Managing Cybersecurity In An Organization

Managing cybersecurity in today’s environment requires companies to break it down into step by step processes. First, companies commonly select a cybersecurity framework. This is a template constructed by industry consultants as to how companies and institutions should secure and monitor their vulnerabilities. The most common cybersecurity framework is the National Institute of Standards and Technology. It outlines cybersecurity integration as well as activities the companies should partake in to monitor their systems. David Ting, CTO of Imprivata, suggestions for laying a foundation for effective cybersecurity are “One, identify all those assets that are vulnerable. Two, create a strategy for how you would protect it. Three, deduction, which is to understand when your system is operating normally and understand when things aren’t normal. Four, the ability to respond and contain an attack”.

Next, the company must secure all devices within their network that are used to store, transfer or access any privileged information. For a benefits broker or carrier, these devices could be computers, phones and tablets used by employers. For a healthcare provider, these devices could be medical equipment as well as computers and smart devices. Any device that connects to the network, in which information resides, is susceptible to an attack. In regards to medical equipment used by providers, security features are generally created by the manufacturer due to federal regulations. Known as quality system regulations, they require manufacturers to identify risks and threats associated with their medical device product. Cybersecurity on medical devices used by providers and facilities is not an optional decision. Attacks on these devices can result in life or death outcomes for patients. MRI machines, pacemakers, IV pumps and others are examples of computerized medical devices. Hackers could manipulate the pace at which a patient’s pacemaker is set, they could request the IV pump to deliver a fatal dose of medicine, or simply change the results of an MRI test. In 2007, doctors ordered a manufacturer to disable a wireless feature on Vice President Cheney's defibrillator because they feared a terrorist could hack the device and kill the Vice President.

When assessing the process of securing steps, it is common to follow a few methods. First, figure out how the device connects to the network. Second, put in some basic controls. This means to make sure you have unique passwords and basic security across the board. Lastly, lock it away. When the device isn’t being utilized, do not leave it somewhere for everyone to access. Lastly, it is crucial to properly train employees and make sure they are aware of what an attack could look like. With social engineering as a major form of hacking, it is important to properly train employees to always be on the lookout for emails, phone calls and message that might be make an unusual request. Companies cannot rely on security measures to catch every attack. Also, training for proper data handling is required under HIPAA. Untrained employees create a massive set back in a company’s cybersecurity efforts. It is crucial that a company’s cybersecurity team educate all employees on examples of day to day cyberattacks.

Employees should be educated on what information hackers are after. This will create internal red flags for employees to notice when receiving a phishing email. It is also important for companies to set up channels for when a scam email comes into the company. The handling and assessment of a known attack can help prevent future attacks. The better educated your employees are on the threats of cyber attacks then the more secure your information will be against some of the most common but impactful attacks. In May 2016, employees at the Department of Health Services in Los Angeles received several phishing emails. The employees were trained to detect phishing emails and how to handle them if found. However, even with the training, 108 of them fell victim to the attack. A breach of more than 750, 000 records occurred.

Encryption

There are several other specialized techniques that cybersecurity professionals can use to help manage their risk. One of those techniques is encryption. Encryption is the conversion of data into a secure form. Only privileged personnel will be able to access the encrypted data. Unencrypted networks lack security and allows users on that network easy access to all saved data. Luckily, third party networking services such as amazon web services provide you the ability to encrypt your network without needing the expertise required to do it yourself. Encryption can be referred to in terms like 128-bit or 256-bit. A 128-bit encryption means that there are 2, 128 possible keys to decrypt and a 256-bit encryption means that there are 2, 256 keys to decrypt. The most common encryption method is Advanced Encryption Standard. AES, although many have tried, has never been hacked.

One of the most popular forms of data encryption in the healthcare industry is an Electronic Data Interchange (EDI). An EDI is a form of data transfer along the healthcare supply chain. A data file is rewritten to follow a unique code set between the two transferring parties and is then encrypted and transferred from one party to the other using a secure file transfer protocol. EDIs are most commonly used on the employee benefits side of healthcare. They are used to transcribe plan changes, terminations, new hires and other related updates from clients to brokers to carriers. If hacked, the data file is illegible to anyone who does have the supporting companion guide. This illegibility makes it an attractive option for many companies in the healthcare industry.