COI Report – Part VII Page 236 of 425
a) Password management policies were not properly implemented;
b) Incident reporting policies were not followed;
c) Security hardening policies were not properly implemented (e.g. Remote Desktop Protocol access was not disabled, and there were patching delays); and
d) User-ID management policies were not properly implemented (e.g. unused or dormant accounts were not disabled).
686. As part of enhancing the public healthcare sector’s security posture, these gaps must be addressed.
687. To achieve this, CE, CSA has recommended “deliberate efforts to improve training and adherence to SOPs, as well as raising the level of awareness and cyber hygiene of the healthcare sector’s personnel”. The Committee agrees and recommends the following:
a) Training and Table Top Exercises (“TTXes”). There should be greater emphasis on training and TTXes for IT staff so as to build familiarity with policy, and to reveal weaknesses and gaps in practice. One of the greatest security assets is an organisation’s own employees, but only if they have been properly trained to comply with security policies and to identify potential security problems.[46] The benefits of training and realistic TTXes will be discussed further in section 38 (pg 269) below, in the context of improving incident response processes.
b) Audit and compliance. Regular audits and compliance checks are also important. They help to identify noncompliance, and if
[46] Network and System Security (John R. Vacca) (Elsevier Inc, 2010) (“Network and System Security”) at p.