MedCity Influencers, Health IT

3 Keys to Better Cybersecurity

As companies review their processes, below are three approaches they can keep top of mind — namely, increasing employee training and utilizing technology as safeguards, making a point to learn and change processes following attacks, and prioritizing vetting partners’ security.


In an industry entrusted with valuable personal health information, healthcare organizations have long worked to stay ahead of cybersecurity threats. But as these threats accelerate and evolve, healthcare organizations and companies need to take new approaches to not only protect that data and their reputations, but also safeguard patient care.

Recent data from the Verizon Data Breach Investigations Report shows that ransomware attacks saw a steep increase in 2021 — nearly 13% compared to the prior year and a jump that almost equaled the last five years combined. This is especially concerning for the healthcare sector as we know our industry has a higher risk of breaches.


Training combined with technology

We know that humans continue to be heavily involved in data breaches and incidents: 82% of breaches in 2021 involved a human element, including social attacks, errors and misuse, according to Verizon’s report.

The good news is that humans also can be the first line of defense against these attacks. So, it’s important that healthcare providers at all levels — from frontline workers to group owners — understand cybersecurity. Thinking through how we employ that defense is especially important in healthcare, where we hold vast stores of highly sensitive personal health information. To prevent breaches, we need to speed up our response times and create different protections than those often currently in place.

However, training employees isn’t always sufficient to combat today’s increasingly sophisticated attacks. Our systems need to have triggers that can help flag threats that come through — allowing product teams the chance to pivot and quickly implement security measures. These simple triggers already prevent thousands of phishing emails from hitting our inboxes every day, and they work.

Three R’s: Response, recovery and reflection

Cyberattacks are never ending. As soon as we learn how to remediate from one attack, there are hundreds more waiting to strike. It’s not a question of if you’ll be attacked again, but when.

Security teams spend much of their time preventing attacks. When they do catch an attack, they focus on detecting what it is, responding to it and recovering from it.

But companies often don’t spend enough time on reflection. Instead of hoping that a similar attack won’t happen again, security teams should thoroughly analyze why and how the attack occurred and use those insights to change their processes.

Teams also should regularly train for cyberattacks using tabletop sessions where they can test out new processes that are informed by their analysis of prior attacks. To increase the effectiveness of these sessions, companies should use an external moderator. These moderators can bring an outside point of view as they are unfamiliar with how the company typically handles attacks. While using a moderator from within the company might be easier, their familiarity will reduce the tension — leading to a less realistic simulation and a less effective learning experience.

Strong partner security

Healthcare providers often use strategic partnerships to provide customers with more offerings as part of their benefits package. While this can be invaluable to customers — expanding the breadth and depth of services available — companies must consider security before partnering.

It’s extremely important that we vet these partners intensely as they will have access to customers’ personal health information. We need to understand the full picture of their security. How have they responded to past breaches? What solutions have they implemented? And what challenges are they preparing for in the future?

Our security team needs to believe that a partner’s system and offerings are in the best interest of our customers. Ultimately, a partner should pass one simple test: Would we be willing to use their system and offerings to protect our own data?

Photo: JuSun, Getty Images


Kelli Burns serves as SVP, chief information security officer at Accolade. She leads a team of information security professionals supporting Accolade's vision to create and maintain a best-in-class information security and privacy posture supporting growth and maintaining the trust of customers and members. Before joining Accolade, Burns held multiple positions at Symetra Financial including CISO. During this time, she was pivotal in building out the cybersecurity program and enabling the business to make decisions swiftly while protecting the data of customers and employees. Expanding her leadership role beyond her technical capabilities, Burns was the founding leader and executive sponsor for Symetra’s Diversity and Inclusion Council and developed their IT Emerging Leaders enterprise program. She is well-regarded in the Seattle community for mentoring women in cybersecurity and technology. Burns holds a B.S. in Management Information Systems from the University of Montana and is currently pursuing her MBA from Penn State University. 

This post appears through the MedCity Influencers program. Anyone can publish their perspective on business and innovation in healthcare on MedCity News through MedCity Influencers.