10 Steps to Prepare for & Mitigate Cyber Attacks in Healthcare Industries

November 29, 2016 | Views: 5387


Hi Everyone,

I created an infographic on mitigating cyber attacks in the healthcare industry, but I realized it would be easier to use if I also provided a text version that is easy to copy and paste from. So here it is.


Recent cyber attacks targeting healthcare organizations should not be ignored. Cyber security matters as much in healthcare as it does in the banking industry or in governmental institutions, so this post walks through ten simple guidelines for protecting a healthcare business and mitigating attacks against it.

1- Management support

Getting management support, and convincing them of the necessity of allocating the required resources to establish an information security program, is the most important step. It commits the organization's management to funding the program with the budget and resources the security team needs in order to execute it.

2- Asset Identification

Every resource that handles or stores information is an asset: computers, servers, medical devices (including portable ones), and every other unit that has financial value. This step also includes the identification and classification of data. Several classification schemes are available, for example the military-style scheme (top secret, secret, confidential, unclassified); what matters is that every PHI store ends up labelled with a level that dictates how it must be handled.

3-Enforce Security policies

This includes the principle of least privilege, need-to-know, separation of duties, and due care and due diligence. Security policies must be backed by procedures that explain clearly how to follow them.

4-Encrypt and Backup PHI

Implement disk encryption on every computer that stores or transmits PHI, whether the computer is attached to a medical device or processes PHI in another medical unit. Backups are a must, and the backup copies must be encrypted as well. On the practical side: for data at rest, AES is a good choice, preferably in an authenticated mode such as AES-GCM so that tampering with a backup is detected rather than silently restored; for data in transit, TLS (the successor to SSL, which should no longer be used) or IPsec tunnels are the usual options. Keep the encryption keys separate from the backup media, and test restores periodically: an encrypted backup whose key is lost, or that has never been restored successfully, is not a backup.
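The following is an added example (not part of the original post or its infographic) showing what "encrypt the backup copies" looks like in practice with AES-256-GCM, using only Go's standard library. The key, the backup label and the PHI record are constructed for the example and labelled as such in the code; the function names are my own. The point the paragraph alone does not show is the integrity side: a tampered backup is rejected outright instead of being restored as garbage, and the same check doubles as the periodic restore test.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Constructed 256-bit key for the example only (hypothetical). A real backup
// key comes from a key management service or an HSM and is stored away from
// the backup media, so that losing a disk does not also hand over the key.
var BackupKey = []byte("0123456789abcdef0123456789abcdef")

// EncryptBackup seals a PHI backup with AES-256-GCM. The label (for example
// the backup set name and date) is bound to the ciphertext as additional
// authenticated data: it is not encrypted, but any change to it, to the
// ciphertext or to the tag makes decryption fail. Layout: nonce || ct || tag.
func EncryptBackup(key, plaintext, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // key length selects AES-128/192/256
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random 96-bit nonce per backup. Reusing a nonce under the same
	// key breaks GCM's confidentiality and authenticity, so never hard-code it.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// DecryptBackup reverses EncryptBackup. It returns an error, and no plaintext,
// if the key or label is wrong or the data was modified in storage.
func DecryptBackup(key, sealed, label []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed backup is too short to be valid")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// RestoreCheck is the periodic restore test: it proves the backup can still
// be decrypted with the key we hold and was not altered. It returns true only
// when the decrypted content matches what was backed up.
func RestoreCheck(key, sealed, label, expected []byte) bool {
	got, err := DecryptBackup(key, sealed, label)
	return err == nil && string(got) == string(expected)
}

func main() {
	// Constructed sample record; not real patient data.
	phi := []byte("MRN 000123 | Doe, Jane | 1975-04-02 | HbA1c 7.2%")
	label := []byte("ehr-backup-2016-11-29")

	sealed, err := EncryptBackup(BackupKey, phi, label)
	if err != nil {
		panic(err)
	}
	fmt.Println("restore check on intact backup:", RestoreCheck(BackupKey, sealed, label, phi))

	// Flip one byte on the backup disk: GCM rejects it instead of restoring garbage.
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01
	fmt.Println("restore check on tampered backup:", RestoreCheck(BackupKey, tampered, label, phi))
}
```

Full-disk encryption on the workstation protects a lost laptop; it does nothing for a backup copied onto a USB disk or shipped to a vendor, which is why the backup artifact itself is sealed here. Binding the backup label as additional authenticated data also stops an old or foreign backup from being swapped in under a different name without the check failing.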

5-Use Firewalls

Firewalls are the first line of defense for any type of organization. Whether to add an intrusion prevention system, host based or network based, depends on the company's size and budget. The most notable point here is to configure the firewall to operate in stateful mode: return traffic is admitted only for connections the firewall has already seen and is tracking (established or related state), and everything else is dropped by default.

6-Security Software

Install endpoint security software, server based or end-user based, especially on hosts that store or transmit PHI or that run medical devices' software.

7-Regulatory Compliance

Ensure compliance with the applicable legal regulations as well as with security frameworks, for example HIPAA, ISO 27001, COBIT, NIST, and PCI DSS. When it comes to HIPAA, notifying patients (or customers) of the purpose for which each piece of their information is collected is a mandatory procedure.

8-Periodic Risk assessment

Identify the prospective threats, vulnerabilities and exploits, then determine the likelihood and impact of each and the available remedies; these are the major components. Accept residual risk only after careful assessment against your budget. Include both threats in the IT environment and natural threats such as floods, hurricanes, fire and tsunamis.

9-BYOD Management

Many major security breaches occur as a result of a mobile device being compromised. Employees' mobile devices must not be connected to the network infrastructure except under strictly controlled conditions.

10-Security Training

Security awareness training is a must for all health departments, especially those responsible for financial transactions and PHI processing. Quizzes, questionnaires and presentations are the usual choices. Humans are the weakest link in any organization; investing the time and resources to train them is a substantial part of the program.


Again, these are streamlined guidelines that can help security professionals orchestrate their own detailed, carefully crafted plan.

  1. All good things, but all obvious too, and nothing more than surface information. But when you don't spell HIPAA correctly the credibility of the article goes out the window.

    • That's correct, and thanks for notifying me about "HIPAA". I always make this mistake between HIPAA and HCISPP (Healthcare certified Information security and privacy practitioner); I use those two acronyms a lot in my writings.

  2. This should be common sense, but since it isn't, great article and information, Motasem. I would add one bit of info, and that would be penetration testing. Conducting a penetration test would reveal much information about the health agency's network and security footing, and provide much needed updates to their security standing.

