Alright, folks, let’s talk about something that keeps me up at night. It’s healthcare cyberattacks. As someone knee-deep in operational finance for years, I’ve seen firsthand how these digital disasters can wreak havoc on an organization’s top line, bottom line, and especially patient experience and quality of care.
Throughout my career, I’ve picked up a thing or two about keeping the bad guys from damaging our systems. So, let’s dive into this area.
First things first: If you think your organization needs to be larger, more prominent, or more significant to be a target, think again. Hackers don’t discriminate – they’re equal-opportunity criminals. I’ve seen individual clinics, massive hospital networks, and everything in between get hit by cyberattacks. Every organization, and healthcare organizations in particular, is susceptible to this crime. Below are some helpful considerations for your healthcare organization.
- Train Your People (Yes, All of Them)
Training sessions, especially on compliance and IT-related matters, are often treated as a check-the-box activity. But here’s the kicker: your staff is your first line of defense, and I’m not just talking about the IT folks. Every staff member is a potential point of entry into your organization.
Everyone needs to know the basics of cybersecurity, from the surgeons to the janitors. Phishing emails, suspicious links, weird attachments – your team should be able to spot these like I can spot a budget variance. Every staff member needs to be aware of this vulnerability and to remain vigilant at all times. Staff should never download software onto their computer without the assistance of their IT department. Accounts payable should be especially cautious of new vendors, and of invoices that lack approval from the person who procured the products or services. Staff members should always voice-verify any request to transfer money directly with the person of authority who appears to be requesting it, using contact details you already have on file rather than those supplied in the request.
- Update, Patch, Repeat
Software updates can be time-consuming and disruptive, and they always seem to arrive at the most inopportune time, when you’re in the middle of something important. But let me tell you, they’re like vaccines for your system. Make sure that updates are applied regularly and that every system gets them, and make sure you’ve got a solid patch management process in place.
- Backup Like Your Life Depends On It (Because It Might)
Here’s a nightmare scenario: ransomware hits, and you realize your last backup was from 2019. Ouch.
Regular backups are non-negotiable. And I’m not talking about a dusty old hard drive in the CEO’s desk drawer. I mean robust, frequent, tested backups. Store them offsite, offline, and out of reach of potential attackers.
- Access Control (Or: Not Everyone Needs the Keys to the Kingdom)
This one’s pretty straightforward, but you’d be surprised how often it’s overlooked. Very few people in your organization actually need access to everything; give each person only the access their job requires.
Implement strong access controls and multi-factor authentication.
- Hire the Experts (Because You Can’t Do It All)
I’m all for saving a buck, but cybersecurity is not where to pinch pennies. Bring in the experts, get a security assessment done, and have them poke holes in your system before the bad guys do.
Another great place to start is by reviewing your company’s cyber risk insurance policy. Note the questions your company answered affirmatively, confirming that you sufficiently address the risk outlined in the policy. Next, look at the questions where your company cannot currently assert that it sufficiently addresses the risk. Start with those, and pick them off one at a time until they are all addressed.
This is one area where diverse input into the solution will drive the best results for your company. I’m talking about people from different backgrounds, experiences, and departments. Trust me, when trying to outsmart these hacker types, you need all the brainpower you can get.
This cybersecurity stuff isn’t something you can just set and forget. It’s an ongoing effort that needs continual updates and checks. Your company needs to stay one step ahead of the criminals looking to do it damage.
But here’s the kicker – we’re not just protecting ones and zeros here. We’re protecting real people, our patients. Every time some digital lowlife criminal breaks in, it’s not just data at risk – it’s lives.
Trust me, treating this area as the highest priority is crucial to your organization. This isn’t just some IT headache anymore – it’s everyone’s problem now.