The Healthcare Symposium is a uniquely rewarding gathering of healthcare leaders from across the industry who have a diverse spectrum of backgrounds ranging from finance to clinical operations. After a two-year hiatus from the event due to the pandemic, the focal point of the 2022 Symposium was breaking free of the COVID-19 mindset and moving forward confidently into a new age of healthcare. This included a segment on the increasing rise in cybersecurity threats facing the healthcare industry.
Forvis Mazars has a unique, three-pronged approach to cybersecurity built on advisory, compliance, and assessment elements. Advisory focuses on helping you build and maintain an effective cybersecurity program through thoughtful, scalable, and tailored approaches. The compliance aspect encompasses Forvis Mazars’ experience with cybersecurity industry standards, frameworks, and regulations. Finally, as cybercriminals increase efforts to exploit vulnerable organizations, Forvis Mazars is working toward helping organizations reduce the risk of high-profile and devastating data breaches by conducting frequent assessments.
A new era of healthcare has ushered in an overabundance of cybersecurity threats that are compromising organizations with devastating effects. According to the IBM Security Cost of a Data Breach Report for 2021[1], the average time to identify and contain a security breach in the U.S. is 287 days. That same report tells us that users are the biggest risk to companies, with 60% of breaches caused by internal employees. Business email compromises, phishing, and social engineering ranked as the three most costly forms of internal data breaches.
Listening to our clients and their stories proves to us that no matter how secure a system, an impenetrable organization does not exist. There are preventative measures businesses can take to deter security breaches, but an organization is only as secure as its least protected member. Multifactor authentication is a simple but surprisingly effective deterrent for data breaches that should be utilized by all employees.
Looking toward the future, managers and employees alike must be aware of the information they provide as well as engage in risk assessments on a daily basis. In addition to daily obligations, laws pertaining to sensitive information such as HIPAA—a national standard developed to protect individuals’ personal health information—need to be adhered to around the clock by all staff. To better support HIPAA security standards and data protection requirements, the U.S. Department of Health and Human Services created the Health Industry Cybersecurity Practices (HICP), Managing Threats and Protecting Patients document.[2]
Two technical volumes are provided with HICP: “Technical Volume 1: Cybersecurity Practices for Small Organizations” and “Technical Volume 2: Cybersecurity Practices for Medium and Large Organizations.” One important aspect of the Technical Volumes is aiding management in addressing 10 effective cybersecurity practices as selected by the CSA 405(d) Task Group. These practices are designed to help mitigate current threats.[3] As an example, the 10 practices for a medium organization include:
- E-mail protection systems – this includes system configuration standards, education and phishing simulation, and multifactor authentication.
- Endpoint protection systems – basic endpoint security standards to help monitor devices such as desktops, laptops, mobile phones, and tablets for suspicious or unusual activities that could indicate a cyberattack.
- Access management – basic access management to help guide permissions and access levels to files, systems, and services with the goal of maintaining least privilege. This will also include provisioning, transfers, and de-provisioning policies and procedures.
- Data protection and loss prevention – policies and procedures relating to data classification, loss prevention, backup procedures, and overall data security.
- Asset management – life cycle standards including inventory control, procurement, decommissioning, and secure storage requirements for inactive devices.
- Network management – the process of administering and managing network infrastructure including firewalls and intrusion detection devices as well as segmentation practices.
- Vulnerability management – the process of identifying, evaluating, correcting, and reporting on security vulnerabilities. This will include patch management and web application testing.[4]
- Incident response – policies and procedures needed to identify, analyze, and respond to incidents, as well as how to utilize information sharing organizations.
- Medical device security – the tools and practices that prevent attackers from gaining unauthorized access to or control over medical devices and the data they generate. This will include endpoint protection standards and asset and network management.[5]
- Cybersecurity policies – policies that define and document an organization's statement of intent, principles, and approaches to ensure effective management of cybersecurity risks in pursuit of its strategic objectives.
The recent pandemic has introduced a multitude of unique problems for healthcare, including cybersecurity threats. While reaction times to these threats have improved, it is necessary that organizations take preventative measures to avoid the spread of threats before they begin.
The new age of cybersecurity demands that organizations put in place more than just preventative measures. New threats require innovative strategies, and clients need to understand that response time is equally as crucial as prevention. Our three-pronged approach to cybersecurity provides clients with protection before, during, and after a threat is exposed.
At Forvis Mazars, our cybersecurity professionals are making strides to adopt modern technologies and effective IT governance as well as risk and compliance programs to better serve our clients and properly maintain the security of both internal and external stakeholders.