
Article 3 in our series on CARF accreditation
Cybersecurity insights for CARF-accredited healthcare practice leaders
Cybersecurity threats are escalating in healthcare, and the challenge faced by CARF-accredited healthcare organizations cannot be overstated. Organizations must be prepared to defend against a wide spectrum of threats, from opportunistic, low-sophistication attacks to highly coordinated, persistent campaigns by skilled adversaries with considerable time and funding. Moreover, defenders must maintain robust security at all times, whereas attackers need only succeed once to cause significant damage.
Gone are the days when security was the exclusive domain of the IT team. Although healthcare organization management need not and should not configure firewalls or patch servers, they must at least be familiar with the key security concepts that, when applied, help prevent cyber-attacks and limit the damage when one succeeds.
Cybersecurity is a vast and intricate domain that can seem overwhelming in its complexity and constant change. However, grasping a handful of key principles empowers healthcare leaders to make informed contributions to their organizations’ cyber defenses: making better strategic decisions, allocating resources effectively, and fostering a culture of security awareness throughout their institutions.
Key cybersecurity principles
Universal Vulnerability: No organization, regardless of size or industry, is immune to cyber threats. Even small entities are targeted for their data (patient records have lasting value to criminals), their computing resources, or their trusted access to larger partner networks.
Anomaly Detection: Implement mechanisms that identify and alert on unexpected behaviors or conditions, such as logins at unusual hours or from unusual locations, large data transfers, or new administrative accounts, so that potential security incidents and system malfunctions can be investigated quickly.
Reduce Complexity: Every technology carries some cyber risk that cannot be fully controlled, measured, or predicted, and each new system, vendor, or integration adds to the attack surface. Consider the impact on your accumulated risk before each new technology acquisition, and retire what is no longer needed.
Continuous Improvement: Threat actors continually refine their tools and techniques. Regularly assess, update, and enhance security measures to address evolving threats, technological advancements, and changes in your own infrastructure.
Defense in Depth: Implement multiple, diverse, and redundant security controls at different layers of the system architecture to create a comprehensive and resilient defense strategy.
Domain Separation: Establish clear boundaries between different security domains, either logically or physically, to contain potential security breaches and limit their impact on the overall system.
Security-Usability Balance: Recognize that necessary security measures may impact user convenience. Strive to implement robust security while minimizing disruption to user experience.
Commensurate Protection: The strength and type of protection applied to a system should be proportionate to the likelihood and impact of a cyber attack or other technology interruption or loss; systems holding patient data or supporting patient care warrant stronger controls than those that do not.
Redundancy: Incorporate backup components, systems, or processes to ensure continued operation and data integrity in the event of failures or attacks on primary systems.
“Least” Principles: Apply the principles of least privilege (users and systems receive only the access their role requires), least functionality (unneeded services and features are disabled), least sharing (resources are shared only where necessary), and least persistence (data and access rights are retained no longer than needed) to minimize attack surface and reduce the potential impact of a compromise.
Mediated Access: Control and monitor all access to system resources and functions through well-defined interfaces, ensuring proper authorization and preventing unauthorized use.
Selecting the right cybersecurity vendor for your healthcare organization is a critical decision. By focusing on healthcare experience, comprehensive security solutions, staff training, and reputation, you can improve the likelihood that your data and systems are well protected from cyber threats; no vendor can guarantee it, so the principles above should guide how you evaluate what a vendor delivers.
Questions? Keiter’s Cybersecurity team can provide value-added insights for your CARF-accredited healthcare practice. Contact us. Email or Call: 804.747.0000
The information contained within this article is provided for informational purposes only and is current as of the date published. Online readers are advised not to act upon this information without seeking the service of a professional accountant, as this article is not a substitute for obtaining accounting, tax, or financial advice from a professional accountant.