Small and rural hospitals face big challenges on many fronts, and improving their cybersecurity is of particular concern. Already in precarious financial circumstances for many years, these understaffed and under-resourced facilities face cost pressures that prevent the sort of spending that would keep pace with the threat.
Basic cyber hygiene tactics such as email security, multi-factor authentication and vulnerability scanning are beyond some hospitals’ means, according to Microsoft’s recent whitepaper on rural hospital cybersecurity, released earlier this month.
While Microsoft sees growing collaboration to enhance rural hospital cyber resilience through sustained public-private partnerships, it found that most rural hospitals remain susceptible to social engineering attacks because they lack comprehensive training and awareness programs. Many also neglect patching.
But another cybersecurity expert, Bridget O’Connor, chief operating officer of Fortalice Solutions, sees room for optimism when it comes to identity management, MFA and network segmentation – and says small hospitals can do a lot more to bolster their resilience, with their own existing resources, than they might realize.
O’Connor, who served the White House from 2002 to 2009, eventually becoming Special Assistant to the President for White House Management, said a zero trust approach is no longer optional in healthcare.
“Cybersecurity is something that every organization can improve on,” she tells Healthcare IT News. Even if they’ve made mistakes in the past, she says, technology leaders can move beyond a culture of fear and take action with minimal investment.
We spoke with O’Connor recently, who offered some guidance for rural hospitals looking to improve their cybersecurity now.
Q. What do small and rural hospitals face in finding and retaining IT talent?
A. There are many reasons rural and small hospitals cannot find and retain IT talent, such as geographic isolation resulting in a shortage of qualified candidates in the area; low and limited budget salary compensation and a lack of career advancement opportunities for growing professionals are also plausible reasons.
Q. Many rural hospitals are forced to close because revenue falls below the costs of delivering care. How can they best invest in cybersecurity to protect themselves in today’s threat environment?
A. I highly encourage all organizations to use the Zero Trust security framework. This framework is suitable for all types of organizations because the basic security principles apply and can be implemented.
First, assess the organization’s outlook on security and how they work with security systems. Then, make a list of all devices and users who use the Wi-Fi networks or systems. By having this knowledge, organizations are already halfway towards improving their security.
Next, implement systems like MFA to help protect accessibility for staff, which is helpful toward safeguarding data. Lastly, continue to monitor these items, and it will improve the organization’s cybersecurity.
Q. How can rural hospitals prepare now to improve their cybersecurity posture?
A. The first area of focus for improving cybersecurity is to identify where there are vulnerabilities and threats in the systems.
Remember to update outdated software and networks that may be unsecured. Next, people within the organization are what help prevent cybersecurity attacks, so make sure all employees are constantly trained in security awareness, including phishing or password security.
Systems such as MFA are highly recommended to reduce unauthorized access. Another thing organizations can do is to back up data both on-site and off-site so that data loss from future cybersecurity attacks or threats is prevented.
Lastly, partnering with or seeking funding from organizations such as Managed Security Service Providers, the U.S. Cybersecurity and Infrastructure Security Agency and the Department of Health and Human Services can greatly increase an organization’s cybersecurity efforts.
Q. What tips can you offer rural healthcare leaders in their journeys to zero trust?
A. The best approach to the Zero Trust strategy for healthcare leaders is to start with identity and access management by enforcing MFA for all employees, especially those who have access to electronic health records and administrative systems.
For even more data protection, hospitals can enforce least-privilege access so that staff can access only the data and systems necessary for their roles. Another significant step is separating critical hospital systems into segments and securing networks for medical devices and patient records from guest Wi-Fi and administrative networks.
Lastly, having a rigid data protection strategy means encrypting sensitive patient and hospital data in transit and at rest while maintaining secure, off-site backups that can be restored quickly after a cyber breach.
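The controls O’Connor lists across her answers (an inventory of known users and devices, MFA for everyone, least-privilege roles, and network segmentation that keeps guest Wi-Fi away from clinical systems) are each a condition a zero trust access decision has to check before anything is granted. The script below is an added illustration written for this page, not code from O’Connor, Fortalice Solutions or Microsoft. It composes those conditions into a single allow/deny decision for a few constructed requests; every user name, role, device name, resource and IP range in it is an assumption made up for the example, not a description of any real hospital network.

```python
"""Added example: a minimal zero trust access decision combining the controls
named in the interview (known-user and known-device inventory, enforced MFA,
least-privilege roles, network segmentation). All names, roles, addresses and
sample requests are constructed for illustration."""

from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed network segments (assumed addressing, not from the article).
SEGMENTS = {
    "clinical": ip_network("10.10.0.0/16"),         # EHR servers and clinical workstations
    "medical_devices": ip_network("10.20.0.0/16"),  # pumps, monitors, imaging
    "admin": ip_network("10.30.0.0/16"),            # billing, HR, IT management
    "guest_wifi": ip_network("192.168.50.0/24"),    # never allowed to reach internal systems
}

# Least privilege: which roles may reach which resource, and from which segments.
POLICY = {
    "ehr": {"roles": {"nurse", "physician"}, "from": {"clinical"}},
    "billing": {"roles": {"billing_clerk"}, "from": {"admin"}},
    "device_mgmt": {"roles": {"biomed"}, "from": {"admin", "medical_devices"}},
}

# Constructed inventory of users and devices; anything not listed is denied.
USERS = {
    "nurse01": {"role": "nurse", "mfa_enrolled": True},
    "doc02": {"role": "physician", "mfa_enrolled": False},
    "clerk03": {"role": "billing_clerk", "mfa_enrolled": True},
}
DEVICES = {"ws-er-07", "ws-billing-02", "infusion-pump-14"}


@dataclass
class Request:
    user: str
    device: str
    src_ip: str
    resource: str
    mfa_passed: bool  # whether this session completed an MFA challenge


def segment_of(ip: str) -> Optional[str]:
    """Map a source address to a named segment, or None if it matches none."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def decide(req: Request) -> Tuple[bool, str]:
    """Evaluate every control in turn; the first failing check denies the request."""
    user = USERS.get(req.user)
    if user is None:
        return False, "unknown user"
    if req.device not in DEVICES:
        return False, "unknown device"
    # MFA is mandatory: an un-enrolled user is denied, and so is an enrolled
    # user whose current session skipped the challenge.
    if not user["mfa_enrolled"]:
        return False, "user not enrolled in MFA"
    if not req.mfa_passed:
        return False, "MFA challenge not completed"
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource"
    if user["role"] not in rule["roles"]:
        return False, f"role {user['role']} not permitted for {req.resource}"
    seg = segment_of(req.src_ip)
    if seg not in rule["from"]:
        return False, f"segment {seg or 'unrecognized'} may not reach {req.resource}"
    return True, "allowed"


def mfa_gaps() -> list:
    """Users in the inventory who still lack MFA enrollment, for the rollout checklist."""
    return sorted(u for u, info in USERS.items() if not info["mfa_enrolled"])


if __name__ == "__main__":
    samples = [
        Request("nurse01", "ws-er-07", "10.10.4.21", "ehr", True),       # allowed
        Request("doc02", "ws-er-07", "10.10.4.21", "ehr", True),         # not enrolled in MFA
        Request("nurse01", "ws-er-07", "192.168.50.9", "ehr", True),     # guest Wi-Fi source
        Request("nurse01", "ws-er-07", "10.10.4.21", "billing", True),   # wrong role
        Request("nurse01", "byod-phone", "10.10.4.21", "ehr", True),     # unknown device
    ]
    for r in samples:
        print(r.user, r.resource, decide(r))
    print("MFA gaps:", mfa_gaps())
```

The order of checks matters less than the fact that none of them can be skipped: an enrolled user on a known workstation with the right role is still refused from the guest network, and the inventory that O’Connor calls "halfway there" is what makes the unknown-user and unknown-device denials possible at all.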
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS Media publication.