1. Get the basics right: keep your cyber security policies and procedures simple and educate your staff
Your cyber security policies and procedures are the documents that detail how you will implement your cyber security strategy at a practical level, and that set out the activities and expectations for your workforce. For busy healthcare employees who are focused on delivering care, policies and procedures that are not easy to consume will simply not be read.
Communicating regularly about policy and procedure updates keeps your workforce engaged and reminds staff of their role in securing the organisation. In an agile workforce environment, consider supplementing your formal policies and procedures with regular updates at team meetings, on electronic dashboards, on posters in staff rooms, or through organisation-wide communication applications.
To inform the development of your policies and procedures, we recommend that you draw on external legislation such as the My Health Records Act and Privacy Act (the My Health Records Rules and Regulation), the Australian Privacy Act 1988, and the Data Privacy Amendment, Notifiable Data Breaches Act 2017.
Legislative documents help you understand government-directed cyber security guidelines, the key focus areas for reporting, and the potential consequences of experiencing a cyber security incident.
2. Have a plan: define, communicate and test your cyber security incident response plan
A cyber security incident response plan contains repeatable procedures that can be actioned in the event of a cyber security incident. At a minimum, your response plan should:
- Include clearly defined communication pathways and responsibilities.
- Detail an incident response team that brings together multiple functions to respond to the incident.
- Include a schedule for regular review and updates to the plan by the incident response team.
- Describe how you will regularly test your cyber incident plan at every level. You can do this by running ‘cyber security simulations’, which allow you to identify gaps in your plan and understand how your healthcare organisation reacts to a cyber threat.
- Detail how it is aligned to the organisation’s wider business continuity plan.
A business continuity plan aims to maintain business functions, or quickly resume them, in the event of a major disruption, whether caused by a fire, flood, cyber attack or terrorist attack. Both plans need to be regularly tested and updated so that they keep pace with an evolving threat landscape.
Figure 2 explains how the cyber incident response plan is developed and applied across four key phases of incident response management:
3. Be vigilant: maintain an effective cyber risk assessment and mitigation process
Risk management plays a big part in cyber security. Being proactive and adopting an effective risk assessment and mitigation approach is crucial for getting ahead of cyber criminals. This means driving a regular cadence of threat detection, analysis and reporting that helps your organisation surface trends and identify vulnerabilities in its defences. It is also important to understand the regulatory landscape and your reporting and compliance obligations, and to meet them appropriately.
Define clear cyber security measures to support your reporting process, and ensure that process is driven by leadership across your healthcare organisation. Such reporting not only measures the effectiveness of the organisation’s cyber security policies and procedures; it can also lead to the development of more effective controls.