
Beyond the Basics: Steps to Strengthen Your Cybersecurity

Keeping your patients’ data safe requires more advanced tactics.

It seems like it happens nearly every day – either you see a news report about a security data breach or you get an email that your password to one of your personal accounts has been compromised. And, it’s not just you. Healthcare is now being more aggressively targeted, and radiology – with its mounds of personal imaging and clinical data – must take steps to protect itself.

In an article published this month in the Journal of the American College of Radiology, industry experts from Michigan took a look at the most effective steps and went beyond the basics to help you and your department or practice better shield yourselves from malicious attacks.

“A successful attack can have a significant negative clinical, monetary, regulatory, and public perception impact to practices,” said Rich Wunsch and Andrew K. Moriarty, M.D. “Healthcare has lagged other industries in funding cybersecurity programs and, coupled with a reliance on older technologies and the critical nature of healthcare, has motivated attackers to focus attacks on the industry.”

Wunsch is the director of IT infrastructure for Advanced Radiology Services in Michigan, and Moriarty is vice president of clinical operations and quality committee chair at Advanced Radiology Services, as well as assistant professor of radiology and biomedical imaging at Michigan State University.

The most effective defense, they said, is treating your cybersecurity efforts like pest control. Both internal and external measures are critical. At a minimum, they said, put these basics in place:

  • Password policy: Use pass phrases with at least 15 characters to make them harder to guess, but easier to remember.
  • Multi-factor authentication: Use a strong password policy alongside other authentication measures, such as physical tokens, telephone applications, or text messaging.
  • Security training: Implement a strong user awareness training program.
  • Patching: Keep your security patches for all software in the organization up-to-date.
  • Firewall: Put a firewall in place that both blocks outside attacks and protects your users from visiting malicious sites.
  • Email protection: Put security controls in place that filter out malicious emails.
  • Workstation/server protection: Opt for anti-virus products that both search for viruses and target malicious behavior.
  • Intelligence sources: Partner with FBI InfraGard, which has a healthcare-targeted group called Cyber Health Working Group.
  • Get a security partner: Identify a strong security partner who can offer resources, perspectives, and personnel to strengthen your security program, and conduct penetration tests regularly to identify weaknesses.
  • Data back-ups: Routinely back up data to protect yourself against ransomware attacks.

Once these measures are in place, take it to the next level, they said. Consider these more advanced tactics:

  • Build an internal or outsourced security network for your organization and monitor it for signs of compromise.
  • Vendor security audits
  • End-to-end data encryption
  • Build an incident response plan and disaster recovery plan
  • Automate workstations and servers to ensure consistent configuration and security settings
  • Find and purchase comprehensive cyber insurance to cover additional risk
  • Conduct regular penetration tests
  • Implement a vulnerability scanner to scan the network for vulnerabilities

But, before you get started, Wunsch and Moriarty said, be sure you have fully assessed your current security situation and have all the appropriate stakeholders on board for making any changes.

Get Support from the Top: Your cybersecurity efforts will be most effective if you have buy-in from leadership, they said. Define your security program objectives, and be sure they align with your business objectives. Outline the steps you need to achieve the goals and what you need to make those measures happen.

“Without the support of leadership and senior management, success will be an elusive target,” they said. “The leadership and cybersecurity teams must work together to define a security program strategy that is aligned with the overall business strategy and expectations.”

Assess your situation: Take a full inventory of the software and hardware you have available – even the products that are old or are not currently being used. Be sure to catch any software that needs patches as this can be a blind spot for your organization.

“This is the low-hanging fruit attackers look for,” they said, “learning more about your environment than you even know.”

Taking the time to evaluate your current security measures and putting new strategies in place can help save your organization from the stress and harm that come with cybersecurity attacks, they said.

“Although it takes time and dedication, building a solid security practice not only greatly reduces risk to the organization but will also build the confidence of current and future customers who are trusting your organization to protect their vulnerable data,” they said.

© 2024 MJH Life Sciences

All rights reserved.