October is National Cybersecurity Awareness Month (NCSAM), when government and the private sector work together to develop ways that businesses can help their workers and customers keep their digital data safe. It’s an excellent time for healthcare stakeholders to look at the privacy and security best practices they should employ.

Helping our clients build a robust cybersecurity program to meet threats head-on is paramount to our mission of protecting patient data and reducing risk throughout the Fortified healthcare ecosystem. This includes ensuring the people within those organizations are armed with vital information and resources needed to stay safe online.

To help, let’s look at four easy ways you and those within your organizations can protect yourself online.

Four Ways to Protect Yourself Online

1.) Set up multi-factor authentication (MFA)

Multi-factor authentication ensures that only authorized users can access company assets across the network, whether in office or working remotely. If MFA is unavailable, your employees can safely share and access data through a secure virtual private network (VPN). Moreover, MFA makes it tough for bad actors to hack sensitive data by requiring workers to use two or more unique identification factors to sign in.

There typically are three types of MFA credentials:

  • Private login credentials, such as passwords, security questions, and personal identification numbers (PIN) that only the user knows and are hard to guess
  • Devices such as a smartphone, where a user might be verified by entering a code after getting it as a text message following their password, or objects such as verification apps, or security badges, or tokens
  • Biometrics-based identifiers, such as fingerprints, retina scans, or facial or voice recognition.

As a best practice, organizations should choose at least two factors from the above categories — a password and a text (SMS), for instance — where MFA might be required with each login, one every few days on a trusted device, or logins on new devices.

While the most common authentication factors are texts, security codes, and PINs, users requiring more stringent security clearance for more sensitive data (e.g. information that’s restricted to upper management) might resort to more advanced login credentials, such as security tokens or voice recognition. Biometric credentialing is the highest restriction since it creates exclusive access.

2.) Don’t reuse passwords

Because so many devices are connected, criminals who correctly guess one device’s password could breach several devices. Hence, change your password often, but when you do, make sure the new one is almost impossible to guess.

How? By making it long and complex, or using passphrases, which surpass even the toughest password length and complexity rules.

A passphrase like “My first car was a 1977 Chevy Camaro,” is a great example, since it includes upper and lowercase letters, numbers, and spaces to make it a daunting challenge for any hacker.

What you don’t want is employees using the same password on everything; two-thirds of all people do this on multiple accounts. Ensure your employees use different passwords for every resource or application — or consider assigning passwords for each account — and implement strict password guidelines, which can strengthen account security across the board.

3.) Identify and report phishing

Phishing emails are among the worst cybersecurity threats, partly because they might resemble legitimate e-mails, such as government memos or company announcements, and partly because workers are getting more emails than ever before. And the menace is growing: the number of phishing emails tripled in number during the pandemic. 

Phishing is one of the main ways that cybercriminals break into networks and steal sensitive data, usually by passing off a fake email as real and then capturing usernames, passwords, and other account and/or financial information.

So, what can you do to thwart phishing attempts? Leverage software solutions such as email encryption, link protection, attachment sandboxing, and consistent security awareness, training, and monitoring.

4.) Update software regularly

If your employees are responsible for updating the antivirus and anti-malware programs on their devices, provide them with guidelines on how to implement software updates and patches. Also, tell them who they should contact if they suspect their computer has been compromised. Remote workers also should know about this type of asset management.

Third-party software — in forms such as telemedicine, file transfer platforms, and remote communication software — became essential to deliver patient care and support employee communications and productivity during the pandemic.

Today, most healthcare companies use software from several third-party vendors on a daily basis. Consequently, IT staff at healthcare organizations must have a granular understanding of their software’s protocol configurations and content, installing, when necessary, the updates that third-party vendors provide.

Conversations with your solutions vendors about any security concerns can help healthcare businesses understand the back end of the software. They also should check out any software they installed during the pandemic that might have eluded their normal third-party governance program.

It’s also vital to manage risk with third-party vendors, and that risk can be considerable. You may find it helpful to implement a third-party risk management program with your cybersecurity partner as well, since this may be more efficient than managing the task in-house.

Breach Consequences Can Be Severe

Bad actors only have to be right once to compromise IT infrastructure and wreak havoc in your organization. In 2021, more than 700 healthcare organizations experienced a breach of more than 500 records that exposed data on over 45 million people. And of the 58 lawsuits filed in the U.S. last year over data breaches, 43 lawsuits were filed against healthcare organizations.

For more insights on how to address risks stemming from third-party vendors and how to strengthen your cybersecurity posture overall, check out part 3 of our Defense-in-Depth webinar series