Lee Barrett Outlines Best Practices for Healthcare Cybersecurity

Data breaches and cyberattacks can have costly and damaging consequences for healthcare organizations, but there are some steps that can be taken to mitigate the risk and impact of these incidents, explained Lee Barrett, executive director of the Electronic Healthcare Network Accreditation Commission.
Transcript (slightly modified)
What are some best practices that healthcare organizations and practices should implement to protect themselves?
For one, make sure that they’ve got the appropriate people in place as far as the privacy and security individuals. Two, what they need to do is to ensure they’ve got the rigor in their organizations to be putting together a very comprehensive risk management and what I would call preparedness plan in the event of a breach, an incident, cyberattack, or ransomware attack.
Third, what they have to do is at least an annual risk assessment, if not ongoing, to be able to go through and ensure that any risks, any vulnerabilities, and, as they’re continuing to expand services, those services are properly evaluated as far as any risks, gaps, or threats there.
The other aspect that they need to take on is training: make sure that the staff, all the vendors that they’re working with, have appropriate training and have appropriate controls in place on how they’re going to work with them.
Lastly, I would tell you that the other thing that we tell organizations to do as far as third-party entities is to go through some type of third-party review, certification, or accreditation of those entities, either mandated contractually or in some other way, again as part of their risk management strategy to reduce the amount of risk that an organization may have that one of their partners may in fact have a breach on their behalf.
Because, at the end of the day, if that entity has a breach, an incident, or an attack, it reflects on that organization and the cost to that organization, that ACO, is going to be extremely high. It’s going to hit them in relation to not only cost from a revenue perspective, but credibility. So, the answer is that organizations need to take it very seriously and put together that risk mitigation, the preparedness plan, and put together some of the best practices that I’ve talked about.
