nicate to your team that passwords must be complex, and when they are changed, they should be completely different from their predecessors. Force this as a best practice through group policy. A group policy provides the centralized management and configuration of operating systems, applications and users' settings in an Active Directory environment. To avoid end user push back, consider providing enhanced authentication tools to make the end user experience better and more effective and to get better compliance. It is a relatively small investment with a big payoff.
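The two rules in this point (complexity, and a replacement that is not a minor variation of the old password) are what a password-change check has to test. The following is an added example, not code from the article or from ICE Technologies, showing that logic in plain Python; the thresholds (12 characters, three character classes, a 0.5 similarity ratio, five remembered passwords) are constructed assumptions, and the hashing of remembered passwords uses PBKDF2 only to illustrate that history should never be stored in clear text.

```python
import hashlib
import hmac
import os
import re
from difflib import SequenceMatcher

# Constructed policy thresholds; an organization sets its own values in group policy.
MIN_LENGTH = 12
MIN_CLASSES = 3        # of: lowercase, uppercase, digit, symbol
MAX_SIMILARITY = 0.5   # ratio above which the new password is "too close" to the old one
HISTORY_DEPTH = 5      # how many previous password hashes are remembered


def hash_password(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-SHA256 digest used to remember previous passwords without storing them."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


def remember(pw: str) -> tuple[bytes, bytes]:
    """Create a (salt, digest) history entry for a password that has just been set."""
    salt = os.urandom(16)
    return salt, hash_password(pw, salt)


def character_classes(pw: str) -> int:
    patterns = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
    return sum(1 for p in patterns if re.search(p, pw))


def is_complex(pw: str) -> bool:
    return len(pw) >= MIN_LENGTH and character_classes(pw) >= MIN_CLASSES


def similarity(a: str, b: str) -> float:
    # Case-insensitive so that "Summer2016!" vs "summer2017!" is still caught.
    return SequenceMatcher(None, a.lower(), b.lower(), autojunk=False).ratio()


def evaluate_change(new_pw: str, current_pw: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the policy violations for a proposed change; an empty list means it is accepted.

    At change time the user supplies the current password in clear, so similarity can be
    measured against it; older passwords exist only as salted hashes, so they can be
    checked for exact reuse but not for similarity.
    """
    problems = []
    if not is_complex(new_pw):
        problems.append("does not meet complexity (length or character classes)")
    if new_pw.lower() == current_pw.lower():
        problems.append("reuses the current password")
    elif similarity(new_pw, current_pw) > MAX_SIMILARITY:
        problems.append("too similar to the current password")
    for salt, digest in history[-HISTORY_DEPTH:]:
        if hmac.compare_digest(hash_password(new_pw, salt), digest):
            problems.append("reuses a remembered previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed sample: a user tries to roll last year's password forward by one digit.
    print(evaluate_change("Summer2017!x", "Summer2016!x", []))
    print(evaluate_change("Tr0ub4dor&Correct", "Summer2016!x", []))
```

The similarity ratio comes from `difflib.SequenceMatcher`, so "Summer2016!x" to "Summer2017!x" scores above 0.9 and is rejected, while a genuinely new password scores well under the 0.5 threshold.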
7. Adopt two-factor authentication. In some cases, one password is not good enough. For increased IT security, many organizations implement two-factor authentication programs. Even if your passwords were easily hacked, the hacker would not have access to your second form of identification, like a biometrics scan, badge or keycard. You would still be protected. If you do this right, your end users should see this as you looking out for their best interest and providing tools to improve their productivity. Some states already require two-factor authentication for things like narcotic dosing, and it might not be long before it is a requirement in any clinical setting, so why not prepare now? The enhanced authentication tools referenced in point 4 are a way to ensure end user compliance.
8. Monitor the cloud. When used and monitored correctly, the cloud has the potential to increase your ASC's security. It also could increase your vulnerability, however, as it adds more layers of IT systems that need protection. One key to cloud protection is choosing a secure, private cloud partner.
9. Protect mobile devices because they are in hands at all times and are a critical security concern. What people can and cannot put on their phones should be restricted, and security measures should be in place to keep mobile devices from becoming breaches. Your organization must have the ability to shut down a mobile device if a breach is detected.
10. Create a security budget. Health care has spent an average of 3 percent of its IT budget on cybersecurity, according to Modern Healthcare's 26th annual survey of executive opinions on key information technology issues. Compare that to the banking industry, which has long spent 7–9 percent of its IT budget on cyber security. More of your IT budget needs to be allocated for cyber security purposes. You simply cannot cut corners and effectively protect yourself.
11. Create a crisis communication plan. If, and likely when, you face a security breach in your ASC, you must also have a strong communication plan in place to address it. Develop an understandable, repeatable plan that your entire staff can follow. You should have a chain of breach notification, reaching from your ASC's IT team to your leadership team to your legal team and all the way up to your governing body. Most organizations today invest in IT cybersecurity insurance. Those insurers can be a great asset for plan development at no extra cost by providing guidelines, templates and tools.
20 ASC FOCUS NOVEMBER/DECEMBER 2016
12. Have a backup/archive plan in place to ensure that your data can be successfully and reliably restored. Recovery from backup is still the safest and most reliable resolution path for a ransomware attack. After the ransomware event happens is not the time to validate the quality of your backups. So audit your backup and recovery solutions now against best practices and then develop a disciplined and proactive test recovery process. It is not enough to just back up and replicate data. You must consider archiving as part of your total strategy. Here is a glimpse into our archive/retention policy:
a) Daily removable media kept off-site utilizing a two-week rotation.
b) Weekly removable media kept off-site utilizing a four-week rotation.
c) Monthly removable media kept off-site utilizing a 12-month rotation.
d) Yearly removable media kept off-site for multiple years.
e) Removable media is in a secure off-site location, at a distance that mitigates impact from a single event. Be sure the off-site location allows emergency, off-hours access that meets recovery time objectives.
f) Simple file recovery tests are performed monthly, utilizing recovery test files to validate different segments of the backup each month.
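The retention schedule in a) through d) and the rotating monthly recovery test in f) are mechanical enough to script. The following is an added example, not the author's or ICE Technologies' own tooling, that models that schedule in Python: which tier a backup set belongs to (constructed rule: January 1 is yearly, the first of a month is monthly, a Sunday is weekly, anything else is daily), whether a set is still inside its retention window, and which slice of the backed-up files the recovery test for a given month should restore. The article does not say how many years the yearly media are kept, so `YEARLY_YEARS = 7` is an assumption.

```python
from datetime import date, timedelta

# Retention windows taken from the article's schedule (a-c); yearly count is an assumption (d).
RETENTION = {
    "daily": timedelta(weeks=2),
    "weekly": timedelta(weeks=4),
    "monthly": timedelta(days=365),   # 12-month rotation approximated as 365 days
}
YEARLY_YEARS = 7                      # assumption: "multiple years" is not quantified in the article


def tier_for(backup_day: date) -> str:
    """Assign a backup set to the highest tier it qualifies for (constructed rule)."""
    if backup_day.month == 1 and backup_day.day == 1:
        return "yearly"
    if backup_day.day == 1:
        return "monthly"
    if backup_day.weekday() == 6:     # Sunday
        return "weekly"
    return "daily"


def should_retain(backup_day: date, today: date) -> bool:
    """True while the set is still inside its tier's rotation window."""
    tier = tier_for(backup_day)
    if tier == "yearly":
        return backup_day.year > today.year - YEARLY_YEARS
    return today - backup_day <= RETENTION[tier]


def media_to_recycle(backups: list[date], today: date) -> list[date]:
    """Sets that have aged out and whose media can go back into rotation."""
    return sorted(b for b in backups if not should_retain(b, today))


def files_for_recovery_test(files: list[str], test_month: int, segments: int = 12) -> list[str]:
    """Pick the slice of the backup to restore this month, so that twelve monthly tests
    together touch every file exactly once (the rotating segments of point f)."""
    ordered = sorted(files)
    start = (test_month - 1) % segments
    return ordered[start::segments]


if __name__ == "__main__":
    # Constructed sample inventory of off-site media, checked on a weekday in late November 2016.
    today = date(2016, 11, 30)
    inventory = [date(2016, 11, 29), date(2016, 11, 15), date(2016, 11, 20),
                 date(2016, 11, 1), date(2016, 10, 23), date(2016, 1, 1)]
    print("recycle:", media_to_recycle(inventory, today))
    sample_files = [f"file{i:02d}" for i in range(1, 25)]   # constructed file names
    print("restore this month:", files_for_recovery_test(sample_files, today.month))
```

In the sample run the 15 November daily set (older than two weeks) and the 23 October weekly set (older than four weeks) are flagged for recycling, while the 1 November monthly set and the 1 January yearly set are kept; the November test restores files 11 and 23 of the 24-file sample.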
Securing your health care organization's IT systems does not begin and end with your IT team. This is a threat that affects every user at every endpoint, and your entire organization needs to be on board, working to keep your systems secure.
A culture of security awareness should be created through education, planning, monitoring and communication. It is always better to be safe than sorry when it comes to IT security.
Jim Tufts is the leader of the Leadership Solutions Team at ICE Technologies Inc. in Pella, Iowa. Write him at Jtufts@icetechnologies.com