We can’t comment on the PR issues that have caused Sony to become a target for hacktivists, but we can draw out some conclusions from Sony’s woes that apply to all industries, including healthcare. Here are the top 6 things you should learn from Sony’s story to prevent your organization from falling prey to hackers.
1. Take your risk analysis beyond conventional cybercrime
Cybercrime is any crime that involves a computer and network, but beyond that broad definition lurks a host of nasty threat variations. Sony was the target of hacktivism, which, as you might rightly assume, is a hacking incident motivated by the activists’ ideals and carried out in an attempt to promote political goals. While the motivation may not match our stereotypical perception of criminal behavior as the pursuit of illegal financial gain, hacktivists are a serious and very real threat agent. Is your organization prepared for these types of threats?
2. Get leadership involved.
Information risk management is not just an IT issue. There is no better time than now to engage your C-Suite. Ask your leadership:
- Is our business (operations, practices, policies) likely to raise the ire of hacktivists?
- Have we had any negative publicity about our business?
- Have we been successfully sued for any patient-related mishap that gained significant press exposure?
If the answer to any of these questions, or similar questions, is yes, then tell your C-Suite that you might have a larger target on your back than your competitor.
3. Take your risk treatment seriously!
If you have identified critical/high risks, evaluate treatment options and apply them as a priority. In particular, pay attention to unpatched systems and intrusion detection systems. The Department of Health and Human Services (HHS), Office for Civil Rights (OCR), levied its first corrective action plan against a covered entity for failing to address ‘basic risks,’ including not updating their IT systems with the most-current patches and running out-of-date, unsupported software. OCR’s newest director, Jocelyn Samuels, is quoted as stating: “Successful HIPAA compliance requires a common sense approach to assessing and addressing the risks to ePHI on a regular basis. This includes reviewing systems for unpatched vulnerabilities and unsupported software that can leave patient information susceptible to malware and other risks.”
4. Have a well-documented and thoroughly tested incident management process.
Be sure that your IT, HR, Legal, Regulatory Affairs and Communications teams know their roles in the event of a breach or security incident. Practice makes perfect!
5. Train your staff. Yes, this means senior staff and your medical staff too!
Security awareness must be ongoing. There is no point in having solid policies and procedures unless your staff is well trained on them. A significant number of security breaches occur each year due to staff not following or complying with documented policies and procedures. This training doesn’t have to be boring! Keep your staff engaged by incorporating recent and interesting stories such as Sony’s to make training more accessible and easier to take in. Change “continuing” education to “continuous education” and view it as one of the most important risk management steps you can take.
6. Review your cyber-liability policy thoroughly!
If you were the subject of a data breach, does your current cyber-liability policy cover the necessary expenses? Times are changing; so should your insurance policy.
We can assist you!
Don’t know where to start? Below are some helpful, no-cost resources from Clearwater Compliance:
- Jumpstart your efforts by attending a Clearwater Information Risk Management BootCamp™.
- Sign up for one of our complimentary best practices webinars with industry experts.
- Subscribe to our newsletter for a robust summary of the latest information risk management news.
Schedule a consultation
If you are concerned about your compliance or Information Risk Management program, contact one of our experts to discuss a custom solution to meet your organization’s needs.