Readers Write: Don’t Skip the Digital Wash: 3 Cyber Hygiene Tips for Healthcare Security

Don’t Skip the Digital Wash: 3 Cyber Hygiene Tips for Healthcare Security
By Greg Surla

Greg Surla is SVP/CISO of FinThrive. 

In 2023, healthcare systems faced an alarming surge in cyberattacks, impacting over 100 million people across the US, according to The HIPAA Journal. This troubling trend continued into 2024, emphasizing the urgent need for advanced cybersecurity measures in healthcare.

With the rise of sophisticated ransomware attacks, such as those from BlackCat, and the increasing availability of ransomware-as-a-service, healthcare organizations must remain focused on cyber hygiene practices.

Cyber hygiene refers to the routine practices that are necessary to protect information systems and sensitive data. For healthcare organizations, effective cyber hygiene is particularly challenging due to factors such as outdated technology, stringent HIPAA regulations, and rapidly evolving cyber threats. Key cyber hygiene practices — regular credential rotation, MFA, and effective vulnerability management — are essential for mitigating the risk of breaches and ensuring regulatory compliance.

This article explores three essential cyber hygiene procedures for shielding healthcare data: credential rotation, multi-factor authentication (MFA), and vulnerability management.

Regular Credential Rotation

Regular credential rotation is a fundamental security practice that involves frequently updating passwords and access credentials. This process helps minimize the risk of unauthorized access, especially if credentials are compromised.

In healthcare settings, where multiple users with varying access levels are common, managing credential updates is a complex, but necessary, best practice.

• Develop a clear policy. Establish guidelines for how often credentials should be updated and assign responsibilities for managing this process.
• Use automation. Apply identity and access management (IAM) solutions to automate the credential rotation process and reduce manual effort.
• Educate and incentivize staff. Provide training on best practices for creating and managing secure credentials. Consider offering incentives for adherence to credential policies.
• Conduct regular audits. Regularly review and audit credential management practices to ensure compliance and identify areas for improvement.

Multi-Factor Authentication

MFA is a critical security measure that enhances protection by requiring multiple forms of verification beyond just a password. This additional layer of security is especially important in environments where unauthorized access to sensitive data has severe consequences.

• Select an integrated solution. Choose an MFA system that integrates well with existing infrastructure and is user-friendly.
• Deploy in phases. Start by deploying MFA in high-risk areas and gradually extend it across the organization.
• Train staff. Educate employees on the importance of MFA and provide thorough training on its use.
• Review practices. Periodically assess and update MFA practices to adapt to new security challenges.

Vulnerability Management

Vulnerability management involves identifying, assessing, and addressing security weaknesses within systems. Regular vulnerability management is crucial in healthcare.

This practice includes routine scanning, risk assessment, and timely patching to protect systems from potential breaches. Automated tools are available to frequently scan systems for vulnerabilities and rank risks based on their potential impact and the likelihood of exploitation. Look for emerging vulnerabilities and train staff to identify potential risks and deliver prompt resolution.

The most common attacks in healthcare attempt to exploit user accounts through social engineering methods such as phishing as well as brute-force types of attacks such as password spraying and credential stuffing.

By adopting the cyber hygiene practices list above, healthcare organizations can enhance their defenses against cyber threats, ensure compliance with regulatory requirements, and maintain the security of their systems. And as cyber threats continue to intensify, staying proactive and vigilant safeguards your organization’s sensitive healthcare information, preserving trust in the healthcare system.