Constant Readiness When a Disaster Strikes

Readiness

March 2020 represented a critical shift in business operations for local and global companies. For many companies, it was just another day at the office – albeit you were working remotely versus coming to the physical office. Were you prepared? Was it an IT and cybersecurity scramble or were you appropriately equipped? The difference is derived from proper business continuity and disaster recovery readiness, communication, and continuous preparation.

HealthEdge understands the requirements needed to keep up in a fast-paced world. At a moment’s notice, things could change, whether it is a natural disaster, cyber-attack, or other unforeseen events that could have an impact on our ability to meet customer needs. HealthEdge prepares for the unexpected with Business Continuity Planning and Disaster Recovery to mitigate damage, minimize downtime, and reduce the impact on business operations.

Similar to the Global COVID Pandemic, HealthEdge ensures that our business processes, workforce, IT infrastructure and cybersecurity controls are ready for unexpected events – large or small. Our team identifies critical business functions, which includes systems, applications, and essential data that is needed for business operations to continue. Risks and vulnerabilities are assessed for critical business operations and considerations are made for the likelihood of various disasters and the potential impact of data loss or disruption.

Plans

Disaster Recovery and Business Continuity Plans are developed to outline how our teams will quickly recover, relying on backup and contingency plans and alternate work arrangement locations. These plans are tested and updated regularly to ensure they remain effective. While aligned with common themes and content, individual and custom product and facility-centric Disaster Recovery, Business Continuity and Emergency Preparedness Plans are maintained to ensure we are prepared based on geography and product group. The HealthEdge IT Security and Compliance teams maintain these plans. We augment internal efforts with external expertise to help ensure we identify and constantly mature the program based on emerging best practices and global threats. Copies are maintained in the HealthEdge Governance Repository for offsite backup purposes and are readily available should the need arise.

Testing

Team simulations help us to identify gaps or weaknesses in the plans, as well as ensure the plan is consistent with changes to business operations or IT infrastructure. These simulations and live tests occur among small teams, multi-offices and business products, or directly with customers. The ultimate objective is to stress test and be prepared – whether our workforce is located in a major metropolis with regional redundancy or in their village in India where local Internet and communications systems could have reliance issues.

Recent examples include:

  • Testing Key Leadership Response Times – Our team uses recent regional events, such as flooding, to determine how prepared Leadership, Human Resources, and IT are to account for and maintain communications with the workforce as the community recovers.
  • Testing Remote Access – Our team sends groups to work remotely to assess latency, communications system constraints or home bandwidth issues.
  • Testing Alternative Work Sites – Our team evaluates the potential impacts of destruction of physical office space and safely reroutes employees to an alternate location.

As the Boy Scouts motto says, “Be Prepared” since that is what our customers expect of us: safeguard their data, maintain high availability, and deliver as promised.

Education and Awareness

Employee awareness is key in ensuring everyone knows their role should a response be initiated. HealthEdge conducts regular training for employees who work onsite, hybrid, and remote. In addition to this training, we produce education alerts and messages to not only support the employees but also their families. We are accountable for ensuring our systems, networks and data centers are prepared, as well as the home environment of our employees and their families. Protecting the family and home is critical for a “family first HealthEdge”, but to also ensure they are prepared in the event they are called upon to primarily work remotely.

Getting Our Ducks in a Row When Disaster Strikes

We value the trust our customers place with our business and strive to always deliver service, even when the unexpected occurs. As with other facets of information security, business continuity and emergency preparedness is another critical way HealthEdge protects you, your members, and the entire HealthEdge family. It’s also another way we ensure our ducks are in a row.

 

 

Counteracting Healthcare Industry Cybersecurity Threats: Security Awareness for Everyone (SAFE)

healthcare cybersecurity threat awareness | HealthEdge

Here at HealthEdge, our cybersecurity strategy relies on a defense-in-depth approach, which means we rely on people, processes, and technology to ensure our security controls remain viable and constantly evolve. Of these three, the HealthEdge team, is the most formidable layer of cybersecurity. We count on our global workforce to stay informed, identify and report suspicious messages, and to understand and comply with our IT Security Policies. Our Chief Information Security Officer, Jerry Sto. Tomas says, “I am often asked how big our security team is. I respond with, ‘around 2,000 people.’ Each of us has a responsibility in security because the HealthEdge team is the first line of defense.”

The SAFE program aims to empower our team with:

  • Regular newsletters providing education on healthcare cybersecurity threat awareness and trends.
  • Cybersecurity alerts on real-time threats and how the workforce can help.
  • Comprehensive IT security policies.
  • Mechanisms to report suspicious messages.
  • Monthly internal phishing simulation tests and just-in-time training.
  • Annual training, role-based training, and continuous micro-training.
  • Cybersecurity best practice tips to implement in the workplace and at home.

Preparing the Team

With regular information newsletters and real-time security alerts, our team is always kept up-to-date on cybersecurity, regardless of their role at HealthEdge. Newsletters are sent out bi-weekly with cybersecurity news, tips, trends and communications about new security practices. Newsletter content is tailored to our organization with the objective of improving overall healthcare cybersecurity threat awareness both at work and home.

Identifying and Reporting

The goal of SAFE is to ensure everyone is able to identify and quickly report suspicious messages or activities. The Security Operations team analyzes every message that is reported as suspicious and sends the results back to the reporter. Sending the analysis results back to the reporter provides the reporter with confirmation of their ability to identify malicious messages or spam. On a monthly basis, phishing tests are sent out that simulate current phishing campaigns used by threat actors. Campaign attack techniques include domain and popular brand spoofs, QR codes, and suspicious links with requests for information, oftentimes with topics based on global security trends, cultural events or “the events of the day”. In addition to maintaining a low fail rate, the objective is to increase identification and reporting of suspicious messages. Those who fail are provided subsequent training to increase future awareness.

Administrative and Technical Controls

In addition to IT security policies, HealthEdge implements technical controls that monitor and enforce password policies and multifactor authentication. Network access is controlled, and principles of least privilege are enforced. This means that even trusted users with authorized network access are limited to only the access required to do their job. When access is granted, logs are collected from across the environment, which gives us the ability to monitor changes that could impact preservation of confidentiality, integrity, or availability. Our team’s cybersecurity habits, and best practices strengthen our administrative and technical controls; each component is critical for cybersecurity maturity.

A Holistic Approach

Our team prides itself on keeping up with the latest cybersecurity news and updates. We follow industry best practices, monitor third-party intelligence, implement technical and administrative controls, and most importantly we keep the cybersecurity discussion going. Our holistic approach allows our team to be prepared to protect the HealthEdge workforce network as the first line of defense, and also empowers them to practice good cyber hygiene at home. Security awareness for everyone, every day, everywhere.