Cybersecurity Guidance for High-Risk Nonprofits on the Heels of the Latest Healthcare Breach
With healthcare providers like Ascension hindered by cyberattacks, the Cybersecurity and Infrastructure Security Agency (CISA) offers guidance for these at-risk organizations.
In early May, Ascension, a major U.S. healthcare network, was hit by a ransomware attack that affected hospitals across 19 states. The attack forced the organization to revert to "downtime procedures," meaning paper records and other manual backup processes, in order to continue delivering care. Patients were asked to bring printed notes on their symptoms, summaries from previous visits, and lists of current medications, including the bottles with prescription numbers where available.
Weeks later, wait times for care at Ascension have routinely been longer than usual, and some care has been delayed entirely, as the organization continues to struggle to return its systems to normal. Though its main services are back up and running, questions remain about how much protected patient data was exposed, and three class action lawsuits have been filed.
Though this attack was severe, attacks like it have unfortunately become increasingly common, as healthcare and other large nonprofit organizations have become favored targets of cybercriminals. In 2023, a record-setting 725 large security breaches in healthcare were reported, beating the previous year's 720.
To help combat this trend, CISA has released new guidance for high-risk nonprofits and other community organizations that may not have the resources they need. Among the recommendations in "Mitigating Cyber Threats With Limited Resources: Guidance For Civil Society":
- Keep software updated on user devices and IT infrastructure
- Implement phishing-resistant multifactor authentication (for example, FIDO2/WebAuthn security keys or PIV smart cards, rather than SMS codes or push-approval prompts that can be phished or fatigued)
- Audit accounts and disable unused or unnecessary accounts
- Exercise due diligence when selecting vendors, including cloud service providers and managed service providers
- Implement basic cybersecurity training
- Develop and exercise incident response and recovery plans