Corban Technology Solutions Journal
New Canadian Cybersecurity Best Practices
for small and medium business, including private health clinics
Originally posted on 20190813, with subsequent updates
By Stan Shaw, Founder, CTS
Much like the practice of medicine, cyber security is an evolving discipline. For this reason, there is no single "correct" approach that will protect your clinic from all threats. And, as with medical specialists, there is definitely a place for IT security specialists in the complex field of healthcare cyber security: to assess your environment, and to provide proactive support and remediation assistance in order to minimize your risks.
But there is much that your healthcare clinic or small business can do on its own.
Yesterday, the Federal Government launched a voluntary certification program called CyberSecure Canada, designed for small and medium organizations. It is based on a new set of standards, published in March (updated to version 1.1 in June 2019) by the Canadian Centre for Cyber Security (CCCS), an organization formed out of the operational cyber security expertise of Public Safety Canada, Shared Services Canada, and the federal government communications establishment.
We have reviewed these standards, and believe that, whether you choose to certify or not, these recommendations are so helpful that every private health care clinic should consider adopting them as a baseline.
Additional measures, of course, may be needed to meet provincial and federal health cyber security requirements. But what we particularly like about these standards is that they adhere to what the authors call the "80/20" rule: adopting them will give you 80% of the benefit for 20% of the effort. The recommended controls are practical, and are focused on making a significant difference in protecting small and medium-sized businesses from cyber threats.
Taken as a whole, these standards may appear a bit daunting. And yes, you will likely need a security specialist to help review your clinic's current state and implement effective measures. That should not stop you from getting started. While all of the measures are important, begin by taking one step at a time, and focus on what you can do right now. To help with this, we will explore individual areas of these controls in future journal posts, and include tips that are especially applicable to health care clinics.
There is, however, some urgency to adopting these measures now. With the re-emergence of extortion in recent months as a serious cyber security risk, please make sure to read our update on ransomware and, if you have access to it, our article published last week for physicians across Canada in the Canadian Healthcare Network.
In the meantime, please take a look at the CCCS standards mentioned above, also found here. You may want to consider updating or drafting your clinic's IT security policies with them in mind.