The ten good practices for making the health sector more resilient to cyberattacks.
1. Involve the IT department in procurement
It sounds simple, but involving the IT department in procurement from the very start ensures that cybersecurity is considered at every step of the technology procurement journey, as recommendations can be made as to how new technology fits in with the existing network and what additional security measures might be needed.
2. Implement a vulnerability identification and management process
It's an imperfect world and there are products out there which contain vulnerabilities, known or as yet undiscovered. Having a strategy in place to manage vulnerabilities throughout the entire lifecycle of a device can help the security team keep control of potential security worries.
3. Develop a policy for hardware and software updates
Security researchers often uncover new vulnerabilities in devices and operating systems. However, medical networks have historically been poor at ensuring patches are applied – and this was one of the reasons WannaCry ransomware impacted the NHS so badly. The paper recommends IT departments determine the most suitable timing to apply the patches in every segment of the network, as well as determine workarounds for machines that can't be patched, such as cybersecurity threat intelligence.
4. Enhance security controls for wireless communication
Access to hospital networks should be limited with tight controls, meaning that the number of devices connected should be monitored and known, so as to identify any unexpected or unwanted devices attempting to gain access. The paper recommends that non-authorised personnel shouldn't have access to the Wi-Fi and that network passwords should be strong.
5. Establish testing policies
Hospitals acquiring new computing products should establish a minimum set of security tests to be performed on new devices added to the networks – including penetration testing once they're added to the network, to take into account how hackers could attempt to abuse them.
6. Establish business continuity plans
Business continuity plans should be established whenever the failure of a system may disrupt the hospital's core services – which in this instance is patient care – and the role of the supplier in such cases must be well-defined.
7. Take into account interoperability issues
The ability of machines to transfer information and data is key to hospitals being able to operate properly – but this could be compromised in the event of a cyberattack or downtime. The hospital should have backup plans should this operation be compromised.
8. Enable testing of all components
Systems should be regularly tested to ensure they're offering good security, combining ease of use with security – for example, the IT department should ensure that users haven't changed complex passwords to simpler ones. All of this should be examined during testing.
9. Allow auditing and logging
Keeping logs about testing and activity on the network ensures that, in the event of a compromise, it's easier to trace what happened and how attackers got access to the system, as well as evaluating what information has been compromised. "Keeping the logs secure is one of the most important tasks of security," says the paper.
10. Encrypt sensitive personal data at rest and in transit
To ensure compliance with the General Data Protection Regulation, and to ensure the safety of both patients and staff, sensitive information should be encrypted, so that if outsiders do get access to the systems, it's likely to be useless to them.