Hackers attack hospital information systems because that’s where the data is. Consider this along with the extra precautions mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and it’s clear that hospitals need to be incredibly vigilant about protecting their data.
To help focus efforts, here are 20 information security tips for hospitals:
1. Establish a security culture
Security policies are no good unless the employees are willing to protect the hospital and follow best practices. Leadership must set the example and help train employees.
2. Protect mobile devices
One of the features of electronic health records (EHRs) is that they don’t have to be used on desktop computers. It’s tempting to allow clinicians to access EHRs on mobile devices such as phones and tablets. But those devices are more vulnerable to theft and unauthorized access.
3. Maintain good cyber hygiene
Healthy habits are just as vital to hospital systems as they are to patients’ health:
- Uninstall unnecessary applications
- Change default configurations
- Wipe data from discarded devices
4. Set up firewalls
Rely on trained personnel to set up firewalls to protect hospital systems from external attacks. Firewalls can be based upon hardware or software depending on the size of the hospital system.
5. Install and maintain anti-virus software
Anti-virus software guards against malicious code that can compromise hospital systems. Viruses are a common way for hackers to gain access to hospital systems and are constantly evolving. Anti-virus updates are essential to security.
6. Backup your data
Hospital systems are vulnerable to disasters — fire, flood or hurricanes for example — in addition to malicious hacking. Backing up the data on a regular basis and keeping those backups securely stored is key to recovering from disaster.
7. Control access to protected health information
Determine who needs access to patient records and allow only them to access that data. Use audits to verify who is accessing what data. Don’t neglect to remove employee access of those who have been terminated.
8. Use strong passwords and change them regularly
Use secure password best practices such as:
- Use multiple passwords for different systems
- Change passwords regularly
- Use complicated passwords that aren’t easily guessed
- Use multi-factor authentication (which is required for e-prescribing systems)
- Allow password resets for users who forget their passwords to prevent written passwords left in vulnerable locations
9. Limit network access
Flexible networking tools can create inexpensive solutions for hospitals. They also create vulnerabilities. Wireless networks may be easy to set up, but they are vulnerable to unauthorized access if not using encryption.
10. Control physical access
Missing laptops or data storage devices are common sources of healthcare data breaches. These devices need to be kept in secure locations where unauthorized users cannot access them. Security policies should restrict their use outside of facilities to prevent loss.
11. Train staff
Employees are the weakest link in information security. They need to understand proper information security protocols and the consequences of not following protocols.
Assess your employees’ proficiency with information security and design training programs that fill in any gaps. And follow up with more training to keep employees engaged with information security.
12. Implement data usage controls
Use data discovery and classification tools to identify sensitive health data, monitor access, and protect it. These usage control tools can prevent employees from emailing it, uploading it to unauthorized sites or copying it to storage devices.
13. Monitor data access
Keeping track of which users are accessing healthcare data and resources helps identify vulnerable activities and create protective measures. Use monitoring to create audit trails so it’s easier to detect unauthorized access points.
14. Encrypt data
Encrypt healthcare data that is being transferred or stored to make it difficult (ideally, impossible) for hackers to interpret data even in the event of a successful breach. Decisions need to be made concerning what data is to be encrypted and by which methods will be used.
15. Mitigate risk from connected devices
Mobile devices are not the only vulnerability in hospital networks. Medical devices, security cameras and office equipment are often networked. These connected devices offer access points that could lead to patient data. Keep devices on separate networks and monitor for unauthorized access.
16. Perform regular risk assessments
Risk assessments will help understand the organization’s vulnerabilities. Only then can you anticipate security issues and secure hospital systems properly.
17. Evaluate security of business associates
Healthcare is all about sharing information now. Make sure your hospital systems are protected from unauthorized access if someone gains access to a business associate’s network.
18. Maintain software updates.
Outdated software is vulnerable to attack. Hackers can take advantage of older software versions without the latest security patches. It’s worth the time to take systems offline for software updates.
19. Create a recovery plan
Planning for an attack entails developing a plan for getting the hospital systems back online and protecting from another attack.
20. Establish policies for remote access of information
Technology allows healthcare workers to work from anywhere — not just within hospitals. The problem is that it creates vulnerabilities for health information. Policies need to define who can access healthcare information and what information they can access. The devices need to have appropriate security and tracking to protect data.
The U.S. Department of Health & Human Services (DHHS) offers detailed guidance for cybersecurity in healthcare. It’s good reading for all healthcare organizations. As they continue to be a desirable target for cybercriminals, hospitals must take a comprehensive and proactive approach to security to identify and mitigate threats before cybercriminals gain access to their valuable data.
