Best Practices for Preventing Healthcare Cybersecurity Breaches
Healthcare cybersecurity breaches can be devastating, but there are resources available to help you prevent cybersecurity attacks and develop best practices.
Hospital officials know the importance of preparing for healthcare cybersecurity breaches, not just for HIPAA compliance but also to avoid the costly disruptions and damage that can be caused by cyberattacks.
Unfortunately, healthcare organizations typically have large computer networks holding vast troves of sensitive data that need to be accessed by many employees in multiple locations. These networks run software from third party business associates and usually connect with dozens of IoT devices at once.
And every hospital works within a larger ecosystem, requiring employees to communicate and exchange data with a wide range of outside players. A recent attempt by the Health Care Industry Cybersecurity Task Force to diagram the healthcare sector shows the complexity of hospital environments.
I doubt this visualization makes officials feel any better.
But the task of preventing healthcare cybersecurity breaches is not insurmountable. For starters, you don’t need to go it alone. There is a large, inclusive community of healthcare cybersecurity professionals out there willing to help their similarly burdened peers.
Below we look at some online resources offering guidance and healthcare cybersecurity best practices, then run through a list of tips to prevent, mitigate and respond to cybersecurity attacks.
Healthcare Cybersecurity Resources
The task force responsible for making your head spin with the above diagram also released the Report on Improving Cybersecurity in the Healthcare Industry this year, which listed several organizations hospital officials can reach out to for help and resources. Those groups are listed below:
- The Healthcare and Public Health (HPH) Sector Critical Infrastructure Protection Partnership. This group heads a public/private sector partnership to protect the HPH Sector from all hazards, including cyber attacks.
- The HITRUST Alliance. This not-for-profit organization works with public and private leaders from healthcare cybersecurity and information security organizations.
- The National Health Information Sharing and Analysis Center (NH-ISAC). This membership organization offers healthcare cybersecurity best practices, cybersecurity breach information and more.
- InfraGard. InfraGard is a partnership between the FBI and the private sector.
- The US Computer Emergency Readiness Team (US-CERT). This group provides information to the public and private sectors and publishes alerts about various cybersecurity issues.
- The Industrial Control Systems Emergency Response Team (ICS-CERT). This group coordinates among federal/local governments and the private sector about cybersecurity best practices, vulnerabilities, data breaches and other incidents related to industrial control systems (like medical devices).
- The DHS’ National Cybersecurity and Communications Integration Center. We’ve written about the benefits of the HCCIC in the past.
First Steps for Preventing Healthcare Cybersecurity Breaches
In 2015, the healthcare sector was the victim of more cyberattacks resulting in data breaches than any other critical infrastructure sector. Ransomware specifically has become a growing threat since 2016, and Campus Safety has reported on how numerous hospitals responded to ransomware attacks.
More recent data has also been discouraging: One 2017 survey of healthcare providers found 78 percent experienced email-related cyberattacks over the previous 12 months.
Under HIPAA’s Security Management Process standard (§ 164.308(a)(1)(i)), covered entities must “implement policies and procedures to prevent, detect, contain, and correct security violations.”
The standard’s Risk Analysis specification requires covered entities to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a) [(the General Requirements of the Security Rule)].”
Obviously there’s a bit to be interpreted under that rule, starting with the definitions of “sufficient”, “reasonable” and “appropriate”.
But healthcare entities can start by applying the same high-level risk management framework they use for physical security to cyberspace. The DHS framework featured in its 2013 National Infrastructure Protection Plan does exactly that: it applies the same risk management strategy to physical, cyber and human security.
17 Healthcare Cybersecurity Best Practices
Healthcare entities need to develop an organization-wide framework for managing data securely. Once a framework has been established, it should be reviewed frequently, both to stay in compliance with HIPAA and to make sure it aligns with current cybersecurity best practices, so that your organization is in the best position to detect and prevent data breaches.
The American Health Information Management Association (AHIMA), a professional association for health professionals involved in health information management, recently released 17 steps to creating a plan for cybersecurity attacks. They are listed below:
1. Conduct a risk analysis of all applications and systems. Any and all information, applications and systems held by your healthcare organization could be compromised and must be addressed by your cybersecurity risk assessment.
2. Recognize record retention as a cybersecurity issue.
3. Patch vulnerable systems.
4. Deploy advanced endpoint security solutions that provide more effective protection than standard antivirus tools.
5. Encrypt all workstations, laptops, smartphones, tablets, portable media and backup tapes.
6. Improve identity and access management. Policies to achieve this could include password standards, locking users out after repeated failed login attempts, two-factor authentication, restricting concurrent logins, time-of-day restrictions and user education.
7. Refine web filtering (block bad traffic).
8. Implement mobile device management.
9. Develop an incident response capability by creating cybersecurity attack plans, educating staff on the data breach plan and conducting drills.
10. Monitor audit logs of selected systems (this task can be outsourced).
11. Leverage existing security tools such as intrusion prevention/detection systems.
12. Evaluate current and potential business associates (per the HIPAA Security Rule).
13. Improve tools and conduct an internal phishing campaign to teach employees what the “red flags” in emails are.
14. Have an outside cybersecurity firm execute technical and non-technical evaluations.
15. Prepare a ‘State of the Union’ presentation with your healthcare entity’s cybersecurity leaders. You should be prepared to answer the following questions:
   - Where are we compared to similar healthcare organizations?
   - Who’s in charge of our cybersecurity program?
   - How are we working to reduce the risk of a cybersecurity attack?
   - How and when will the board be notified of a healthcare cybersecurity breach?
   - Do we have cyber insurance?
16. Apply a ‘Defense in Depth’ strategy. Review access control protocols, evaluate security policies to make sure they incorporate current cybersecurity best practices, review audit logs regularly, consider your healthcare entity’s cybersecurity attack response capabilities and conduct desktop drills.
17. Detect and prevent intrusion. Monitor your hospital network for nefarious activity with anomaly detection or signature-based methods. Intrusion detection systems can produce reports and trend data that could indicate a cybersecurity attack or breach.
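The identity and access management item above names several controls (lockout after failed logins, a cap on concurrent sessions, time-of-day restrictions, two-factor authentication) without showing how they fit together at a login decision point. The following is an added example, not code from the article or from AHIMA; the policy thresholds, role names, user names and timestamps are all constructed for the demonstration, and a real deployment would take them from the organization's own policy and identity provider.

```python
"""Toy login policy enforcement for the IAM controls listed above:
lockout after repeated failures, a concurrent-session cap, per-role
time-of-day windows and a two-factor requirement. Hypothetical example
code; thresholds and identities below are constructed, not from the article."""
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class AccessPolicy:
    max_failures: int = 5                                  # failures that trigger lockout
    failure_window: timedelta = timedelta(minutes=15)      # only failures this recent count
    lockout_duration: timedelta = timedelta(minutes=30)
    max_concurrent_sessions: int = 2
    allowed_hours: dict = field(default_factory=dict)      # role -> (start_hour, end_hour)
    mfa_required: bool = True


class AccessController:
    def __init__(self, policy: AccessPolicy):
        self.policy = policy
        self.failures = defaultdict(deque)   # user -> timestamps of recent failed attempts
        self.locked_until = {}               # user -> datetime the lockout expires
        self.sessions = defaultdict(set)     # user -> ids of active sessions

    def _prune_old_failures(self, user, now):
        q = self.failures[user]
        while q and now - q[0] > self.policy.failure_window:
            q.popleft()

    def attempt_login(self, user, role, password_ok, mfa_ok, session_id, now):
        """Return (allowed, reason). Checks run in a fixed order so every
        refusal names the single policy that caused it."""
        if user in self.locked_until and now < self.locked_until[user]:
            return False, "locked_out"
        if role in self.policy.allowed_hours:
            start, end = self.policy.allowed_hours[role]
            if not (start <= now.hour < end):
                return False, "outside_allowed_hours"
        if not password_ok:
            self._prune_old_failures(user, now)
            self.failures[user].append(now)
            if len(self.failures[user]) >= self.policy.max_failures:
                self.locked_until[user] = now + self.policy.lockout_duration
                self.failures[user].clear()
                return False, "locked_out"
            return False, "bad_password"
        if self.policy.mfa_required and not mfa_ok:
            return False, "mfa_required"
        if len(self.sessions[user]) >= self.policy.max_concurrent_sessions:
            return False, "too_many_sessions"
        self.sessions[user].add(session_id)
        self.failures[user].clear()          # a good login resets the failure counter
        return True, "ok"

    def logout(self, user, session_id):
        self.sessions[user].discard(session_id)


def run_demo():
    """Replay a constructed sequence of login attempts and return the reasons."""
    policy = AccessPolicy(allowed_hours={"billing": (7, 19)})   # billing staff: 07:00-19:00
    ctl = AccessController(policy)
    t0 = datetime(2024, 1, 8, 9, 0)      # constructed: a Monday at 09:00
    reasons = []
    # five wrong passwords one minute apart; the fifth locks the account
    for i in range(5):
        reasons.append(ctl.attempt_login("clerk1", "billing", False, False,
                                         f"s{i}", t0 + timedelta(minutes=i))[1])
    # correct password during the lockout is still refused
    reasons.append(ctl.attempt_login("clerk1", "billing", True, True, "s9",
                                     t0 + timedelta(minutes=10))[1])
    later = t0 + timedelta(minutes=45)   # lockout has expired
    reasons.append(ctl.attempt_login("clerk1", "billing", True, False, "s10", later)[1])
    reasons.append(ctl.attempt_login("clerk1", "billing", True, True, "s10", later)[1])
    reasons.append(ctl.attempt_login("clerk1", "billing", True, True, "s11", later)[1])
    reasons.append(ctl.attempt_login("clerk1", "billing", True, True, "s12", later)[1])
    # a billing user at 02:00 is outside the role's allowed window
    reasons.append(ctl.attempt_login("clerk2", "billing", True, True, "s20",
                                     t0.replace(hour=2))[1])
    return reasons


if __name__ == "__main__":
    for r in run_demo():
        print(r)
```

The order of checks matters: the lockout and time-of-day tests run before the password is even considered, so a locked or off-hours account yields no information about whether the password was right, and the failure counter only resets on a fully successful login.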
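Items 10 and 17 above call for monitoring audit logs and for intrusion detection using either signature-based or anomaly-based methods. The example below is added here to show both approaches side by side over the same audit trail; it is not code from the article or from any EHR vendor. The log line format, the two signature rules, the baseline figures and every sample line are constructed for the demonstration.

```python
"""Audit-log monitoring with a signature rule set and a simple statistical
anomaly detector, matching the audit-log and intrusion-detection items in
the list above. Hypothetical example code; the log format, rules, baseline
and sample lines are all constructed."""
import re
import statistics
from collections import Counter

# One audit event per line. Constructed format, not any real product's.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T(?P<hour>\d{2}):\d{2}:\d{2}) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) event=(?P<event>\S+)(?P<rest>.*)$")

# Signature rules: known-bad patterns matched literally (constructed examples).
SIGNATURES = [
    (re.compile(r"event=bulk_export"), "bulk_record_export"),
    (re.compile(r"user=(admin|svc_ehr) event=login_failed"), "privileged_login_failure"),
]


def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def signature_alerts(lines):
    """Return (timestamp, rule_name) for each line that matches a signature."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue            # unparseable lines are skipped in this demo
        for pattern, name in SIGNATURES:
            if pattern.search(line):
                alerts.append((ev["ts"], name))
    return alerts


def anomaly_alerts(lines, baseline, k=3.0):
    """Flag (user, hour) record_view counts above mean + k*stdev of that
    user's baseline, and users with no baseline at all. The stdev is floored
    at 1.0 so a very regular user does not get a near-zero threshold."""
    counts = Counter()
    for line in lines:
        ev = parse(line)
        if ev and ev["event"] == "record_view":
            counts[(ev["user"], ev["hour"])] += 1
    alerts = []
    for (user, hour), n in sorted(counts.items()):
        history = baseline.get(user)
        if not history:
            alerts.append((user, hour, n, "no_baseline"))
            continue
        mean = statistics.mean(history)
        spread = max(statistics.stdev(history), 1.0) if len(history) > 1 else 1.0
        if n > mean + k * spread:
            alerts.append((user, hour, n, "volume_anomaly"))
    return alerts


def make_views(user, hour, n, host="ehr01"):
    """Constructed record_view lines for one user within one hour."""
    return [f"2024-01-08T{hour:02d}:{i % 60:02d}:00 host={host} user={user} "
            f"event=record_view patient=P{1000 + i} src=10.1.4.22" for i in range(n)]


# Constructed per-user hourly record_view counts from the previous week.
BASELINE = {"nurse7": [12, 15, 11, 14, 13, 10, 12], "clerk3": [3, 2, 4, 3, 2, 3, 4]}

SAMPLE_LOG = (
    make_views("nurse7", 9, 13)            # normal volume for this user
    + make_views("clerk3", 22, 40)         # 40 chart views at 22:00 from a low-volume user
    + make_views("contractor9", 3, 2)      # account never seen in the baseline
    + ["2024-01-08T22:41:10 host=ehr01 user=clerk3 event=bulk_export rows=5000",
       "2024-01-08T23:02:17 host=ehr01 user=admin event=login_failed src=10.1.4.22"]
)


def run_demo():
    return signature_alerts(SAMPLE_LOG), anomaly_alerts(SAMPLE_LOG, BASELINE)


if __name__ == "__main__":
    sig, anom = run_demo()
    print("signature:", sig)
    print("anomaly:", anom)
```

The two methods catch different things: the signature rules fire only on patterns someone has already written down, while the baseline comparison catches the clerk's unusual volume and the unknown account even though neither matches any rule. Both feed the kind of trend reporting item 17 mentions, and the baseline has to be rebuilt periodically or it will drift away from how staff actually work.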
Key Takeaways for Healthcare Cybersecurity Officials
Preventing healthcare cybersecurity breaches is hard work, but officials can start with the physical security frameworks already in place, then get into the weeds of specific cybersecurity best practices (the cybersecurity resources listed above are great places to start).
Many recent data breaches and reports within the healthcare industry show the danger of not preparing for cybersecurity attacks. They also exposed the need for many healthcare organizations to take more proactive steps toward ensuring they’re ready to respond to a breach.
It takes significant time and resources to evaluate and patch vulnerabilities, so do yourself a favor and educate yourself with all the resources available to you!