Healthcare requires an all-hands approach to cybersecurity, including the establishment of a data safety culture that permeates an entire organization and its operations. Instituting a cybersecurity program can be challenging as the digital transition in healthcare means more information from across an organization is stored online.
The operational needs of a facility, as well as interoperability regulations, often prioritize speed and accessibility of information over information security. Additionally, many facilities use a common network that integrates multiple aspects of clinical systems, medical systems, business systems, physical security, and building management.
A new Quick Safety advisory from The Joint Commission, “Organization-wide cybersecurity: Creating a culture of defense,” provides safety actions and resources to help healthcare organizations prepare for and repel a cybersecurity event. Building a culture of cybersecurity, or a human firewall, requires shared awareness of cybersecurity threats, including evaluation of the types of threats that exist, and incorporation of preventive strategies at all levels of a healthcare organization. Recommended safety actions in the advisory include:
Leadership’s role in a culture of cybersecurity:
- Create a culture of cybersecurity that is top down.
- Make sensitivity to cybersecurity threats and organizational preparedness part of the way the organization performs its work.
- Build a human firewall by requiring staff awareness of cybersecurity vulnerabilities at all levels of an organization.
Staff education and training:
- Establish training programs for all staff and not just for clinicians. Include frequent refresher courses.
- Periodically evaluate staff to ascertain whether they appropriately respond to “test” cyber challenges.
- Train staff to anticipate non-conventional intrusions.
Emergency management:
- Adopt the preparedness perspective of “when” not “if” a cybersecurity incident will occur.
- Incorporate responses to cybersecurity attacks into an organization’s emergency preparedness plan.
- Communicate necessary reporting and disclosure for any data breach.
IT security team resources:
- Utilize available free resources from reputable sources.
- Invest in security tools and resources when needed.
Several resources from government security agencies and other organizations are included in the advisory—providing an initial checklist to measure cybersecurity preparedness within health care organizations.
The full Quick Safety advisory is available on The Joint Commission website. It may be reproduced if credited to The Joint Commission.