Top 5 Cybersecurity Tips for Healthcare Organizations

By Wojciech Bajda, Managing Director, Public Sector, MENAT, AWS

In an increasingly digital world, healthcare organisations are facing more sophisticated cybersecurity threats, and these institutions must rely on collecting and maintaining sensitive data to effectively carry out their core missions. Safeguarding this data must remain a top priority.

A recent study from Proofpoint, a cybersecurity and compliance company, and Ponemon Institute, a top IT security research organisation, found that 89% of healthcare organisations had experienced an average of 43 cyber-attacks in a 12 month period, representing almost one attack per week. The most common impact of these attacks were “delayed procedures and tests,” resulting in poor patient outcomes for 57% of the healthcare providers surveyed and increased complications from medical procedures for nearly half of respondents. With lives on the line, healthcare organisations need to have robust cybersecurity measures ingrained into their systems to help mitigate these threats.

Below are five top tips from AWS for healthcare organisations to follow in enhancing their day-to-day cybersecurity:

1. Create a documented security policy – To help ensure all employees are on the same page and have a clear reference point for any queries, the best starting point for healthcare organisations is to draw up a simple cybersecurity policy. This should clearly outline the expectations and duty of all employees to adhere to the collective standards required to enhance cybersecurity. The policy should be clearly communicated throughout an organisation and made easily accessible across internal systems. The policy should include the following four tips as actions for all employees.

• Require unique credentials for all login requirements – This is something we all take for granted in our personal lives but is imperative in keeping potential bad actors at bay, particularly when dealing with sensitive personal or medical data. Employees must be required to use unique credentials for all work-related login functions with set rules that help ensure that passwords are strong, both in length and complexity. This means bad actors cannot unlock multiple doors across an organisation through accessing one set of credentials.

• Tighten admin rights, permissions, and privileges – It is obviously important to have the necessary IT system rights in place for your employees to work effectively. Organisations must remember, however, that granting many rights or privileges to many employees increases cybersecurity risk. Best practice is to ensure that all employees only receive privileges that are necessary for their business role. To start, organisations should audit existing privileges, establish a system for documenting any new permissions and perform regular access reviews. Educational institutions can use cloud services such as IAM and Cognito to easily manage and monitor access rights. 

• Back up your systems on the cloud – Using a cloud backup is a crucial step towards making sure data across an organisation is secured, recoverable, and easily accessible should bad actors compromise locally-held information. Cloud backups provide greater resiliency, so that that data cannot be deleted easily by bad actors. AWS Backup provides cloud-native back up services for education organisations’ key data stores, such as buckets, volumes, databases, and file systems, across AWS services. A cloud backup is a necessity for all education organisations.

• Foster a blame-free culture – Underpinning all these recommendations is culture. An organisation’s cybersecurity culture must be driven by inclusion and safe space, avoiding any blame on the part of employees when things go wrong. Phish-testing and more traditional security training methods are increasingly outdated, ineffective, and potentially problematic for employee relations and morale. Organisations should concentrate on driving greater awareness and improving behavioural training to encourage positive changes among their employee base and to help enhance collective cybersecurity.

Strong cybersecurity is no longer a “nice to have” for healthcare organisations. Estimates from the World Economic Forum have indicated that hospitals produce nearly 50 petabytes of data per year. This is an incredibly large amount of information to protect from cyber-attacks. A recent report from the European Union Agency for Cybersecurity (ENISA) found that patient data, including electronic health records, were the most  vulnerable assets. Nearly half of all incidents aimed to steal or leak health organisations’ data.

Healthcare organizations can help mitigate many of these risks by following the five guiding principles above. Putting these into action, in combination with strong leadership buy-in for cybersecurity investment and a well-understood, widely adopted “security culture” among employees will help enhance organizations’ cybersecurity capabilities against future threats.  “If you really want to drive change, look to your leadership. Cybersecurity isn’t just about technology: it starts at the top,” says Orlando Scott-Cowley, public sector tech and business development manager at AWS. “Leadership must own and foster a culture which supports cybersecurity.”