It can be argued the Health Insurance Business is the most important business you deal with in your life, because they have everything and know everything about you; they have your financial information and your health information, and when examined they really are not that secure. For example, your health insurance card does not have your photo on it, and the information asked for by the doctor's office or hospital when you use your card is basic and easily obtainable.

As for within hospitals, they are very information-intensive businesses, and that information has to be digitized to be useful and effective, and by the nature of a hospital they are pretty much public places, so my recommendation would be to:

1. Determine all the different types of information the hospital has.
2. Categorize the importance and sensitivity of the different types of information.
3. Create different networks based on the sensitivity of the data; the most secure data would be on its own network and would be air gapped.
4. Encrypt the data.
5. Limit access to the information and network to only the absolutely necessary people, and use two-factor authentication.
6. Install cyber security tools that allow me to monitor, detect and respond quickly. The goal is for the tool to be able to monitor activity; if it sees something unusual, it sets off an alert and takes action. Ideally this would be all automated; the more human hands are involved, the weaker you are, because attacks are too many and too sophisticated to deal with by humans. Networks are too large, companies employ too many people, and there are too many false positives that take time away from people.
7. I like whitelisting applications; however, they are time consuming to implement and maintain, in addition to being costly.
8. Not to product pitch, but I like Fidelis Cybersecurity's Elevate platform; however, there is a large learning curve to it, and like most cyber security tools there are multiple sensors/agents you have to install and manage.
9. I would create a rule/corporate policy that all updates and patches need to be made within a certain period of time after patch release, like 48-72 hours, and if that is not met it is a job performance strike against the IT/Security department/organization.
10. I would create classes for employees to take mandatorily that would educate them on cyber security, different types of attacks, best practices, what to look out for, and new types of attacks to look out for. They can be as simple as videos that people watch in moments of free time or at lunch.
11. Last but not least, I would stress that not everything has to be over the internet or in the cloud.
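As an added example (not from the original post), here is one way to measure item 9's 48-72 hour patch window against an asset inventory and attribute misses to the owning department; the host names, departments and timestamps are constructed for illustration:

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# SLA windows taken from the post: patches applied within 48-72 hours of release.
SLA_TARGET = timedelta(hours=48)      # the "good" side of the window
SLA_HARD_LIMIT = timedelta(hours=72)  # beyond this the policy counts a miss

@dataclass
class PatchRecord:
    host: str
    department: str                  # owning team, used to attribute misses
    released_at: datetime            # when the vendor published the patch
    applied_at: Optional[datetime]   # None if the host is still unpatched

def classify(rec: PatchRecord, now: datetime) -> str:
    """Return 'within_target', 'within_limit' or 'overdue' for one host.
    Unpatched hosts are measured against `now`, so they become overdue
    automatically once the 72-hour limit passes."""
    end = rec.applied_at if rec.applied_at is not None else now
    elapsed = end - rec.released_at
    if rec.applied_at is not None and elapsed <= SLA_TARGET:
        return "within_target"
    if elapsed <= SLA_HARD_LIMIT:
        return "within_limit"   # applied late but inside 72h, or still pending
    return "overdue"

def sla_report(records, now: datetime) -> dict:
    """Per-department counts of each state plus the list of overdue hosts."""
    report = {}
    for rec in records:
        dept = report.setdefault(rec.department, {
            "within_target": 0, "within_limit": 0, "overdue": 0, "overdue_hosts": []})
        state = classify(rec, now)
        dept[state] += 1
        if state == "overdue":
            dept["overdue_hosts"].append(rec.host)
    return report

# Constructed sample inventory (hypothetical hosts and timestamps).
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE = [
    PatchRecord("ehr-db-01", "Clinical IT", T0, T0 + timedelta(hours=20)),
    PatchRecord("billing-app-02", "Finance IT", T0, T0 + timedelta(hours=60)),
    PatchRecord("radiology-ws-07", "Clinical IT", T0, None),  # still unpatched
    PatchRecord("kiosk-lobby-03", "Facilities", T0, T0 + timedelta(hours=100)),
]

if __name__ == "__main__":
    for dept, counts in sla_report(SAMPLE, T0 + timedelta(hours=96)).items():
        print(dept, counts)
```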