I’m not lying when I say that hospitals invest a tremendous amount of time, money and resources into keeping themselves secure and HIPAA compliant. No lie. Almost every hospital that I’ve run a network assessment, I’ve reviewed HIPAA compliance audits coming back with relatively minor issues (if any). A near clean bill of health pops of nearly every time.
But what nearly every administrator I’ve talked to thinks after getting back a pass from their HIPAA audit? They’re safe. They’re taking all of the necessary steps to keep their networks secure. Their patient records are in good hands. BUT having gone through the rigors of a HIPAA audit doesn’t necessarily mean that your hospital is safe.
I know this is hard to hear. And certainly, I understand if you want to stop reading what I have to say. But I encourage you to take a few minutes and let me lay out my case for why you might want to take your HIPAA audit results with a grain of salt when it comes to cybersecurity.
Let me clarify what I mean with an analogy.
When someone is involved in a car accident, and is asked what happened, the most often response would be “I just didn’t see that car coming”. I’m sure many of us that have experienced even minor fender benders will share this experience. Just didn’t see it—whether another vehicle or a fire hydrant. Obviously had you seen what you had just hit, by all means you’d have avoided it!
How does a car accident relate to your hospital cybersecurity?
We all are good at reacting to the things that we can easily see. Whether in a car or cybersecurity that is laid out by the government, most often we are able to see the things right in front of us because we can see and understand what we’re doing.
But what most administrators forget about are all the things that they don’t know about or that have changed since HIPAA requirements were originally instated. What the majority of hospitals (but certainly critical access and rural hospitals) overlook are the points that can certainly get you into a serious accident.
How many times have you said, “Wow, I did not see that coming!”? I’m sure if you think about it a little, you’ll come up with several things. And I’m not just talking about security here.
We’re all prone to see things that we’re familiar with. You’re familiar with things that you’ve grown accustomed to seeing. But what we don’t understand is what’s out of our vision. What’s outside of our frame of view. This is when problems arise.
With cybersecurity, new attack vectors or schemes and scams pop up unexpectedly and we’re sometimes taken off guard. In essence, we’re unaware of what we don’t know—the stuff that we haven’t yet eliminated. We’re essentially seeing only part of the picture.
With healthcare cybersecurity, one of our biggest goals is to be looking from many angles, to help avoid missing problems with security that would have been caught had we been looking at the bigger picture. Most of the largest breaches and biggest cybersecurity incidents stem from awareness and the unknowns.
How can your hospital reduce the chances that they will get a ransomware assessment?
Realize that there are blind spots—no matter whether you’re large or small or have passed your HIPAA audit with flying colors or are told by your IT guy that everything is set and you have nothing to worry about, the truth of the matter is if you’re complacent, you’re likely missing something. Coming to terms that you have risks even though you’re told your HIPAA security is clean will go leaps and bounds to avoiding being the victim of the next ransomware attack.
Hire a team that is eager to learn—one of the biggest flaws in many IT support teams in hospitals is that they are overconfident that your network is protected. Overconfidence in the security world is almost always associated with vulnerability. The problem with overconfidence is that it often leads to carelessness and neglect. We overlook our challenges and simply think everything is working great. One of the biggest ways organizations fall to cyberattacks is by thinking that they’re doing enough and nothing could ever happen to them. Because the reality is that they too are a target. The question is: how big of a target are they. If your team is eager and ready to learn—learn from their mistakes, other’s mistakes and learn what’s new in security and technology, you’ll assuredly have a team that’s best preparing you for future attacks.
Understand the landscape—many hospital IT support teams fail to stay connected in the cybersecurity community. They aren’t a part of organizations, don’t have strong relationships with third-party security vendors and little by little lose sight of where the landscape is. If they’re keeping their heads down—working hard on your computer systems—they may very well be forgetting to engage in the broader community at large. By leveraging relationships and keeping informed as to what has been happening in health security and security in general, good support teams are able to incorporate new insights into how your hospital is protected.
Realize that you’re not always going to be right the first time—it’s hard for many to come to terms with a solution not working the way they want it. Often when it comes to getting security right, your first idea isn’t the one that’s going to keep your data secure. It often takes mulling over problems from a variety of perspectives before a clear best approach or strategy reveals itself.
We all have a hard time seeing our blind spots. But the easiest way to make those spots—those vulnerabilities in your network—smaller is by getting a different perspective. Are you certain that your hospital is safe from ransomware? Consider a free ransomware vulnerability assessment to settle your nerves.
