off. Many cyber attacks rely largely on social engineering, with last week's Google Docs attack being a prime example.
Back up data regularly
This should go without saying, but tested and reliable backups are the single most effective counter to ransomware: if you can restore your own data, the attacker has nothing to sell back to you. Two points get overlooked. First, keep at least one copy offline or otherwise unreachable from the network the ransomware runs on, since a backup share that is writable from an infected workstation gets encrypted along with everything else. Second, test restores on a schedule, not just backup jobs; a backup that has never been restored is an assumption, not a backup.
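As an added illustration of what "tested" means for the backups described above (this is example code written for this page, not something from the article or from any backup product), the snippet below records a SHA-256 manifest of the data at backup time and later compares a test restore against it. A file that ransomware encrypted in place before the backup ran, or a restore that silently dropped files, shows up as a mismatch during the test rather than during an outage. The paths in the usage comment are placeholders.

```powershell
# Added example, not from the original article. Records a hash manifest
# when a backup is taken and verifies a restored copy against it.

function New-BackupManifest {
    param(
        [Parameter(Mandatory)][string]$Path,          # root of the data being backed up
        [Parameter(Mandatory)][string]$ManifestPath   # where to write the CSV manifest
    )
    $root = (Resolve-Path $Path).Path
    Get-ChildItem -Path $root -Recurse -File | ForEach-Object {
        [pscustomobject]@{
            RelativePath = $_.FullName.Substring($root.Length).TrimStart('\')
            Sha256       = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            Length       = $_.Length
        }
    } | Export-Csv -Path $ManifestPath -NoTypeInformation
}

function Test-BackupRestore {
    param(
        [Parameter(Mandatory)][string]$RestoredPath,  # scratch location the backup was restored to
        [Parameter(Mandatory)][string]$ManifestPath
    )
    $root     = (Resolve-Path $RestoredPath).Path
    $expected = @(Import-Csv -Path $ManifestPath)

    # Every file in the manifest must exist in the restore with the same hash.
    # @( ) keeps $problems an array even when there is exactly one finding.
    $problems = @(foreach ($entry in $expected) {
        $full = Join-Path $root $entry.RelativePath
        if (-not (Test-Path -LiteralPath $full)) {
            "MISSING  $($entry.RelativePath)"
            continue
        }
        $actual = (Get-FileHash -LiteralPath $full -Algorithm SHA256).Hash
        if ($actual -ne $entry.Sha256) {
            "MODIFIED $($entry.RelativePath)"
        }
    })

    # Files present in the restore but absent from the manifest are also
    # worth knowing about: they were not part of what you meant to back up.
    $known = @{}
    foreach ($e in $expected) { $known[$e.RelativePath] = $true }
    foreach ($f in (Get-ChildItem -Path $root -Recurse -File)) {
        $rel = $f.FullName.Substring($root.Length).TrimStart('\')
        if (-not $known.ContainsKey($rel)) { $problems += "EXTRA    $rel" }
    }

    [pscustomobject]@{
        FilesExpected = $expected.Count
        Problems      = $problems
        Passed        = ($problems.Count -eq 0)
    }
}

# Usage (placeholder paths):
#   New-BackupManifest -Path 'D:\Records' -ManifestPath 'E:\backups\records.manifest.csv'
#   ... take the backup; later, restore it to a scratch location ...
#   Test-BackupRestore -RestoredPath 'R:\restore-test' -ManifestPath 'E:\backups\records.manifest.csv'
```

Store the manifest with the offline copy, not on the server being backed up; if the manifest is reachable from an infected host, it can be encrypted or rewritten along with the data it is supposed to vouch for.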
Develop a Risk Register
A Risk Register is a master document listing the organization's risk exposures, who owns each one, and the mitigation strategy for it. Make sure executives and department heads understand the cyber risks the organization faces; this knowledge should not be confined to a small group of individuals in the IT department.
Implement robust Response Plans
These need to include policies for incident response and disaster recovery, and they need to be rehearsed so that people know their roles before an incident rather than reading the plan during one. Also make it official policy to use data encryption and network segmentation, sensible passwords, two-factor authentication, and regular security patch management, with a defined deadline for applying critical patches.
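The quoted advice earlier on this page ("Enable windows update, update and then reboot") and the patch-management policy above both come down to three questions per Windows host: is Windows Update enabled, how long since the last update was installed, and is a reboot still pending so that installed patches are not yet in effect. The script below is an added example written for this page, not code from the article, that answers those three questions read-only. The 30-day threshold is an assumption to be tuned to your own patch policy; run it in an elevated PowerShell session.

```powershell
# Added example, not from the original article: a read-only patch-posture
# check for one Windows host. Requires an elevated session.

function Test-PatchPosture {
    param(
        # Assumption: a host with no hotfix installed in this many days is
        # flagged as overdue. Adjust to your patch policy.
        [int]$MaxDaysSincePatch = 30
    )

    # 1. Is Windows Update enabled? The wuauserv service must not be
    #    disabled, and the NoAutoUpdate policy value must not be 1.
    $svc      = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
    $auPolicy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' `
                    -Name NoAutoUpdate -ErrorAction SilentlyContinue
    $updatesEnabled = ($null -ne $svc) -and ($svc.StartType -ne 'Disabled') -and
                      (($null -eq $auPolicy) -or ($auPolicy.NoAutoUpdate -ne 1))

    # 2. When was the last hotfix installed? Get-HotFix reads the same data
    #    as "Installed Updates" in Control Panel; some entries lack a date.
    $lastPatch = Get-HotFix | Where-Object { $_.InstalledOn } |
                 Sort-Object InstalledOn -Descending | Select-Object -First 1
    $daysSince = if ($lastPatch) {
        (New-TimeSpan -Start $lastPatch.InstalledOn -End (Get-Date)).Days
    } else { $null }

    # 3. Is a reboot pending? Windows creates these keys when an update or a
    #    servicing operation needs a restart before it takes effect.
    $rebootKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
    )
    $rebootPending = @($rebootKeys | Where-Object { Test-Path $_ }).Count -gt 0

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        UpdatesEnabled  = $updatesEnabled
        LastHotFix      = if ($lastPatch) { $lastPatch.HotFixID } else { 'none found' }
        DaysSinceHotFix = $daysSince
        Overdue         = ($null -eq $daysSince) -or ($daysSince -gt $MaxDaysSincePatch)
        RebootPending   = $rebootPending
    }
}

Test-PatchPosture | Format-List
```

To run it across a fleet, pass the function body to Invoke-Command (for example `Invoke-Command -ComputerName $hosts -ScriptBlock ${function:Test-PatchPosture}`) and filter the results for `Overdue` or `RebootPending`; a host that shows a recent hotfix but a pending reboot is still running the unpatched code.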
IT Forensics and Penetration Testing
Engage with a firm that can subject your systems to rigorous penetration testing, and have a forensics capability lined up before you need it. The two are different services: penetration testing probes for weaknesses in advance, while forensics reconstructs what happened after an incident. Both are easier to arrange on a retainer than in the middle of an outage.
Cyber Insurance
Cyber Liability insurance is an important line of defense to protect assets in the event of a breach or cyber attack. The policy will need to be tailored to the industry, the size of the organization, and several other factors, and ideally reviewed by third-party professionals to ensure completeness of coverage. Read the exclusions as closely as the coverage; many policies condition payout on the controls listed above actually being in place.
Notification Laws
Understand and have a system in place to comply with all applicable breach notification laws. Laws vary by jurisdiction, including the deadlines for notification, so this aspect will need to be customized as well.
Don’t pay ransomware
While many organizations have paid the ransom to get their files back, most sources advise against it. There is no guarantee that you will ever see your data again even if you do cave to the attackers' demands, paying funds the next campaign, and a decryptor that does arrive may fail on part of your data. Reliable backups are what make this decision easy.
While no measures will guarantee 100% security, taking a proactive, evolving, and multi-faceted approach to cyber risk is a must these days for any large healthcare organization.