It can be argued that the health insurance business is the most important business you deal with in your life, because insurers have and know everything about you: they hold your financial information and your health information, and when examined they really are not that secure. For example, your health insurance card does not have your photo on it, and the information the doctor's office or hospital asks for when you use your card is basic and easily
As for hospitals, they are very information-intensive businesses, that information has to be digitized to be useful and effective, and by their nature hospitals are pretty much public places. My recommendations would be to:
Determine all the different types of information the
Categorize the importance and sensitivity of the different types of information.
Create different networks based on the sensitivity of the data; the most sensitive data would be on its own network, and that network would be air-gapped.
Encrypt the data
Limit access to the information and to the network to only the people who absolutely need it, and use two-factor authentication.
Install cyber security tools that let me monitor, detect and respond quickly. The goal is for the tool to monitor activity and, if it sees something unusual, set off an alert and take action. Ideally this would all be automated: the more human hands are involved, the weaker you are, because attacks are too many and too sophisticated for humans to deal with, networks are too large, companies employ too many people, and there are too many false positives that take time away from people.
I like application whitelisting; however, it is time-consuming to implement and maintain, in addition to being costly.
Not to product pitch, but I like Fidelis Cybersecurity's Elevate platform; however, there is a large learning curve to it, and like most cyber security tools there are multiple sensors/agents you have to install and
I would create a rule/corporate policy that all updates and patches must be applied within a set period after the patch is released, like 48-72 hours, and if that is not met it counts as a job performance strike against the IT/security department/organization.
I would create mandatory classes for employees that educate them on cyber security: the different types of attacks, best practices, what to look out for, and new types of attacks to watch for. They can be as simple as videos that people watch in moments of free time.
Last but not least, I would stress that not everything has to be over the internet or in the cloud.
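To make the "limit access" and "monitor, detect, respond automatically" recommendations above concrete, here is a small worked example. It is added here and is not code from the original post or from any product mentioned in it. It assumes a hypothetical pipe-separated patient-record access audit log (constructed sample lines below), a constructed least-privilege map of which hospital units each account may touch, and two simple rules: an account reading records from a unit it is not authorized for, and an account reading an unusual number of distinct patients in a short window. After a configurable number of alerts the script takes the automated action the post asks for (locking the account) and keeps alerting if that account is still seen afterwards.

```python
"""Toy detection-and-response loop over hospital record-access audit logs.

Added example; the log format, unit map and thresholds are all assumptions
constructed for illustration, not a real EHR or SIEM schema.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Least-privilege map (constructed): patient units each account may access.
ALLOWED_UNITS = {
    "nurse_a": {"ICU"},
    "clerk_b": {"BILLING"},
    "dr_c": {"ICU", "ER"},
}

BULK_WINDOW = timedelta(minutes=10)  # look-back window for the bulk-read rule
BULK_THRESHOLD = 5                   # distinct patients per window before alerting
DISABLE_AFTER = 3                    # alerts on one account before it is locked

# Constructed sample audit log, hypothetical format:
# timestamp|user|patient_id|patient_unit|action
SAMPLE_LOG = """\
2024-03-01T02:10:00|clerk_b|P1001|ICU|read
2024-03-01T02:10:30|clerk_b|P1002|ICU|read
2024-03-01T02:11:00|clerk_b|P1003|ICU|read
2024-03-01T02:11:30|clerk_b|P1004|ICU|read
2024-03-01T09:00:00|nurse_a|P1001|ICU|read
2024-03-01T09:05:00|nurse_a|P1002|ICU|read
2024-03-01T09:06:00|clerk_b|P2001|BILLING|read
2024-03-01T10:00:00|dr_c|P3001|ER|read
2024-03-01T10:00:20|dr_c|P3002|ER|read
2024-03-01T10:00:40|dr_c|P3003|ER|read
2024-03-01T10:01:00|dr_c|P3004|ER|read
2024-03-01T10:01:20|dr_c|P3005|ER|read
2024-03-01T10:01:40|dr_c|P3006|ER|read
"""


def parse_line(line):
    """Split one audit line into a dict; timestamps are ISO-8601."""
    ts, user, patient, unit, action = line.split("|")
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "patient": patient, "unit": unit, "action": action}


def detect_and_respond(log_text, allowed_units=ALLOWED_UNITS):
    """Return (alerts, disabled_accounts) after replaying the log in order."""
    alerts = []
    disabled = set()
    recent = defaultdict(deque)      # user -> (timestamp, patient) within window
    alert_count = defaultdict(int)

    def raise_alert(ev, rule):
        alerts.append({"ts": ev["ts"].isoformat(), "user": ev["user"],
                       "rule": rule, "patient": ev["patient"]})
        alert_count[ev["user"]] += 1
        # Automated response: lock the account once it crosses the threshold.
        if alert_count[ev["user"]] >= DISABLE_AFTER:
            disabled.add(ev["user"])

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        user = ev["user"]
        # A locked account should not be producing events at all; if it is,
        # the response did not take effect and that is itself an alert.
        if user in disabled:
            raise_alert(ev, "activity_after_disable")
            continue
        # Rule 1 (least privilege): unit outside the account's allowed set.
        if ev["unit"] not in allowed_units.get(user, set()):
            raise_alert(ev, "out_of_scope_unit")
        # Rule 2 (bulk read): too many distinct patients inside the window.
        q = recent[user]
        q.append((ev["ts"], ev["patient"]))
        while q and ev["ts"] - q[0][0] > BULK_WINDOW:
            q.popleft()
        if len({p for _, p in q}) > BULK_THRESHOLD:
            raise_alert(ev, "bulk_access")
    return alerts, sorted(disabled)


if __name__ == "__main__":
    found, locked = detect_and_respond(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']} {a['rule']:<24} user={a['user']} patient={a['patient']}")
    print("locked accounts:", locked)
```

On the constructed sample, clerk_b trips the least-privilege rule three times reading ICU records at 2 a.m., is locked, and its later events are reported as activity after disable; dr_c reads six ER patients in under two minutes and gets a single bulk-access alert for a human to review, but is not locked, which is the kind of tuning that keeps the false-positive load the post complains about manageable.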