AArete Cybersecurity Checklist: The First Step in Protecting Your Organization’s Confidential Data
This is an AArete Cybersecruity insight
Recent cyberattacks and their debilitating impact have put business leaders on notice. The threat of cybersecurity incidents is real and inevitable.
For instance, in October 2023, Air Europa experienced a significant data breach, leading to customers’ financial information being compromised, including credit card numbers, expiration dates, and CVV numbers. In the same month, 23andMe, a biotech company, suffered a credential-stuffing attack, resulting in the theft of customers’ genetic data. September 2023 also saw several major breaches, including a ransomware attack on multinational technology company Sony, which led to the extraction of sensitive data. In the same month, Ontario’s birth registry confirmed a breach affecting approximately 3.4 million people, exposing healthcare data for mothers and newborns.
Throughout 2023, breaches at companies such as Forever 21, Duolingo, and Discord.io underline the evolving nature of cyber-attacks; they have spanned various sectors and firm sizes, highlighting their widespread and indiscriminate nature. The frequency of these attacks is increasing at an alarming rate. Blackberry’s Global Threat Intelligence Report shows that between June and August 2023, the number of cyberattacks more than doubled from the prior period – to 26 per minute! More recently, in February 2024, a cyberattack by a suspected nation-state on a major health-tech company significantly impacted pharmacies and healthcare systems across the United States. The direct and indirect financial costs are estimated to be in the billions, not to mention the knock-on effects of consumers not being able to receive health services in a timely manner.
The fiscal impact is escalating for all industries, especially for healthcare. IBM’s Cost of a Data Breach Report cites that in 2023 the average cost of a breach for the healthcare industry was $10.93 million, compared with an overall average of $4.45 million, and $5.9 million for financial services firms (which ranked second in terms of cost per breach).
One could argue that the number and complexity of transactions in the financial services industry are significantly higher than in the healthcare industry. Why, then, are breaches more costly in healthcare? This can be attributed to several factors:
- Managing and protecting PHI data is expensive.
- The sector’s rapid digital transformation, especially during the COVID-19 pandemic with the increased use of telehealth, has increased complexity in networks and the handoffs of data.
- Healthcare is a highly regulated industry, with stringent laws like HIPAA adding layers of compliance requirements, and the diverse and changing nature of health data adding to the cost.
- Critical infrastructure designations in healthcare also raise breach costs due to enhanced regulatory scrutiny and the need for robust response mechanisms.
- Many healthcare organizations still rely on legacy systems and “band-aided” infrastructure that have vulnerabilities.
In light of growing cybersecurity threats, healthcare leaders are faced with difficult financial and operational questions. How much should they invest in a cybersecurity infrastructure just to keep pace with defending against increasingly sophisticated cyber hackers? What will it cost to maintain the required level of constant vigilance: (planning, refining, and auditing cybersecurity strategies and tactics, and measuring their effectiveness)? How should companies balance these investments knowing that every dollar taken away from healthcare delivery puts pressure on already thinning margins and worsens rising healthcare costs?
AArete’s cybersecurity and data management practices help clients to make right-sized investment decisions in their cybersecurity function. Our customized identity and access management (IAM) solutions fortify your environment and shield it from unauthorized use while providing a frictionless user journey. We partner with leading cybersecurity providers and cloud vendors to help you establish best-in-class solutions for features like password management, security policy enforcement, reporting and monitoring, and identity management.
Our proven, comprehensive framework incorporates sophisticated threat detection and response strategies to help your organization plan for, defend against, and respond to attacks. We start with a rapid assessment of your cybersecurity readiness, recommending key investments in advanced threat detection and response technologies, comprehensive incident response planning, and rigorous employee training. We then implement right-fit platforms to improve your defense and resilience systems.
If you are a healthcare leader looking for a rapid, practical path to bolstering your defenses, review our actionable cybersecurity checklist, (below), a key component of our comprehensive framework.
AArete’s Cybersecurity Solutions experts can help you get ready and prepared for modern cyberwarfare.
Cybersecurity Checklist
Data Security
1. Data Encryption: Do you encrypt sensitive data that is in transit and at rest?
2. Data Backups: Are you regularly backing up important data and verifying the integrity of those backups?
3. Limiting Access to Sensitive Information: Have you implemented the principle of least privilege to ensure employees have access only to the data and resources necessary for their jobs?
Network Security
1. Securing Your Networks: Do you use Virtual Private Networks (VPNs) and encrypt Wi-Fi networks? Are you regularly monitoring network traffic for unusual activities?
2. Application Programming Interfaces (APIs): Do you have the proper security protocols and software in place to protect APIs?
3. Device Security: Are all network-connected devices using the latest operating system and protected by up-to-date security software? Are you updating new versions and patches as soon as possible?
4. Installing and Updating Security Software: Have you installed the latest antivirus, anti-malware and firewall solutions? Are they regularly updated?
5. Regular Software Updates: Do you keep all software and operating systems up to date with the latest security patches?
6. System Audits and Monitoring: Do you regularly audit and monitor systems for suspicious activities?
Organizational Measures
1. Risk Assessments: Do you conduct assessments to identify and assess potential vulnerabilities in your IT infrastructure? Do you regularly update your assessment to include new threats as they emerge?
2. Security Policies: Have you developed robust security policies, including password management, access controls, and data handling procedures?
3. Employee Training and Awareness: Do you regularly train employees on cybersecurity best practices and phishing awareness?
4. Incident Response Plan: Have you developed and regularly updated an incident response plan to ensure a fast and effective response to any security breach?
5. Disaster Recovery Plan: Have you created and regularly updated a disaster recovery plan so employees know their roles and responsibilities if a catastrophic event occurs?
6. Identity Protection and Access: Do you use sophisticated identity and access technology for safeguarding access to sensitive information and systems, including multi-factor authentication, role-based access controls or passwordless authentication methods such as biometrics, tokens/certificates or FIDO2 (Fast IDentity Online 2)?
7. Vendor Risk Management: Do you verify that third-party vendors comply with your cybersecurity standards?
8. Cybersecurity Insurance: Do you have cybersecurity insurance to mitigate the financial risk associated with cyber incidents?
9. Staying Informed: Do you keep updated on the latest cybersecurity trends and threats?
Meet the Authors
Managing Director
Robert Vitelli
Director