Seven Things Healthcare Organizations Should be Doing to Improve Their Security Initiatives

Nov 18, 2020

Seven Things Healthcare Organizations Should be Doing to Improve Their Security Initiatives Image

Healthcare organizations have been a notoriously soft target for cyberattacks, and now amid the COVID-19 pandemic, they have a massive target on their backs. As a result, it is essential now more than ever for healthcare companies to address and plan for cyberattacks. While this can be a tall task due to the many devices on their networks and the need to share information across these devices, there are ways to mitigate this risk. Steve Zurier, security and IT journalist with Dark Reading, suggests healthcare companies should be doing these seven things to reduce and manage cybersecurity risks:

1 – Educate yourselves

A company’s first line of defense against cyberattacks are their employees. Addressing employee cyber education is essential in teaching employees to practice good cyber hygiene, such as creating strong passwords and backing up personal data. Training employees to identify phishing emails and maintaining this training by running phishing simulations is also essential in preparing employees to deal with cyber threats.

2 – Educate your patients

While patients may be more challenging to control when it comes to cybersecurity, there are still ways in which healthcare companies can mitigate risks in this area. Providing basic education to patients through face-to-face interactions, flyers, and constant reminders are easy ways to reduce risk amongst this group.

3 – Perform risk-based patching

It should go without saying that patching systems are a necessary step when building your defenses against cyber threats. Risk-based patching is an effective way to balance security while taking into account your business needs. By applying risk-based patching can use resources more effectively and avoid wasting resources on fixing non-relevant vulnerabilities.

4 – Prepare for incidents

Creating plans for the aftermath of a cyberattack helps to mitigate damages when they occur. Creating a plan is not enough; however, it’s crucial to have employees understand the strategy and carry it out before using it in a real-time event. Running simulations and ensuring these plans’ effectiveness will ensure they are carried out in a swift and orderly manner.

5 – Ensure backups are in place

While backups don’t prevent criminals from exposing data in a ransomware attack, having up to date backups gives healthcare companies more leverage when dealing with cybercriminals. More importantly, having these backups helps businesses get back up and running promptly. Testing these backups is vital in ensuring their effectiveness.

6 – Implement least-privilege (especially for admin accounts)

Enforcing access zones within a company makes it more difficult for ransomware to spread to other systems. Giving employees just enough access as required to do their job effectively helps create effective access zones. Organizations should implement access request and approval workflows to capture who approved access and the context associated with the request.

7 – Consider security as part of IoT deployment

As IoT technology becomes more prominent in the medical field, it is ever so important that companies purchase hardware with security in mind. These devices can be notorious for having insufficient security measures in place and can be a soft target. Recommending products with proper security measures in place can help to mitigate this risk.

Cyberattacks have become a problem for the healthcare industry in general; it doesn’t have to be. Putting a plan into place and following through with it can ease the minds of those within an organization. While risk is stacked against healthcare companies due to the number of devices on their networks and the nature in which data moves between them, these seven steps can immensely improve security on a healthcare company’s network.

About Secuvant:

Located in Salt Lake City, Utah, Secuvant is a global leader in integrated cyber threat analytics and risk advisory services, built on a value system of client focus, integrity, accountability, execution, and teamwork. Secuvant’s mission is to provide clients with a Clear Path Forward in their pursuit of establishing an acceptable security risk posture. Secuvant’s success is built upon strict adherence to its values, a functioning world-class advisory board, the unique combination of cybersecurity expertise and industry / vertical specialization, and a team of experts that repeatedly deliver best-in-class managed and advisory cybersecurity and risk services. Secuvant understands Cyber Risk is Business Risk™ and uses methodologies and metrics aimed at minimizing business risk. Services include, but are not limited to, Security Gap and Risk Assessments, Risk Program Management, Executive and Board Cyber Advisory, Penetration Testing, Security Monitoring, Managed Detection and Response and Incident Response services. To learn more, visit