Cybersecurity has become a hot topic due to the upcoming presidential elections. Politicians are not the only ones vulnerable to cyberattacks; health care organizations are as well. As health care organizations maintain patient health information in order to deliver higher-quality care to their patients, security becomes a greater need. Health care organizations have established security programs to identify potential threats and implement processes to eliminate or mitigate the ability of those threats to cause damage. Security should involve protecting not only patient information but also the organization’s information systems, which include networks, hardware, software, and applications. Threats can be human or environmental in origin.
Top 10 Recommendations for Cybersecurity in Health Care
- Protect Yourself Through Firewalls:
All networks need a HIPAA-compliant hardware and software firewall. Firewalls restrict incoming and outgoing network traffic according to rules and criteria configured by the individual organization. A hardware firewall is installed between the organization’s network and the Internet to protect its systems from the outside environment, while a software firewall protects the specific device it is installed on, including from threats that originate inside the network. The Security Metrics Blog surveyed 52 healthcare professionals responsible for HIPAA compliance to see how they were doing with network firewall protection and found that only 18% use both hardware and software firewalls; in addition, 27% of those surveyed did not know which firewalls they use. After installation, ongoing management of the firewalls and regular review of changes to the firewall rules are critical to keeping a healthcare IT system safe.
- Control Physical Access:
One of the most common ways data is breached is through a lost device. Loss can happen by accident or intentionally through theft, so every device should be inventoried regularly and locked up so that only appropriate personnel have access to it. Limiting physical access also includes managing physical keys, securing machines within locked areas, and limiting the ability to remove devices. Servers should be kept in a controlled environment, meaning they are protected from physical and environmental hazards such as extreme temperature, water, and even fire. In many instances, a security guard also monitors the area.
- Plan for the Worst (have a regularly tested backup and recovery system in place):
There comes a time in every healthcare organization’s history when disaster strikes. It could be a natural disaster, where an earthquake, blizzard, tornado, or hurricane causes damage to the hospital. It could also be an equipment failure that cuts electrical power, or human error that requires shutting down the EHR for many hours to fix the resulting issues. None of these scenarios can be predicted with 100% accuracy, but an organization is nonetheless asking for trouble if it does not have a plan to deal with each and every one of them.
The most critical element in this regard is a secure backup system. Patient records need to be copied regularly to a second location so that they remain accessible in an emergency. These backups must occur regularly and automatically, both to prevent human error and to keep a mindset of “what’s the big deal if I miss a backup or two when nothing ever happens” from taking hold among staff. Additionally, the backups must be housed in an off-site location: in the event of a natural disaster that wipes out the main system, the backups must not be lost to the same event. However, living in a secondary location does not mean the backups can be any less secure than the main system. Patient information stolen from the backups is just as disastrous as patient information stolen from the main system.
Lastly, there must be a protocol for transitioning between the primary and secondary systems. This includes assessing the various levels of damage possible and coming up with a plan for each one. If the hospital is running on emergency generator power, that may call for a different response than if the EHR is temporarily taken offline because of newly discovered software errors. Thorough risk analysis must take place for every imaginable scenario to ensure that the organization survives each one.
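The “tested backup and recovery” step above is the one most often skipped, so here is an added example (not code from the original post) of what a tested backup looks like in practice: the job copies a directory of records to a second location, writes a SHA-256 manifest next to the copy, restores into a scratch directory, and checks every restored file against the manifest. It then corrupts one file in the off-site copy to show that the same check catches the problem before the day the backup is actually needed. The directory layout, file names and record contents are constructed for this example.

```python
"""Added example: back up a directory, then prove the restore works by
verifying every restored file against a hash manifest. Paths and records
are constructed; nothing here comes from a real system."""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

# Constructed sample records standing in for an EHR export.
SAMPLE_RECORDS = {
    "patients/1001.json": '{"mrn": "1001", "name": "TEST PATIENT A"}\n',
    "patients/1002.json": '{"mrn": "1002", "name": "TEST PATIENT B"}\n',
    "schedules/2016-10.csv": "date,clinic\n2016-10-03,cardiology\n",
}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large exports do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def back_up(source: Path, backup_root: Path, label: str) -> Path:
    """Copy every file under source to backup_root/label and record each copy's hash."""
    dest = backup_root / label
    dest.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for path in sorted(p for p in source.rglob("*") if p.is_file()):
        rel = path.relative_to(source).as_posix()
        target = dest / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)
        manifest[rel] = sha256_of(target)  # hash the copy, not the original
    (dest / "manifest.json").write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def restore_and_verify(backup_dir: Path, restore_to: Path) -> dict:
    """Restore into restore_to, then compare every restored file with the manifest."""
    manifest = json.loads((backup_dir / "manifest.json").read_text())
    missing, mismatched = [], []
    for rel, expected in manifest.items():
        src = backup_dir / rel
        if not src.is_file():
            missing.append(rel)
            continue
        target = restore_to / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, target)
        if sha256_of(target) != expected:
            mismatched.append(rel)
    return {
        "ok": bool(not missing and not mismatched),
        "checked": len(manifest),
        "missing": missing,
        "mismatched": mismatched,
    }


def demo() -> dict:
    """Run a backup, prove the restore works, then show that a silently altered
    backup file is caught by the same check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        source = root / "ehr-export"
        for rel, body in SAMPLE_RECORDS.items():
            record = source / rel
            record.parent.mkdir(parents=True, exist_ok=True)
            record.write_text(body)
        backup = back_up(source, root / "offsite", "nightly-001")
        clean = restore_and_verify(backup, root / "restore-test-1")
        # Simulate bit rot or tampering in the off-site copy.
        (backup / "patients/1002.json").write_text('{"mrn": "1002", "name": "ALTERED"}\n')
        corrupted = restore_and_verify(backup, root / "restore-test-2")
        return {"clean": clean, "corrupted": corrupted}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run as a scheduled job, the `restore_and_verify` step is what turns a backup into a tested backup; a manifest that never gets checked only tells you that a copy was made, not that it can be restored intact.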
- Use and Update Antivirus Software:
Antivirus software is designed to reduce the threat from viruses. Viruses are one of the easiest ways for security to be compromised, and antivirus software both minimizes that vulnerability and is one of the most affordable ways an organization can protect itself. Although antivirus software is not foolproof at detecting all unusual activity, it still reduces risk, especially when the organization keeps its protection continuously updated. Antivirus software works with “signatures” and therefore only responds when a virus it already recognizes enters your network.
- Have a Communication Plan:
There is no use hiding your response plan inside an employee handbook. Organizations must have a comprehensive plan that outlines how and when information is disseminated to staff. Using different avenues of communication is the key to reaching the largest number of employees possible: newsletters, announcements at staff meetings, reminders in break rooms and cafeterias, blogs, vlogs, podcasts, and screen savers displaying data security and privacy messages can all be effective. Remember that it is not a plan unless staff members know their role and can execute their portion of the plan in a timely manner. Providing ongoing education, as outlined below, will keep the plan a living document and policy, and will remind employees that they have a vital role in securing data. Encourage employees to view it from the perspective of their home life: how would they want their own data to be protected? By having a communication plan, you demonstrate that the organization values its data.
- Establish a Security Culture/Employee Education:
No matter how competent an organization’s IT department is with regard to security and privacy, it is still heavily dependent on every other staff member to do their job effectively. The majority of people in any organization believe that they will never accidentally put patient information at risk, even though many do exactly that on an almost daily basis. Constant education is needed to impress upon staff that the actions they take at a computer can have real and severe consequences for themselves as well as for the organization. Training must begin at orientation for new staff and should include annual refreshers for existing staff. Leadership must be willing to set an example for the people under them by always practicing good habits and by holding others accountable for doing the same.
- Encryption (of Endpoint Devices and Sensitive Data):
Encryption takes readable data and makes it appear meaningless. Even with laws such as HIPAA that require organizations to encrypt patient information, once security has been compromised and violators have gained access, encryption no longer protects the data. Another major risk of leaving devices and data unencrypted is that violators are not necessarily looking for patients’ health information for its own sake, but to sell it on the dark web: patient information sells for up to five times as much as an individual’s credit card information. On top of this, many violators turn to ransomware, where victims must pay the perpetrators to have their own information decrypted and accessible again. Encryption should be a priority for all healthcare organizations, and with good IT support, organizations are left less vulnerable.
- Control Access to Confidential Electronic Health Records:
With the spread of EHRs, healthcare systems have the opportunity to improve coordinated care for patients and to provide easier, continuous access to their health information. HIPAA regulations for securing confidential patient EHRs are meant to keep private patient information from being inappropriately accessed or hacked, stolen, or lost. To avoid security breaches, healthcare IT staff must stay up to date on the tools at their disposal to protect their patients’ EHRs adequately. Access control lists tell the firewall what traffic you trust to enter or leave your network and to access your network’s data; when no access control lists are configured, all network traffic is free to come and go. In addition, setting and resetting passwords and PINs, encrypting information in transit and at rest, and auditing network activity trails all serve as further methods of increasing EHR security. As a trade-off, it is important to remember that large rule sets within access control lists can negatively impact network performance, slowing down workflow. Network administrators will also need to hear and address staff members’ complaints about being unable to access files they legitimately need in order to perform their job duties.
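To make the two firewall points concrete (an unconfigured list lets everything through, and every extra rule costs a comparison per packet), here is an added example of a first-match access control list evaluator. It is not code from the original post or from any firewall product; the addresses, ports and rules are constructed, and the “EHR” subnets are assumptions chosen only to illustrate a default-deny policy beside the wide-open case.

```python
"""Added example: a tiny first-match access control list, used to show
what happens with no rules configured versus a default-deny rule set, and
how the number of rules examined per packet grows with the list. All
addresses, ports and rules below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src: str                 # CIDR block the source address must fall inside
    dst_port: Optional[int]  # destination port, or None to match any port
    note: str = ""


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_port: int


class AccessControlList:
    def __init__(self, rules: List[Rule], default: str = "deny"):
        self.rules = list(rules)
        self.default = default
        self.comparisons = 0  # rules examined so far, to make the cost visible

    def decide(self, pkt: Packet) -> str:
        addr = ip_address(pkt.src_ip)
        for rule in self.rules:  # first matching rule wins, so order matters
            self.comparisons += 1
            if addr in ip_network(rule.src) and rule.dst_port in (None, pkt.dst_port):
                return rule.action
        return self.default  # nothing matched: fall back to the default policy


# Constructed rule set: only clinical workstations reach the EHR web front end,
# and only the admin jump-host subnet reaches SSH on the EHR servers.
EHR_RULES = [
    Rule("allow", "10.20.0.0/16", 443, "clinical workstations -> EHR HTTPS"),
    Rule("allow", "10.20.5.0/24", 22, "admin jump hosts -> EHR SSH"),
    Rule("deny", "0.0.0.0/0", None, "everything else"),
]

# Constructed traffic sample, one packet per case we want to see decided.
SAMPLE_TRAFFIC = [
    Packet("10.20.40.3", 443),   # workstation to EHR web: allowed
    Packet("10.20.40.3", 22),    # workstation to SSH: denied
    Packet("10.20.5.7", 22),     # jump host to SSH: allowed
    Packet("203.0.113.9", 443),  # Internet host to EHR web: denied
]


def evaluate(acl: AccessControlList, packets: List[Packet]) -> List[str]:
    return [acl.decide(p) for p in packets]


def unconfigured_versus_configured() -> dict:
    """Compare an empty default-allow list (nothing configured) with the EHR rule set."""
    wide_open = AccessControlList([], default="allow")
    locked_down = AccessControlList(EHR_RULES, default="deny")
    return {
        "no_acl": evaluate(wide_open, SAMPLE_TRAFFIC),
        "ehr_acl": evaluate(locked_down, SAMPLE_TRAFFIC),
        # Average rules examined per packet: the cost the text warns about.
        "comparisons_per_packet": locked_down.comparisons / len(SAMPLE_TRAFFIC),
    }


if __name__ == "__main__":
    for name, value in unconfigured_versus_configured().items():
        print(f"{name}: {value}")
```

The `comparisons` counter is the point of the exercise: with three rules, a denied packet from the Internet has to be checked against every rule before the final deny applies, and that cost scales with the size of the list, which is why the text cautions against bloated rule sets.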
- Perform Regular Security and Risk Audits:
Another security measure that we recommend implementing for Moyen Sante Medical Center’s EHR is the ongoing use of security audits, using audit trails and audit logs. We will avoid the technical components of all that an audit entails and briefly summarize some of the benefits the organization will realize once security audits become an organizational standard.
The first benefit, realized immediately upon the implementation of security audits once the audits are made known to the organization, is a reduction in inappropriate access. Audits are one step in the process of creating a culture of accountability, because individuals change their behavior when they are aware that they are being monitored. In the same vein, audits create a trail that can be followed during an investigation when malicious use does occur.
Another benefit for Moyen Sante is retroactive in nature but allows the security of the EHR to be improved continually. Security audits allow the organization to identify malicious attempts to access patient records and to analyze how the attempted or successful access occurred. This knowledge allows the HIT staff to bolster the EHR security systems and diminish the likelihood of that form of unwarranted access occurring again. Further, a malicious access attempt does not have to occur for weak points in EHR security to be identified; some audits reveal weak points simply through the periodic assessments themselves.
Lastly, aside from the accountable and reliable culture around electronic patient health data that results when a health system performs security audits, the organizational leaders developing security measures around HIT will need to consider security audits because they are compulsory. The HIPAA Security Rule mandates the following provisions:
Section 164.308(a)(1)(ii)(c) – Information system activity review (required), which states organizations must “implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.”
Section 164.312(1)(b) – Audit controls (required), which states organizations must “implement hardware, software, and procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.”
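The two provisions above require that activity records be kept and regularly examined, but say nothing about what to look for. As an added example (not part of the original post, and not based on any particular EHR product), the script below reads constructed EHR access log lines and flags three patterns a reviewer would want to follow up: a clinician opening a chart for a patient who is not on their care team, any access during the overnight window, and many distinct charts opened in a short time. The log format, the care-team table and the thresholds are all assumptions made for this example.

```python
"""Added example: review constructed EHR access log lines for access that
deserves a second look. Log format, care-team assignments and thresholds
are assumptions for illustration only."""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, user, role, patient id, action.
LOG_LINES = """\
2016-10-03T08:12:41 jdoe nurse 1001 view
2016-10-03T08:15:02 jdoe nurse 1002 view
2016-10-03T02:47:19 bsmith billing 1003 view
2016-10-03T09:05:55 kwong physician 1004 view
2016-10-03T09:06:10 kwong physician 1005 view
2016-10-03T09:06:30 kwong physician 1006 view
2016-10-03T09:06:45 kwong physician 1007 view
2016-10-03T11:30:00 bsmith billing 1001 view
"""

# Constructed care-team table: which patients each clinical user is treating.
CARE_TEAM = {"jdoe": {"1001", "1002"}, "kwong": {"1001", "1002", "1003"}}
CLINICAL_ROLES = {"nurse", "physician"}
NIGHT_START, NIGHT_END = 22, 6  # 22:00 to 06:00 counts as after hours
RAPID_PATIENTS, RAPID_WINDOW = 3, timedelta(minutes=5)  # more than 3 charts in 5 min


def parse(text: str) -> list:
    """Turn raw log lines into event dicts with a real datetime."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def review(events: list, care_team: dict) -> list:
    """Return one finding per rule hit; each finding names the rule and the user."""
    findings = []
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)
        # Clinicians should only be in charts of patients they are treating.
        if ev["role"] in CLINICAL_ROLES and ev["patient"] not in care_team.get(ev["user"], set()):
            findings.append({"rule": "NOT_ON_CARE_TEAM", "user": ev["user"],
                             "patient": ev["patient"], "ts": ev["ts"].isoformat()})
        # Overnight access is unusual enough to be worth a look regardless of role.
        hour = ev["ts"].hour
        if hour >= NIGHT_START or hour < NIGHT_END:
            findings.append({"rule": "AFTER_HOURS", "user": ev["user"],
                             "patient": ev["patient"], "ts": ev["ts"].isoformat()})
    # Many distinct charts in a short window is the classic browsing pattern.
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            window = [e for e in evs[: i + 1] if e["ts"] >= ev["ts"] - RAPID_WINDOW]
            distinct = {e["patient"] for e in window}
            if len(distinct) > RAPID_PATIENTS:
                findings.append({"rule": "RAPID_LOOKUP", "user": user,
                                 "patients": sorted(distinct), "ts": ev["ts"].isoformat()})
                break  # one finding per user is enough to trigger follow-up
    return findings


def summarize(findings: list) -> dict:
    """Count findings per rule, the figure a periodic audit report would carry."""
    return dict(Counter(f["rule"] for f in findings))


if __name__ == "__main__":
    results = review(parse(LOG_LINES), CARE_TEAM)
    for finding in results:
        print(finding)
    print(summarize(results))
```

None of these findings proves misuse on its own; a physician covering for a colleague legitimately opens charts outside their assigned list. Their value is in giving the reviewer a short list to check against the schedule rather than a raw log to read end to end, which is what makes the “regularly review records” requirement achievable.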
- Have a Mobile Device Policy:
In today's world of smartphones, laptops, tablets, and so on, all the information we could possibly need is right at our fingertips. In the healthcare industry that information includes the personal information of thousands of patients stored in Electronic Health Records. We have already mentioned the importance of securing these records, so why address mobile devices separately? Because mobile devices carry their own set of security risks. Some of these include:
- The mobility of the devices, which makes them easy to lose as well as susceptible to theft
  - If this happens, you need to ensure that the device is secure so as to prevent unauthorized use; this can be done via password protection, access controls, and other authentication requirements
- Because mobile devices can be used almost anywhere with a wireless internet connection, you must:
  - Pay careful attention to your environment, such as the people around you, before you view private information on your mobile device
  - Be wary of transmitting any unencrypted information over a public or unsecured wireless network
Taking these risks into consideration, if you can avoid transporting data on mobile devices, you should. However, in today's wireless world, we must account for the fact that many people depend on these devices. Therefore, if you must transport sensitive information on a mobile device, you must always ensure that the data is encrypted. A crucial rule of cybersecurity is: if you are unsure whether data transmitted from a particular mobile device would be encrypted, do not use it.
Developing and enforcing a mobile device policy for your organization that emphasizes this rule is essential. No longer is private patient information confined to a single, secured facility; now it can be found on a mobile device small enough to fit inside your pocket and be taken home with you. It is said best by healthit.gov: "Those who have responsibility for protecting patient information must recognize that this responsibility does not end at the office door."
One of the biggest challenges of healthcare cybersecurity is balancing the cost of security with the need for security. Organizations are still unclear on how to measure how vulnerable their networks are, and therefore struggle to decide how much or how little they need to invest to reduce risk.