
Learnings on Healthcare & Cybersecurity


Last week, I tuned in to the "Security advice for healthcare organizations' front lines & back offices" webinar hosted by Becker's Hospital Review. The webinar featured industry experts from Imprivata, including Jesse Myers (VP IT and Security), Al Colon (Director of Information Security), and Troy Kuehl (VP of Engineering). The speakers covered topics such as securing and controlling access to PHI (protected health information), maintaining cloud security, and general best practices for front-line and back-office healthcare organizations. 

Being new-ish to the cybersecurity scene, I want to learn as much as possible on both a personal and professional level. Plus, with cyberattacks hitting the most critical industries on what seems to be a daily basis now, it's essential to know what companies are doing to protect all of our data, including yours and mine.

Pre-COVID, I was in a much different role than I am now. I was fortunate enough to evolve my position to take on market research and marketing responsibilities, which I have really grown a strong liking for. But to succeed in any role, you have to educate yourself, learn from others, and ask a ton of questions. When so many of us are having to pick up new duties or find a new position, it's important to show gratitude to organizations like Becker’s Hospital Review and Imprivata for taking the time and effort to share their knowledge. 

So what did I learn? Some things I (kind of) knew, but they were explained so clearly, such as:

Security is mission-critical and is everyone's responsibility.

It's true: security should be top of mind for everyone in an organization, regardless of title. Without good security hygiene, a company's most important assets, including customer data, intellectual property, and employee data, could be at risk. I learned during this webinar that healthcare data is being targeted because it can be used as blackmail and as a way to get fraudulent drugs and prescriptions.

Securing and controlling access is hard.

Pre-COVID, securing and controlling access was difficult. Throw in remote work, changing roles and responsibilities, and a lack of process to keep track of who has new access, and you have a recipe for disaster. During this webinar, one of the speakers shared that his wife is a nurse, and during COVID-19, her role drastically changed. She was actually moved to an entirely new floor of the hospital to focus solely on COVID patients. Hospitals and healthcare companies are a prime target for cyberattacks, not only because of the sensitive data they hold but because a single patient data record can go for thousands of dollars on the dark web. It's imperative to keep track of who has access to what data, and if duties change, access should be adjusted accordingly.

Identity is the new control plane.

Knowing who is accessing a system and how they are accessing it is the new control plane, also known as digital identity. Security teams must have a zero-trust standard for controlling access, and apply it in a way that doesn't dampen productivity. Still, it must be effective so that bad guys and cyber attackers cannot access your systems.

If you want to secure something, you need to know where it is. 

As COVID kicked off, I learned a new term called "tribal knowledge," described as "unwritten information that is not commonly known by others within a company." Why is this relevant? Because many organizations did not have tribal knowledge documented, including processes and security standards, as the world went remote and increased collaboration was necessary. I firmly believe that remote work forced me to become more organized and purposeful. Still, many teams may have recklessly accessed or shared information (passwords, sensitive documents, company data accessed from their cell phones, etc.) in harmful ways. Security teams need to have a pulse on where this sensitive information lives to protect it and ensure it's accessed in a healthy way.

A few extra takeaways:

  • Teams that rolled out new tools during COVID, especially collaboration tools, shouldn't rely solely on the built-in security standards. Those standards need to align with your organization's processes. Be prepared for many more flagged items on your next pentest, since new tools may not be up to par.
  • Did you know that October is Cybersecurity Awareness Month? Regardless, we should treat every day like cybersecurity is a top priority. 
  • The most popular times for phishing scams are around tax season and Christmas, when many of us are getting emails we have to check, so be on the lookout during these times.

To recap, next time you see an intriguing webinar come into your inbox, why not give it a listen? You may learn much more than you anticipated. And if you did learn something, share that knowledge with others. We're in funky times, and we are in for an uphill battle with cyberattacks. Once we return to the office, we can't let our guard down. We have to keep security top of mind, document tribal knowledge, educate ourselves, and innovate to hopefully get ahead of the bad guys.