Healthcare has been one of the sectors most targeted by attackers in recent years. Many hospitals and clinics have suffered attacks that could have been prevented with the necessary resources and knowledge. Many medical centers and their staff have now been assessed, and their knowledge of how to secure digitally stored information and protect the technology assets they use is significantly low, which raises a big question about the work being done to prepare these facilities for cyber-attacks that may occur without warning.
Cybersecurity training for healthcare stakeholders is not just a suggestion; it is a necessity, and it should be treated as a warning and a call for preparedness. All hospitals and the members of their respective departments should be involved in such training, especially given the type of information they handle about their patients. Added to this is the presence of electronic devices and equipment with limited access to functions, such as air conditioners, pulse monitoring equipment, smart elevators, EKG, ventilators… This type of equipment must be properly monitored to protect it from any malfunction that could jeopardize the health and physical well-being of anyone inside the facility.
Some points to consider when training healthcare staff in cybersecurity are the following:
- Knowing the most common threats and attacks in the Healthcare area: To better understand what kinds of cyber-attacks can take place in a Medical Center, staff need to be aware of the position and importance of the work they perform and how it can be exploited by attackers. Creating awareness of the situations and tools that can be used with bad intentions to gain access or provoke a cybersecurity incident is therefore imperative.
- Learn about basic security controls: Once staff are aware of current threats and attack scenarios, it is crucial to show them the best techniques and practices for preventing these situations in the future, and thus reduce errors caused by lack of awareness and knowledge in the world of cybersecurity. This ranges from basic information, such as password protection or not leaving personal equipment within reach of others without access protection, to the selection of personnel responsible for the maintenance of medical equipment and the use of programs for the protection of digital devices.
- Creation of a C-Suite: Currently, most companies and large organizations require a Chief Information Security Officer (CISO) to evaluate the existing cybersecurity program. The same has been applied in several healthcare organizations, which have prepared a hierarchy composed of members with the necessary knowledge to make the right decisions regarding the organization's digital environment.
Taken as a basis, these points can be extended to other aspects to be considered for the protection of assets in healthcare and the care of staff, patients, and all registered device information, allowing the training to evolve toward a secure development environment with properly prepared staff.