“Every hospital C-Suite executive needs to support a good cybersecurity program, which includes training clinical staff on the basics,” said Mark Jarrett, Chairman of the Healthcare and Public Health Sector Coordinating Council (HSCC). Dr. Jarrett, who is also the former Chief Quality Officer and Deputy Chief Medical Officer for Northwell Health, added, “I would advise every hospital system in the country to consider using ‘Cybersecurity for the Clinician’ in their learning management systems.”
“Cybersecurity for the Clinician” Video Training Series
Introduction
The “Cybersecurity for the Clinician” video training series, totaling 47 minutes across eight videos, explains in easy, non-technical language what clinicians and students in the medical profession need to understand about how cyber attacks can affect clinical operations and patient safety, and how to do their part to help keep healthcare data, systems and patients safe from cyber threats.
The series is good for one CME/CEU credit hour. Using these training videos also may satisfy documentation requirements of the CMS Emergency Preparedness Rule, the National Fire Protection Association and The Joint Commission for facility Hazard Vulnerability Analysis and Risk Analysis and Training.
About this Video Series on YouTube
For an introduction to this series, please see this video promotion: https://www.youtube.com/watch?
Video Series Available at:
https://healthsectorcouncil.org/cyberclinicianvideos/
“For smaller-sized organizations it’s quite normal to believe you will not be targeted or the victim of any cyberattacks. After all, why would a cyber criminal care about your local business? The truth of the matter is most cyberattacks are ‘opportunistic’; this means the criminals cast a wide net when they are looking for victims. Think of seafaring fishermen. The methodologies they use involve scouring the seas, casting their nets, and pulling in the fish that are caught.”
The 405(d) Aligning Health Care Industry Security Practices initiative, along with the Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP) publication to which these videos are related, are in partnership with the Healthcare & Public Health Sector Coordinating Council (HSCC).
Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations
#1 – Introduction and Email Protection Systems
Most small practices leverage outsourced third-party e-mail providers, rather than establishing a dedicated internal e-mail infrastructure. The e-mail protection practices in this section are presented in three parts:
1. E-mail system configuration: the components and capabilities that should be included within your e-mail system
2. Education: how to increase staff understanding and awareness of ways to protect your organization against e-mail–based cyberattacks such as phishing and ransomware
3. Phishing simulations: ways to provide staff with training on and awareness of phishing e-mails
#2 – Endpoint Protection Systems
A small organization’s endpoints must all be protected. But what are endpoints? And what can a small healthcare organization do to protect its endpoints?
David Willis, MD and Kendra Siler, PhD with the Population Health Information Analysis and Sharing Organization at the Kennedy Space Center are here to discuss what you should be doing to reduce the chances of a cyber attack penetrating your endpoints.
#3 – Access Management
In this section, we will be discussing Cybersecurity Practice Area Number 3 – Access Management for small healthcare organizations.
This discussion will be organized into three sections:
1. What is access management?
2. Why is it important?
3. How can HICP or “hiccup” help improve access management for small healthcare organizations?
#4 – Data Protection and Loss Prevention
The National Institute of Standards and Technology, or NIST for short, defines a data breach as “an incident that involves sensitive, protected, or confidential information being copied, transmitted, viewed, stolen or used by an individual unauthorized to do so.”
Sensitive, protected, or confidential data includes Protected Health Information (PHI), credit card numbers, customer and employee personal information, and your organization’s intellectual property and trade secrets.
#5 – Asset Management
What information technology, or IT, devices do you have in your organization? Do you know how many laptops, mobile devices, and network switches you have in all your locations? Which ones run Windows or Apple’s iOS or one of Android’s several operating systems? If it isn’t attached to a wall or a desk, who is responsible for each device?
#6 – Network Management
Networks provide the connectivity that allows workstations, medical devices, and other applications and infrastructure to communicate. Networks can take the form of wired or wireless connections. Regardless of the form, the same mechanism that fosters communication can be used to launch or propagate a cyber-attack.
Proper cybersecurity hygiene ensures that networks are secure and that all networked devices can access networks safely and securely. Even if network management is provided by a third-party vendor, organizations should understand key aspects of proper network management and ensure that they are included in contracts for these services.
#7 – Vulnerability Management
Vulnerability management is a continuous practice of identifying, classifying, prioritizing, remediating, and mitigating software vulnerabilities. Many information security compliance, audit and risk management frameworks require organizations to maintain a vulnerability management program.
#8 – Incident Response
Incident response is the ability to identify suspicious traffic or cyberattacks on your network, isolate them, and remediate them in order to prevent a data breach, damage, or loss. Typically, incident response is referred to as the standard “blocking and tackling” of information security. Many types of security incidents occur on a regular basis across organizations of all sizes. In fact, most networks are under constant attack from outside entities.
#9 – Medical Device Security
Health care systems use many different devices as part of routine patient treatment. These range from imaging systems to devices that directly connect to the patient for diagnostic or therapeutic purposes. Such devices may have straightforward implementations, such as bedside monitors that monitor vital signs, or they may be more complicated, such as infusion pumps that deliver specialized therapies and require continual drug library updates. These complex and interconnected devices affect patient safety, well-being, and privacy, and they represent potential attack vectors in an organization’s digital footprint. As such, these devices should include security controls in their design and configuration to support being deployed in a secure manner.
#10 – Cybersecurity Policies
Cybersecurity Practice #10: Cybersecurity Policies includes documented best practices specific to the implementation of cybersecurity policies and procedures in your healthcare organization.