Cyber attacks have become one of the most significant threats to the healthcare industry. IT professionals must continually address healthcare data security issues because of the requirements of the Health Insurance Portability and Accountability Act (HIPAA), the ethical commitment to patients, and the damage that healthcare security breaches can do to patients' lives.
Electronic health records, also referred to as EHRs, contain a host of sensitive information about patients’ medical histories, making hospital network security a primary IT concern. EHRs make it possible for physicians and other healthcare professionals, as well as insurance companies, to share essential information. This makes it easier to both coordinate care and facilitate insurance matters. Never before have medical professionals been able to collaborate in such dynamic ways to meet patients’ needs.
However, the interconnected nature of modern healthcare creates IT security risks — namely that consolidating so much essential data in a field that nearly all people use makes it a conspicuous mark for hackers and cybercriminals. In fact, the importance of data security in healthcare has never been more pronounced. Now more than ever, medical organizations must be vigilant in establishing safeguards against online threats, which is why it’s imperative to have a solid understanding of the risks and protections available.
Due to the sensitive nature of EHRs, as well as the fact that healthcare providers must comply with the privacy and security rules outlined in HIPAA, reliable storage and backup data solutions are crucial to keeping your company in compliance and maintaining your leading reputation in the industry. The known threats to electronic health record security are at the forefront of regulatory policy — HIPAA requires healthcare providers to keep their patients’ data secure, so it’s critical that EHRs are stored, transmitted and disposed of appropriately and according to regulation.
While this may seem straightforward, healthcare data security presents many challenges, both common to the IT field and unique to hospital cybersecurity.
Why Are Healthcare Information Systems a Target for Security Threats?
The paradox of shared healthcare information is that it simultaneously makes patients safer while also putting them at risk. The larger the network becomes, the more useful it is in providing top-quality medical care, but its data also becomes more attractive to criminals.
Healthcare cyber threats are a major problem for a few reasons:
- In addition to a patient’s records, medical provider networks can contain valuable financial information.
- Since there are very few people who do not see healthcare providers, nearly everyone’s personal information is available in some form.
- The interconnected nature of EHRs means that an attacker who gets into one system can reach data that has accumulated under patients' names for years. Sharing patient information is integral to providing the best possible treatment, but that same sharing also makes these networks extremely valuable targets.
Often, in cybercrimes, the attacker’s goal may be to gather information — either to sell or for their personal use. With the content available through electronic health records, a stranger could use insurance information to set up appointments, undergo expensive medical procedures or obtain prescription medication under the patient’s name. In these cases, the patient or healthcare organization may be held responsible for the charges or medications.
In other situations, healthcare organizations have faced more direct attacks. Once an attacker has access to a network, they can deploy ransomware to encrypt files or lock essential services until the organization pays a ransom. Healthcare is such a time-sensitive field that organizations have often felt they had little choice but to pay, even though payment guarantees neither working decryption keys nor recovery of the money, and law enforcement advises against it.
Although less common, network-connected devices can also be manipulated to administer incorrect treatments or otherwise change a machine's function. These developments put patients' lives in danger, as an attacker could use this access for terrorism or to hold a health provider to ransom. In medical settings, where a misplaced decimal point or a minor change in dosage can be the difference between life and death, healthcare providers cannot afford these potential threats.
Regardless of the hacker’s intentions, it’s easy to see why network security is so important.
What Are Common Healthcare Security Threats?
Unfortunately, many healthcare security vulnerabilities can compromise patients’ data. Without careful oversight, electronic health records — as well as other valuable information — can quickly fall into malicious hands.
When looking at potential threats, consider:
- Staff: Employees have easy access to patient files. While the majority won’t abuse this power, there’s no guarantee some won’t steal sensitive information. Criminals can use this type of information in identity theft, but it can also be used to intimidate or even blackmail people. There are multiple ways in which staff can steal records. In some cases, employees access confidential financial documents and use patients’ credit card numbers to commit a series of fraudulent purchases. Other workers have been found to steal face sheets, including demographic and social security information, which can then be used to commit a variety of crimes.
- Malware and phishing attempts: Sophisticated malware and phishing schemes that plant malicious scripts on a computer or steal login credentials can compromise an entire system. One of the most challenging aspects of malware is that it only takes one seemingly authentic link to introduce a malicious presence into your network. It's essential to train staff to recognize common phishing attempts. One common scam is an email from an authentic-looking site requesting login information, something reputable companies never ask for through email. Once a user provides that information, the attacker on the other end can log in to the system. Different types of malware will harvest records-related data and automatically send it back to the attacker's server, or leave a backdoor open for later access.
- Vendors: Healthcare providers often work with vendors without assessing the accompanying risk. For example, if a hospital hires a cleaning company, its employees might gain access to computers. While patient information should be locked in ways that the average employee cannot view, it can be difficult to safeguard all points of access since cleaning and maintenance are integral to maintaining a healthy work environment.
- Unsecured mobile devices: Healthcare facilities that allow mobile logins don't always require the devices to meet security standards. This leaves their networks vulnerable to malware and attackers, since none of the organization's planning and security controls apply to staff members' personal devices. The issue is compounded when staff dispose of old equipment during an upgrade: network information or passwords might still be recoverable from the device, creating a natural access point for criminals. Unless the organization sets strict guidelines or bans personal devices altogether, there is little that employers can do.
- Lost and stolen mobile devices: In much the same way, lost or stolen devices represent an enormous risk. Any mobile device used to access a facility's network becomes a liability as soon as it is lost or stolen. Once it falls into the wrong hands, the holder can easily access the system using cached or stored login data. Once a criminal has access to the network, it can be challenging to detect their presence or close the breach.
- Network-connected medical devices: The security of network-connected medical devices is often lacking, making them easy targets. There was a time when tools such as infusion pumps only provided information to the doctor and patient involved. However, as the Internet of Medical Things (IoMT) continues to grow, these devices are designed to export information to external systems and otherwise interact with the world outside the doctor's office. This data could be intercepted or manipulated, creating a host of issues. Moreover, an attacker who reaches the network segment these devices sit on could manage most of them, including how the machines function.
- Unrestricted access to computers: Computers that aren’t in restricted areas can easily be accessed by unauthorized personnel. If these open computers are connected to sensitive patient information, unauthorized staff or others in the area could quickly find damaging information. In other cases, successful phishing attempts on general-access computers provide a gateway for hackers into more sensitive areas of the network. Be sure any computer that holds patient information is placed in a secure location.
- Inadequate disposal of old hardware: It's easy to believe that once you've deleted information, you no longer have to worry about people accessing it. But when users improperly dispose of hard drives, old terminals and other hardware used to access a network with EHRs or credentials, that information is well within a criminal's grasp. Well after files have been deleted, and even after a drive has been reformatted, it is often possible to recover the data, meaning anything the user saved is still exposed unless the drive is cryptographically erased or physically destroyed.
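The device-related threats above (unsecured personal devices and network-connected medical devices) are usually caught first by comparing what is actually on the network against an asset inventory, which is the network-map control described later in this article. The following is an added example, not code from the original article or from Consolidated Technologies: it parses DHCP lease acknowledgements and flags MAC addresses that are not in the inventory, or that obtained an address on a segment other than the one the inventory assigns them (for instance an infusion pump showing up on the general clinical VLAN). The inventory, the VLAN plan and the lease lines are constructed sample data, and the lease line layout is an assumption modelled loosely on an ISC dhcpd log.

```python
"""Flag unknown devices and devices on the wrong network segment from DHCP logs.

Added example, not the original article's code. INVENTORY, VLAN_BY_PREFIX and
SAMPLE_LEASES are constructed sample data; the lease line format is assumed.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory: MAC address -> (asset name, expected segment).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("nurse-station-pc-03", "clinical"),
    "aa:bb:cc:00:00:02": ("infusion-pump-icu-12", "iomt"),
    "aa:bb:cc:00:00:03": ("dr-smith-tablet", "byod"),
}

# Constructed segmentation plan: address prefix -> segment name.
VLAN_BY_PREFIX = {
    "10.10.": "clinical",
    "10.20.": "iomt",
    "10.30.": "byod",
    "10.40.": "guest",
}

# Only DHCPACK lines matter: they record an address actually handed out.
LEASE_RE = re.compile(
    r"DHCPACK on (?P<ip>\d+\.\d+\.\d+\.\d+) to "
    r"(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
)

# Constructed log lines (assumed format).
SAMPLE_LEASES = [
    "Jan 10 08:01:02 dhcpd: DHCPACK on 10.10.4.15 to aa:bb:cc:00:00:01 (NURSE-PC-03) via eth0",
    "Jan 10 08:01:03 dhcpd: DHCPDISCOVER from aa:bb:cc:00:00:99 via eth0",
    "Jan 10 08:01:04 dhcpd: DHCPACK on 10.10.4.77 to aa:bb:cc:00:00:02 (pump) via eth0",
    "Jan 10 08:02:10 dhcpd: DHCPACK on 10.30.1.9 to aa:bb:cc:00:00:03 via eth0",
    "Jan 10 08:03:00 dhcpd: DHCPACK on 10.10.4.80 to aa:bb:cc:00:00:99 (iphone) via eth0",
]


@dataclass
class Finding:
    mac: str
    ip: str
    kind: str      # "unknown-device" or "wrong-segment"
    detail: str


def segment_for(ip):
    """Map an address to its planned segment, or 'unmapped' if no prefix matches."""
    for prefix, segment in VLAN_BY_PREFIX.items():
        if ip.startswith(prefix):
            return segment
    return "unmapped"


def audit_leases(lines, inventory=INVENTORY):
    """Return findings for leases granted to unknown or mis-segmented devices."""
    findings = []
    for line in lines:
        match = LEASE_RE.search(line)
        if not match:
            continue  # DISCOVER/OFFER chatter and unrelated lines are ignored
        mac, ip = match["mac"].lower(), match["ip"]
        segment = segment_for(ip)
        if mac not in inventory:
            findings.append(Finding(mac, ip, "unknown-device",
                                    f"not in inventory; leased on {segment} segment"))
            continue
        name, expected = inventory[mac]
        if segment != expected:
            findings.append(Finding(mac, ip, "wrong-segment",
                                    f"{name} expected on {expected}, seen on {segment}"))
    return findings


if __name__ == "__main__":
    for f in audit_leases(SAMPLE_LEASES):
        print(f"{f.kind:15} {f.mac} {f.ip:14} {f.detail}")
```

On the sample data this reports the infusion pump leased on the clinical segment and the unknown phone that joined the clinical segment; the nurse station and the registered tablet are silent. In practice the inventory would come from the MDM and biomedical equipment databases rather than a literal dictionary, and a DHCPDISCOVER from an unknown MAC is itself worth logging even though no address was granted.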
How Can My Employees Address Data Security Issues in Healthcare?
The healthcare industry is not alone in facing cyber defense challenges. Small businesses have been looking for answers to cybersecurity issues for years, and one of the most effective methods is to involve all employees in keeping the network safe. Specific attacks and countermeasures will continue to evolve with technology, but there are general employee guidelines that can help to deter cyber criminals.
A few critical ways you and your employees can prevent cyber threats include:
- Educating Employees: Helping employees understand the role they play in cybersecurity and the impact it can have on patients’ lives fosters an atmosphere in which security is valued and respected. Regular briefings and communication on the state of the organization’s security reiterate the emphasis the organization is placing on cybersafety. Attending staff training sessions and making cybersecurity a regular topic in meetings could also help drive this message home.
- Establishing Procedures: Create a plan that outlines specific protocols for dealing with information and networks — both physical and virtual — and make sure they are followed. By explicitly expressing the expectations, the process becomes standardized, allowing more comprehensive oversight for network security monitors. Developing appropriate penalties for failure to follow the procedures not only discourages inattentive behavior that may threaten your ability to stay in compliance with HIPAA but also underscores the value you place on keeping patient information secure.
- Require Software Updates: Cybercriminals often exploit known vulnerabilities in outdated software or other unsecured access points. To combat this, enforce software updates on machines, use two-factor authentication, and require strong passwords. You can help your employees by configuring company machines to install updates automatically so that employees only have to approve a restart. Note that if you also schedule periodic password changes, current NIST guidance (SP 800-63B) recommends against forced rotation unless there is evidence of compromise, and favors screening new passwords against lists of known-breached passwords instead. Once again, all of this is difficult to enforce on staff personal devices, so educating employees on the importance of updates is crucial.
- Set Strict Personal Device Regulations: Healthcare providers should establish strict protocols regarding the use of mobile devices, as well as the disposal of hardware that has contained sensitive information in the past. Mobile device management (MDM) software allows your IT administrators to secure, control and enforce policies on tablets, smartphones and other devices, ensuring employees don’t break significant policies, and your data stays safe.
What Should You Do If There Is A Security Breach in Your Healthcare Organization?
Maintaining a secure network may seem like a lot of work, but managing reports after a cyber breach will be at least as much work — and that work is in addition to your responsibility to correct the area that led to the violation in the first place.
If you know that your patient information may have been compromised:
- Report the Breach: Under the HIPAA Breach Notification Rule, a breach of unsecured protected health information must be reported to the U.S. Department of Health and Human Services, and the timeline depends on the number of people affected. Breaches affecting 500 or more individuals must be reported without unreasonable delay and no later than 60 days after discovery, with notice to the affected individuals in the same period and, where more than 500 residents of a state or jurisdiction are affected, to prominent media outlets. Smaller breaches must still be notified to the affected individuals within 60 days, and may be logged and reported to HHS annually, within 60 days after the end of the calendar year in which they were discovered.
- Share Information: Even before you become a victim, help your patients recognize signs of fraud, including unrecognized medical bills and unsubstantiated claims from insurance providers. The Federal Trade Commission (FTC) provides detailed information you could pass along to any interested patients, including their rights under the Fair Credit Reporting Act (FCRA) and how to proceed with any claims.
- Reexamine Your Network: If an attacker gained access to your organization’s network, you’ll need to investigate the incident and secure any weaknesses that allowed threats. This is a great time to enlist network professionals who can find the current gap as well as assess for future problems and create safeguards against future attacks.
How Can Healthcare Organizations Minimize Security Threats to Information Systems and Networks?
Fortunately, it’s possible to minimize vulnerabilities in healthcare computer systems. This involves putting a robust cybersecurity program in place that covers the entire network, including cloud-based storage.
All data should be encrypted both in transit and at rest so third parties cannot read it if they intercept a connection or obtain a drive or backup. Beyond encryption, the following measures should be in place:
- Understand Your Network Map: Utilize technology that provides an overview of the devices and storage on your network. In this way, you can see exactly what information is vulnerable in which ways, and you’ll know when new or unauthorized devices have joined the system. This layout will also help you establish the access and restrictions for each device on the network, cutting down on inappropriate staff conduct.
- Update Your Software: Be sure all software and operating system information is up to date. These updates include critical patches that discourage potential cybercriminals who jump on previously-found weaknesses in software. If you do not utilize the proper software updates, criminals can still take advantage of the holes left behind by earlier versions.
- Virtual Private Network Encryption: Encrypting your network connections is a great way to enhance privacy and block eavesdroppers. A Virtual Private Network (VPN) encrypts traffic between a remote device and the organization's VPN gateway, so anyone monitoring the path in between (for example on hotel or home Wi-Fi) sees only ciphertext. Be clear about its limits: a VPN does not protect a device that is already compromised, and it does not encrypt traffic once it leaves the gateway, so applications should still use TLS end to end.
- Conduct Regular Audits: System administrators should conduct regular audits, and two-factor authentication should be required for anybody looking to adjust information or enter new data. All users should be required to create strong passwords, and credentials should be rotated on the organization's defined schedule or immediately when compromise is suspected. Access credentials should also be reviewed regularly, and checked against HR records, to ensure former or transferred employees no longer have access to patient data.
- Set Strict Access: Rather than thinking solely about what you need to restrict, consider data from this viewpoint: What does each employee need to access to do their job? This establishes a least-privilege context in which the minimum amount of information is available, cutting the possibility for staff misuse.
- Think Like a Hacker: By understanding the basics of how a cybercriminal manipulates a network, you will be in much better position to impede their efforts. While it may be difficult to account for this without a background in healthcare data security measures, this crucial step will highlight any potential gaps in your plan.
- Use Professional Services: Though there are many ways health organizations can limit potential threats, your area of expertise is utilizing information to help patients, not managing data security measures in healthcare. By assigning network security to a specialized outside agency, you receive professional network safety and support, allowing your staff to focus more directly on medical-related tasks.
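The audit and least-privilege points above only work if somebody actually compares access logs against the HR roster and the role policy. The following is an added example, not code from the original article or from Consolidated Technologies: it reads EHR access-audit entries and reports three things an auditor looks for, access by an account whose owner is not active in HR, access to a record section the user's role does not permit, and one user opening an unusually large number of distinct patients in a short window (a common sign of snooping or bulk export). The roster, the role policy and the log lines are constructed sample data, and the log layout is an assumption; real EHR audit logs differ by vendor and the role would normally be looked up in the directory rather than trusted from the log line.

```python
"""Audit EHR access entries against HR status, role policy and a bulk-access threshold.

Added example, not the original article's code. ROSTER, POLICY and SAMPLE_LOG are
constructed sample data; the log line format is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed HR roster: user id -> employment status.
ROSTER = {
    "jdoe": "active",        # nurse
    "mlee": "active",        # billing clerk
    "rsmith": "terminated",  # left last month; account should have been disabled
    "kpatel": "active",      # physician
}

# Constructed least-privilege policy: role -> record sections that role may open.
POLICY = {
    "nurse": {"vitals", "medications", "notes"},
    "billing": {"demographics", "insurance"},
    "physician": {"vitals", "medications", "notes", "labs", "demographics"},
}

BULK_THRESHOLD = 3               # distinct patients ...
BULK_WINDOW = timedelta(minutes=5)  # ... within this window triggers a finding

# Constructed audit entries (assumed format):
# "<ISO timestamp> user=<id> role=<role> patient=<id> section=<section>"
SAMPLE_LOG = [
    "2024-03-04T09:00:00 user=jdoe role=nurse patient=P1001 section=vitals",
    "2024-03-04T09:01:00 user=mlee role=billing patient=P1001 section=insurance",
    "2024-03-04T09:02:00 user=mlee role=billing patient=P1001 section=notes",
    "2024-03-04T09:03:00 user=rsmith role=nurse patient=P1002 section=vitals",
    "2024-03-04T09:10:00 user=kpatel role=physician patient=P2001 section=demographics",
    "2024-03-04T09:11:00 user=kpatel role=physician patient=P2002 section=demographics",
    "2024-03-04T09:12:00 user=kpatel role=physician patient=P2003 section=demographics",
]


def parse_line(line):
    """Split one audit entry into a dict with a parsed timestamp."""
    ts, *pairs = line.split()
    event = dict(pair.split("=", 1) for pair in pairs)
    event["ts"] = datetime.fromisoformat(ts)
    return event


def audit_access(lines, roster=ROSTER, policy=POLICY):
    """Return (user, finding kind, detail) tuples for suspicious accesses."""
    findings = []
    per_user = defaultdict(list)  # user -> [(timestamp, patient)]
    for line in lines:
        ev = parse_line(line)
        user, role, patient, section = ev["user"], ev["role"], ev["patient"], ev["section"]
        status = roster.get(user, "unknown")
        if status != "active":
            findings.append((user, "inactive-account",
                             f"HR status '{status}' but opened {patient}/{section}"))
        if section not in policy.get(role, set()):
            findings.append((user, "outside-role",
                             f"role '{role}' opened '{section}' for {patient}"))
        per_user[user].append((ev["ts"], patient))

    # Bulk access: too many distinct patients inside any BULK_WINDOW-long span.
    for user, events in per_user.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            patients = {p for t, p in events[i:] if t - start <= BULK_WINDOW}
            if len(patients) >= BULK_THRESHOLD:
                findings.append((user, "bulk-access",
                                 f"{len(patients)} distinct patients within {BULK_WINDOW}"))
                break  # one finding per user is enough for triage
    return findings


if __name__ == "__main__":
    for user, kind, detail in audit_access(SAMPLE_LOG):
        print(f"{kind:17} {user:8} {detail}")
```

On the sample data the billing clerk reading clinical notes, the terminated nurse still logging in, and the physician sweeping three patients' demographics in two minutes are each reported once. The threshold and window are deliberately low for the example; in production they should be tuned per role, since an emergency physician legitimately opens far more charts per hour than a billing clerk.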
How Can Healthcare Organizations Improve Data Security?
Coming up with a comprehensive plan that will simultaneously address all issues can be daunting. There are so many moving parts and unseen factors that it can be difficult to know where to begin. Many government healthcare agencies provide building blocks to help conceptualize the process.
As you are considering your data security, be sure to:
- Consider All Phases: While cyber crimes are a clear danger, it’s important to remember that records theft can happen at any stage in the recordkeeping process. Because of this, it’s crucial to develop technical, administrative and physical safeguards, the three categories the HIPAA Security Rule itself uses, that together protect against record theft. Technical safeguards prevent inappropriate access to computers and block backdoors. Administrative oversight, such as the handling of training materials and the process for ensuring terminated employees no longer have network access, establishes safeguards against employee misuse. Meanwhile, adjusting how records are physically handled and where devices are located cuts down opportunities for abuse as well.
- Use the Crosswalk: Consider the HIPAA Security Rule crosswalk published by the HHS Office for Civil Rights, which maps each HIPAA Security Rule standard to the corresponding National Institute of Standards and Technology (NIST) Cybersecurity Framework subcategories. Using this mapping, you can address HIPAA security requirements with the more detailed guidance NIST provides and check that your program covers both.
How Can a Health Organization Handle This Much Security?
Securing a network can seem like an overwhelming — perhaps even impossible — task. Not only must all avenues be considered when forming a plan, but you must find a way to provide substantial maintenance to keep systems from becoming outdated by the latest hacking methods and stay in compliance with renewed regulations.
Despite these difficulties, interconnected networks of patient information will continue to grow and incorporate even more of the medical field. The results of information theft are too great to risk, making network security a principal goal of any healthcare organization.
To learn more about security for healthcare, contact the team of experts at Consolidated Technologies, Inc.