2018 is here. While many of us are a couple of weeks into our New Year’s resolutions, some may have already broken them. Still more are waiting for “tomorrow” to start them. If you’re like me, the honest answer depends on which resolution you ask about. Some of mine remain the same as those I made in 2017, and some are filled with new ambitions. Regardless, the only way to keep things moving forward is to start.
The same dynamic applies to the fundamentals of cybersecurity. Perhaps your organization has made a resolution to focus on cybersecurity in 2018 and, if not, perhaps you should. Many healthcare organizations made progress in 2017 and some have yet to start their journey. In cybersecurity, the first step is to conduct a regular risk assessment. According to a survey completed by Black Book, over 50 percent of providers have not completed a regular risk assessment. This represents a huge opportunity for those organizations to materially shape the future of their cybersecurity posture. A regular risk assessment becomes an increasingly important step, as our adversaries have momentum, and breaches are happening more often than ever before.
Last year, the number of healthcare organizations impacted by a data breach rose for the third consecutive year. According to the Office for Civil Rights, healthcare organizations experienced a seven percent increase in the total number of entities impacted over the prior year. In total, 352 organizations and over 5 million individuals were impacted. Now, the question on many people’s minds is “How can we strengthen the security posture of our organizations while balancing all the other competing priorities?”
Again, my first recommendation is simple: Start. Specifically, organizations should focus on the fundamentals:
- Conduct a HIPAA Risk Analysis. Once completed, make sure you prioritize the findings of the assessment and make progress against your corrective action plan.
- Focus the appropriate resources on patching. This is one of the most important actions your organization can take to protect itself against known vulnerabilities. I am often amazed how many healthcare organizations focus on the next advanced threat protection technology, but haven’t patched in years. The world learned the importance of patching in 2017 when WannaCry spread through healthcare organizations by exploiting an SMB flaw for which Microsoft had already shipped a fix two months earlier; the systems hit were the ones that had not applied it. Patching is simple in principle, but complex in practice: you need an accurate inventory, regular vulnerability scanning to find what is missing, remediation deadlines tied to severity, and a way to track what is overdue. Don’t overlook the importance of vulnerability scanning and executing an effective patch management program.
- Educate Employees. Have a strategy for educating your employees on the dangers of poor cyber hygiene. My recommendation is end-user training coupled with simulated phishing, so that staff practice recognizing the lures they will actually see and you can measure whether the training is working. These programs are relatively inexpensive, but can have a major impact on your security posture.
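To make the patching bullet concrete, here is an added example (my own code, not part of the original post) of the tracking logic a patch management program needs once vulnerability scans are running: it reads a scan export, measures each finding against a remediation SLA for its severity, lists the most overdue items first, and flags hosts that have not been scanned recently. The CSV layout, the SLA tiers and the stale-scan threshold are assumptions; real scanners export more columns and every organization sets its own deadlines. The sample rows are constructed for illustration, and the only real identifier in them is MS17-010, the March 2017 Microsoft bulletin that fixed the SMB flaw WannaCry exploited.

```python
"""Patch-management triage over a vulnerability-scan export.

Added example, not from the original post. The column layout, the SLA
tiers in SLA_DAYS and STALE_SCAN_DAYS are assumptions; the sample rows
below are constructed for illustration.
"""
import csv
import io
from datetime import date

# Assumed remediation SLAs in days, keyed by scanner severity. Organizations
# set their own; these are only illustrative.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}

# Assumed limit on how old a host's last successful scan may be before the
# host is reported as stale (a host that is not scanned cannot be tracked).
STALE_SCAN_DAYS = 30

# Constructed sample export: host, last_scan, finding, severity, patch_released.
SAMPLE_EXPORT = """\
host,last_scan,finding,severity,patch_released
imaging-ws01,2018-01-10,Missing MS17-010 (SMBv1 remote code execution),critical,2017-03-14
imaging-ws01,2018-01-10,Outdated Java runtime,high,2017-11-20
lab-server02,2017-11-05,Outdated Java runtime,high,2017-11-20
lab-server02,2017-11-05,Weak TLS cipher suites offered,medium,2017-12-01
nurse-kiosk07,2018-01-12,Missing MS17-010 (SMBv1 remote code execution),critical,2017-03-14
nurse-kiosk07,2018-01-12,Informational banner disclosure,low,2018-01-02
"""


def parse_export(text):
    """Parse the CSV export into dicts with real date objects."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["last_scan"] = date.fromisoformat(row["last_scan"])
        row["patch_released"] = date.fromisoformat(row["patch_released"])
        row["severity"] = row["severity"].strip().lower()
        rows.append(row)
    return rows


def triage(rows, today):
    """Annotate each finding with its age and SLA status, most overdue first."""
    findings = []
    for r in rows:
        sla = SLA_DAYS[r["severity"]]
        days_open = (today - r["patch_released"]).days  # days a fix has existed
        days_past = days_open - sla                     # positive means overdue
        findings.append({
            "host": r["host"],
            "finding": r["finding"],
            "severity": r["severity"],
            "days_open": days_open,
            "days_past_sla": days_past,
            "overdue": days_past > 0,
        })
    # Overdue items first, then by distance past the SLA, then by severity rank;
    # sort is stable, so ties keep their export order.
    rank = {s: i for i, s in enumerate(SLA_DAYS)}
    findings.sort(key=lambda f: (not f["overdue"], -f["days_past_sla"], rank[f["severity"]]))
    return findings


def stale_hosts(rows, today):
    """Hosts whose most recent scan is older than STALE_SCAN_DAYS."""
    latest = {}
    for r in rows:
        latest[r["host"]] = max(latest.get(r["host"], r["last_scan"]), r["last_scan"])
    return sorted(h for h, d in latest.items() if (today - d).days > STALE_SCAN_DAYS)


def summary(findings):
    """Count overdue findings per severity for the corrective action plan."""
    counts = {s: 0 for s in SLA_DAYS}
    for f in findings:
        if f["overdue"]:
            counts[f["severity"]] += 1
    return counts


def report(text, today_iso):
    """Parse an export and build the full picture for a given reporting date."""
    today = date.fromisoformat(today_iso)
    rows = parse_export(text)
    findings = triage(rows, today)
    return {
        "findings": findings,
        "overdue_by_severity": summary(findings),
        "stale_hosts": stale_hosts(rows, today),
    }


if __name__ == "__main__":
    result = report(SAMPLE_EXPORT, "2018-01-15")
    for f in result["findings"]:
        flag = "OVERDUE" if f["overdue"] else "ok"
        print(f"{flag:8} {f['severity']:8} {f['days_past_sla']:+5d}d  {f['host']:14} {f['finding']}")
    print("overdue by severity:", result["overdue_by_severity"])
    print("hosts with stale scans:", result["stale_hosts"])
```

Run against the constructed export with a reporting date of 2018-01-15, the two hosts still missing MS17-010 sit at the top, roughly 300 days past a 7-day critical SLA, which is the situation WannaCry punished; lab-server02 is also reported as stale, since its last scan is over two months old and its findings may no longer reflect reality. Pointing the same functions at a real scanner export and wiring the output into a ticketing system turns "we should patch" into a list with owners and due dates.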
Protecting your organization is a journey that requires constant attention and never stops. One place to start is our primer on 2017 trends and predictions for 2018 in our Horizon Report. Regardless of what your 2018 resolutions are, I hope you start and stick with it. Let 2018 be a year of progress.