Too many small hospitals and small or mid-sized physician practices believe defending against cyber attacks is pointless and they’re just hoping to be saved by being obscure.

That’s a risky approach, because hackers are not just looking for big targets; rather, they’re setting their sights on easy targets.

Banking on obscurity “is something that’s not going to happen,” says Chase Cunningham, director of cyber threat research and innovation at Armor Defense, which sells a healthcare secure cloud platform.

Small physician practices are at risk for other reasons, Cunningham says. Physicians have other things to worry about, particularly treating patients, and while they likely are aware of HIPAA, many aren’t aware of the severity of current cyber threats.

For smaller healthcare organizations that fear a cyber attack but can’t afford to defend against it, there are free open source tools, such as Alien Vault, which monitors networks, as well as basic encryption tools that don’t take a lot of time and expertise to implement.

Having a guest wireless network that is separate from the corporate network, and using two-factor authentication to access information systems, also offers additional protection, Cunningham advises. Two cyber security guides from the National Institute of Standards and Technology—800-53 and 800-71—also can help an organization make improvements in security practices, and they’re aimed at smaller organizations.

Those organizations that are using open source security tools and complying with NIST guidelines to the best of their ability will be “light-years ahead” in being better protected, according to Cunningham.


Outsourcing the hosting of information systems to a cloud vendor or contracting with a local security firm may be a cost-effective alternative, but there are some core questions to ask, particularly the type of talent on staff, Cunningham says.

A company that employs staff with military intelligence experience is optimal. Ask if the company offers a suite of services or only certain parts, such as security threat management, vulnerability testing, encryption, asset identification and migration practices.

IT executives should do some research on the Internet to learn about best-of-breed technologies and assess if the company has a best-of-breed suite or a product cobbled together with inferior tools. A small organization also should ask about the frequency of employee training, which should be almost constant, and what the turnover rate is.

If employees believe the company is making a difference, they will stay; otherwise, they are out the door in 90 days, Cunningham notes. Searches on LinkedIn can help you find out how long employees have been at the company, or if they have left, how long they were there.

Above all, small organizations should watch out for companies with bombastic claims and without a lot of human talent, Cunningham warns. “If they tell you they can do everything with technology, they’re lying.”

(This article appears courtesy of our sister publication, Health Data Management)
