Healthcare Information Security: The Top Infosec Considerations for Healthcare Organizations Today
28 healthcare and information security professionals provide tips for securing systems and protecting patient data against today's top healthcare security threats.
Healthcare organizations face numerous risks to security, from ransomware to inadequately secured IoT devices and, of course, the ever-present human element. Coupled with HIPAA and other regulatory requirements that make securing protected health information (PHI) paramount, healthcare organizations have no shortage of serious security considerations that must be adequately addressed to ensure patient privacy and safety.
To find out what security considerations are weighing heaviest on the minds of healthcare security pros, we reached out to a panel of healthcare executives and security professionals and asked them to weigh in on this question:
"What are the top 3 information security considerations for healthcare organizations?"
Meet Our Panel of Healthcare Executives and Security Professionals:
Read on to discover what our experts had to say about the most pressing security considerations are for healthcare organizations today.
David Finn, CISA, CISM, CRISC, is a healthcare IT advisor with ISACA and Health Information Technology Officer for Symantec. David serves on the CHIME Board of Trustees and is vice president of the Primary Care Innovation Center in Houston. In the past, he served on the national Board of HIMSS and on ISACA’s Professional Influence and Advocacy Committee (PIAC).
"I am frequently asked by CIOs and CISOs in healthcare either 1) 'What should we do first?' or; 2) 'Now that we have that done [insert name of a security technology], what do we do next?' The answer is..."
“That depends.” It depends because the days of point solutions are over. You can’t solve point security problems with individual point solutions. You have to have a cyber security platform (it started with ERP on the business side and then the EHR on the clinical side). A ‘platform’ implies you have a security strategy. The security strategy should support the IT Strategy. And, finally, the IT strategy should support the business strategy. Security is a strategic function of healthcare today.
The question now becomes "How do we make security strategic to the business of healthcare?" That’s a little easier to answer. Let’s start with a few things we know.
First, spending in healthcare on security and security staff was up from 2015 to 2016 although it still lags – badly – behind other regulated industries.
Insider threats (intentional and unintentional) continue to plague healthcare particularly via email with infected files, web links and social media ‘attacks’.
We have also seen an uptick in the adoption of security frameworks but the industry still uses frameworks or tools that are not risk-based. You will never solve a business problem by just throwing technology at it. What you are more likely to do is complicate a business problem with technology. Here is what you need to do:
- Continue to invest in financial and human resources for security - but do it strategically. Many healthcare providers still don’t have a dedicated leader assigned to security. If it is a strategic function, you need to. Everyone hired a Quality Officer when quality became an important measure and strategic to healthcare.
- Develop and implement Cybersecurity training for all employees. The employee is the first line of defense in cyber attacks. If you are not training them but just hiring people and buying tools, you are wasting your money.
- If you don’t have a risk-based security framework (like NIST’s CSF) in place to identify all your cyber risks and prioritize them for remediation - do that now! You can’t just look at the security risk, you must look at the risk to the business - ransomware doesn’t shut down IT, it shuts down patient care. That is the business of healthcare.
- Engage business and clinical leaders in information governance and in implementing security practices. Security and IT can’t do it alone.
Mike Meikle is a Partner at SecureHIM, a healthcare security consulting and education company. SecureHIM provides cyber security training for healthcare clients on topics such as data privacy and how to minimize the risk of data breaches. They also provide extensive cybersecurity consulting services for their customers.
"The top three information security concerns for healthcare (mobile, EMR, ransomware) all revolve around the protection of Electronic Protected Health Information (ePHI)..."
State and Federal (HIPAA) privacy and security guidelines directly impact the ramifications of a data breach which can result in significant penalties for an institution.
Mobile devices have opened a large attack surface on healthcare data assets. While mobile device usage has changed the way healthcare conducts business it has come at a significant price of additional vulnerability to cyber-attacks. The added pressure of meaningful use mandates and consumerization (BYOD) trends of mobile devices into the practice is pushing healthcare to adapt new workflows and business models. Risk mitigation must be a primary concern as this trend continues.
Ransomware has exponentially increased as a threat to healthcare. The attacks cannot be wholly stopped or prevented, no matter what type of technological and personnel controls are implemented. If a malicious actor wants to break into a person’s or company's sensitive information, they will find a way. It may not be a technical approach; it could be using very reliable social engineering techniques.
Ransomware relies upon technical and personnel vulnerabilities that are growing in scope and visibility due to the increasing automation and interconnectedness of systems, mobile devices and the sharing of personal data. The financial incentive is there for the criminal, nation-state, or other malicious actors to perpetrate these crimes.
The most effective way to recover from a ransomware attack is to have a well-tested backup and recovery plan for your organization. If the organization can roll back their saved data to a time when the ransomware had not infiltrated the organization, then there should be minimal financial loss.
Health and Human Services Office of Civil Rights has stated that successful ransomware attacks that occur in a healthcare organization are considered a data breach and must be reported.
The protection of intellectual property (IP) and Electronic Patient Health Information (ePHI) is the driving force behind EMR security. A large percentage of EMR systems are cloud based. If a cloud service provider stores information in overseas data centers it may not be protected by U.S. intellectual property laws and therefore it may be difficult to prove the confidentiality and integrity of a customer’s or patient’s data. Industries that put additional privacy and security burdens on data protection such as Healthcare (HIPAA) have additional regulatory burdens to consider.
As the reliance on cloud services grows larger, the security evaluation of these services grows in importance. How to do you evaluate the security risk in using such a service? What important security questions should be asked? The first step is to query the Cloud Service Provider (CSP) on what security auditing standards does their services comply with (SAS 70, FIPS 200, etc.)? Consider where the data will be stored and if U.S. IP laws will apply. Review the contract language, terms and conditions for appropriate risk management on behalf of the CSP or third-party. CSPs will also have to sign a Business Associates Agreement (BAA) per HIPAA privacy and security guidelines.
Tim Singleton has worked in the computer and technology industry since 1999, doing everything from entry level help desk work to designing business networks and advising large IT organizations. He currently owns and operates Strive Technology Consulting, a managed service provider in Boulder that provides enterprise-class support and guidance to small businesses.
"Ransomware is the most important security concern for healthcare organizations today..."
Ransomware may delay patient care, delete data, cost you money, impact employee productivity, and force a HIPAA breach notification, all from a single infection. And all indications show it will be getting worse and more frequent in the near future.
We recommend taking a layered approach to preventing, fighting, and recovering from a ransomware attack. There are three steps everyone should be taking to help prevent a ransomware infection. First, have a good antivirus and antimalware program on all computers and servers. Second, have a cloud provider scan all website and email traffic before it enters the network. Third, train all staff on how to recognize a ransomware threat and how to avoid becoming infected.
Once a computer is infected, unplug it from the network immediately to prevent propagation. Wipe the hard drive clean and rebuild its data from backup. Having reliable and frequent backups is the single most important thing you can do to mitigate the risks of ransomware.
Finally, encrypt all of your office's hard drives. This won't prevent ransomware from infecting your network, but if you are infected, it may help with HIPAA violations.
The OCR recently declared that ransomware encrypting healthcare-related data on your systems constitutes a disclosure, because unauthorized individuals have taken possession or control of the information. These breaches must be reported.
Encrypted data is another matter. This is case-specific and it is best to check with an attorney for your specific case, but we generally tell our clients that ransomware on an encrypted hard drive is not a reportable breach because the data was effectively unusable to the thief.
Tony Gore is the CEO of Red Trident, Inc. With over 20 years of cyber security expertise including engineering, design, architecture, programmatic implementation, incident management, and situational awareness, Tony has extensive experience in supporting organizations in the commercial oil & gas, utility, chemical, heavy manufacturing, and medical sectors, as well as government (DOD, NASA, DOE and Healthcare) institutions.
"The top information security considerations for healthcare organizations typically align with the top information security threats trending in the industry..."
The general top threats include compromise by the insider threat, which includes incidents caused by the lack of cyber security awareness from employees (e.g., phishing) or actual intentional and malicious activities, compromise by malware/ransomware, and compromise through stolen data which gets into issues associated with IT security standards compliance (HIPAA HITECH, PCI, NIST, etc.). The top threats do change in risk magnitude and priority based on the latest hacking trends and new vulnerabilities found by the hacker community within specific business sectors.
Using a snapshot in time for early 2017 while considering the highest threats and associated risk exposure, we have assessed the following top three considerations for healthcare organizations:
1) Implement Endpoint Protection Solutions. Regardless of whether the attack vector comes from the insider threat or external hacking, effectively managing and controlling endpoints is one of the top things healthcare organizations should consider to mitigate these threats. Solutions such as application whitelisting should be considered because this class of endpoint protection can deal with both the insider threat and malware, as well as facilitate organizations in employing access control policies and practices. In addition, traditional antivirus is no longer enough to protect endpoints. Seek next generation antivirus/antimalware solutions that include artificial intelligence and advance threat detection capabilities, and tie them into a security information and event management (SIEM) solution.
2) Include Industrial Control Systems and Medical Devices in Your IT Security Program. While these systems and devices are essentially endpoints, they are often neglected in the overall IT security programs being managed and implemented by healthcare organizations. Industrial control systems (ICS) include equipment such as supervisory control and data acquisition (SCADA), programmable logic controllers (PLCs), and human machine interface (HMI) endpoints. Most traditional IT solutions do not address the spectrum of cyber security issues associated with ICS endpoints. Medical Devices such as wearable devices and medical systems with embedded controllers or processors all create new vulnerabilities and attack vectors. Using ICS and medical devices as attack vectors to compromise IT systems is an increasing tactic used by hackers in 2017. Therefore, considering the inclusion of ICS and medical devices in the overall IT infrastructure and security program is a must for 2017.
3) Move to a Continuous Monitoring Capability. Regardless of how large or small, healthcare organizations of all sizes now have cost effective options for continuous monitoring through their existing IT security operations team or through managed security service providers offering onsite and offsite solutions. Studies are showing that businesses impacted by IT security breaches suffer devaluation, revenue loss, operational disruption and loss of intellectual property or patient data that can lead to business failure and closure within two years after the incident. Considering to put in place a reliable monitoring and incident response capability as part of your security program is more important than ever.
Mike Baker is founder and Principal at Mosaic451, a bespoke cyber security service provider and consultancy with specific expertise in building, operating and defending some of the most highly-secure networks in North America.
"The biggest security considerations for healthcare organizations are..."
1.) Wearable and Implantable IoT Healthcare Devices, from Pacemakers to Insulin Pumps to Monitors Can be Vulnerable to Attack.
Up until now, cybersecurity has been focused on computers and the networks they are connected to. However, the rapid proliferation of IoT devices, which includes pacemakers, insulin pumps and other devices, is quickly redefining the definition of a “computer,” and all of them are connected to the Internet. IoT devices tend to have weaker security protections than regular computers, including hard-coded and widely known passwords, and unlike computers, not all devices are easily patched or updatable. Additionally, there are many IoT device manufacturers, and the devices are sold through different channels; there are no common controls regarding passwords, encryption, or other security measures, and no “chain of custody” controls tracking who has handled the device or when.
Recently, the healthcare industry has come under attack from ransomware, which hackers use to breach a system and render it inoperable until the victim pays a ransom. This scenario isn’t outside the realm of possibility. By locking medical providers out of patient medical records, hackers have demonstrated they have no qualms about putting the lives of innocent people at risk.
2.) Buying Technology Alone is a Security Strategy That Does Not Work. Insider Threats Present a Huge Security Risk.
Healthcare is under constant pressure to safeguard assets, however too many firms focus on security for HIPAA compliancy and then call it a day. Compliance is a legal necessity, but organizations expose themselves to cyberattack when they use technology as a crutch. Many organizations will need to look at their operations as a critical network and seek ways to defend it. There is clearly a need for organizations to employ automated systems that continuously monitor the organization’s network, establish a pattern of use for each individual user, alert security managers to any deviations from user patterns, and then require additional authentication before allowing the deviant action to proceed further – all while simultaneously alerting the IT security team.
Examine the largest healthcare data breaches of 2015/2016. Technology did not protect the vast majority of these companies. In each case, data was breached due to hackers successfully exploiting humans.
The proliferation of mobile devices in healthcare like smartphones and tablets have also made the human element even more vulnerable because this area of security is often overlooked and is in fact the weakest link. Technology is only as good as the people who use it and is merely a tool in the fight against cybercrime. Technology alone cannot fully protect an organization’s data, networks, or interests. This is a trend in 2017 and beyond that must be recognized if organization hope to safeguard patient records.
3.) DDOS Attacks: An Old Nemesis Returns to Cripple Your Network.
Once considered a cybersecurity threat of the past, Distributed Denial of Service (DDoS) attacks have re-emerged with a vengeance. DDoS attacks are wreaking havoc on enterprises and end users with alarming frequency.
Distributed Denial of Service is a cyberattack where multiple systems are compromised, often joined with a Trojan, and used to target a single system to exhaust resources so that legitimate users are denied access to resources. Websites or other online resources become so overloaded with bogus traffic that they become unusable. A well-orchestrated DDoS carried out by automated bots or programs has the power to knock a website offline. These attacks can cripple even the most established and largest organizations. An e-commerce business can no longer conduct online transactions, jeopardizing sales. Emergency response services can no longer respond, putting lives in danger.
The reason why DDoS attacks are back is simple - it is relatively easy to launch a sustained attack and cripple any organization connected to the Internet. Botnets, a group of computers connected for malicious purposes, can actually be acquired as a DDoS for hire service. The ability to acquire destructive assets demonstrates how easy it is for someone with little technical knowledge to attack any organization.
Detecting a DDoS attack requires specialized hardware capable of sending alerts via email or text. The goal is to report and respond to the incident before the attacker makes resources unavailable. An MSSP who employs both technology and on-site personnel can monitor and act as a full operations team.
John Chapin is a lead consultant and owner of Capital Technology Services with 14 years of experience in the government and healthcare sectors.
"The top 3 concerns for healthcare organizations are..."
1. Encryption at Rest
Healthcare organizations need to make sure they have a really strong encryption at rest game in addition to an “encryption in transit” game. This includes making sure that the software running in their organization doesn’t have a really weak implementation with a single key for unlocking everyone’s PHI. We’ve seen that in the wild… and it’s not well understood by decision makers. Just because your information is encrypted doesn’t mean that it’s well implemented. Records need to be encrypted with unique keys so that an exposed key doesn’t allow an attacker to unlock everyone’s record.
2. Making Two Factor Authentication Easier to Adopt
Two factor authentication fulfills that a user is who they say they are by giving a user a unique secret, token, or by allowing them to use a biometric measure before accessing patient data. That’s important for HIPAA compliance, which mandates that anyone accessing PHI has a real need to know the information they’re accessing. But here’s the problem, some healthcare professionals are slow to adopt better technology when they don’t perceive a benefit for themselves or their staff. So chief technology and information officers need to choose a solution that’s going to be easier for their staff to adopt. For a lot of organizations that easy solution has been biometrics just because there’s no token to be lost or app to be used, just resting a digit on a fingerprint scanner.
This is a really boring topic, I know. But there are a lot of organizations that concentrate on implementing complicated authentication and access control mechanisms, but then struggle to tell you how to verify when records have been accessed. It’s almost as if someone went to the painstaking detail of installing a home security system complete with security cameras and then forgot to turn on the digital video recorder to capture the activity. Software solutions need to log all access to PHI and then secure that information in a physically separate location. If an attacker gains control of a system and the logs are only stored on that system, they’re going to take the data and then do their best to cover their tracks.
Anthony James is TrapX's vice president of product strategy.
"In terms of security considerations for healthcare organizations, we recommend that organizations..."
Review budgets and cyber defense initiatives at the facility or organizational board level. Bring in an independent cyber security expert at the board level to help you understand required budgets, staffing levels, and key activities. Consider a fast paced alternative to bring in a managed security service provider (MSSP) on an outsourced basis to augment your current cyber defense capabilities.
Major healthcare institutions should prepare for the possibility of one or more data breaches that will trigger HIPAA reporting, processes, and procedures. If you are a healthcare entity within the U.S., it is possible you will find exfiltration of patient data (more than 500 patients affected) within the public notification trigger of HIPAA. Compliance and information technology must work together to document these incidents, provide the notice and follow-up as required by law. There are similar compliance requirements in many countries around world. Major healthcare institutions should seek the advice of competent HIPAA consultants. Hospitals and physician practices in the U.S. are primary targets for a HIPAA compliance audit. Given the high risk of data breach that hospitals face, we recommend they bring in outside consultants to audit and review their HIPAA compliance program in 2016.
Raise the level of scrutiny for your business associates under HIPAA. Recognize that while many of them can meet the HIPAA requirements for privacy and data security, and have done their risk assessments, they may not have implemented the necessary best practices to meet and defeat MEDJACK.2.
Carefully note compliance requirements relating to patient data for the states that pertain to your services and patients. These can vary significantly from HIPAA and, given the current high risk environment, fastidious adherence to compliance is required at all times. Increase employee education programs pertaining to the use of healthcare information technology systems. These should not be used for personal communications. Email attachments and links (URLs) should be treated with necessary suspicion until proven otherwise. It only takes one employee mistake to let an attacker's tools into the enterprise.
Review disaster recovery plans and consider how the quality of patient care might be impacted in the event that all of your information technology resources (patient databases, scheduling systems, EMR/EHR systems, diagnostic lab ordering systems) went down or had the data locked because of a ransomware attack.
Isolate your medical devices inside a secure network zone and protect this zone with an internal firewall that will only allow access to specific services and IP addresses. If possible and practical, totally isolate medical devices inside a network which is not connected to the external internet.
Implement a strategy to review and remediate existing medical devices now. Many of these are likely infected and creating risk for your institution and your patients.
Implement a strategy to rapidly integrate and deploy software and hardware fixes provided by the manufacturer to your medical devices. These need to be tracked and monitored by senior management and quality assurance teams.
Implement a strategy to procure medical devices from any vendor only after a review with the manufacturer that focuses on the cyber security processes and protections. Conduct quarterly reviews with all of your medical device manufacturers.
Implement a strategy for medical device end-of-life. Many medical devices have been in service for many years often against a long depreciated lifecycle. Retire these devices as soon as possible if they exhibit older architectures and have no viable strategy for dealing with advanced malware such as MEDJACK. Then acquire new devices with the necessary protections from manufacturers that can comply with your requirements.
Implement a strategy to update your existing medical device vendor contracts for support, maintenance and specifically address malware remediation. If these new services raise operating budgets we believe that the additional expense is necessary and prudent. Medical device manufacturers should include specific language about the detection, remediation and refurbishment of any medical devices sold to healthcare institutions which are then infected by malware. Manufacturers must have a documented test process to determine if the device is infected, and a documented standard process to remediate when malware and cyberattackers have infiltrated the device.
Manage access to medical devices, especially through USB ports. Avoid allowing any medical device to provide USB ports for staff use without additional protections. Consider the one-way use of new memory sticks in order to preserve the air gap. Otherwise one medical device can infect similar devices.
Evaluate and favor medical device vendors that utilize techniques such digitally signed software and encrypt all internal data with passwords you can modify and reset. Software signing is a mathematical technique used to validate the authenticity of the software. Some manufactured medical devices use this technique to help prevent execution of unauthorized code. Encryption provides a safety margin in the event of data exfiltration or device compromise, at least for a window of time.
Improve your own ability, even when a device is selected, to allow your information security teams to test and evaluate vendors independent of the acquiring department. Allow your IT teams to run more stringent security tests to discover vulnerabilities and help with the management of medical device manufacturers. Allow them to object to the procurement of a medical device that provides an easy and unprotected target for the MEDJACK attack vector. Utilize a technology designed to identify malware and persistent attack vectors that have already bypassed your primary defenses. Deception technology can provide this advantage for your security operations center (SOC) team.
Andrew Bycroft is a 21 year cybersecurity industry veteran, author of the book “The Cyber Intelligent Executive,” and CEO of The Security Artist, the go to security advisory firm in Asia Pacific for executives who are serious about emerging as heroes rather than villains when cybercriminals target their organization.
"The top 3 information security considerations for healthcare organizations are..."
1. In the past, security may have taken a back seat to allocating funding to more pressing issues such as doctors and nurses, expanding critical wards, purchasing more beds or even pouring money into research of new drugs and treatments. Now with the advent of paperless hospitals and more technology being connected into the hospital network, with the propensity for some of those technologies to kill patients if tampered with, security needs to be considered as just as critical as having enough capable staff and administering the correct treatments.
2. To save on infrastructure costs, it is only natural that the healthcare industry will increasingly leverage the cloud to improve the availability of information, especially with the need to share test and treatment results with multiple doctors for a rapid and accurate diagnosis. Whilst the cloud natively takes care of availability and makes portability of patient information simple, it is important to ensure that cloud service providers that are targeting the healthcare industry have factored confidentiality and integrity into their offerings. Data sovereignty and financial viability of cloud service providers must be taken into consideration by decision makers.
3. Big data and artificial intelligence promises to provide doctors with a greater pool of information as to what treatments have worked and how to diagnose and treat some less common diseases. In addition big data may be the key to the creation of designer drugs tailored specifically for a host of symptoms that a patient may be displaying, but like cloud service providers, the integrity of the data from the vast pools of data that are available needs to be maintained. If it is not governed effectively, erroneous data could do more harm than good, with the worst case fall out being patient death.
Shai Canaan is a Security Consultant from cyber security consultancy Nettitude, Inc.
"For healthcare organizations, the top 3 information security concerns include..."
1. Inside threats via employees errors or lack of awareness - employees are the soft belly of a well defended IT infrastructure. Employees carelessness and lack of awareness may lead to a breach despite a solid network perimeter. Common examples are employees introducing threats via clicking on a malicious attachment in an email, or connecting their personal mobile device to the organization's Wi-Fi or hardware. Such threats can lead to introduction of ransomware, and malware which may harvest user credentials or even open a backdoor to a hacker.
2. Data classification management - targeted cyber-attacks are very difficult to detect and stop, however, how much the attackers may get depends on the organization's data management. When hackers successfully breach an organization they are commonly targeting the electronic protected health information (ePHI) stored in databases. Whether or not they will access this data usually depends on how well the data is classified and available to specific users based on business need to know. The better an organization understands its sensitive data flows, the better it can protect it.
3. Defense in depth - healthcare organizations should understand that there is no one layer of defense which they should rely on. Each layer of defense contributes a little more to the complexity of a breach and thus slow down attackers, resulting in some hackers moving on to an easier target. A freshly updated, well configured, and capable firewall will prevent majority of simple attacks, but the more sophisticated ones will find their way in; similarly employees may introduce threats from the inside, something which most firewalls will not be able to stop. Example of additional layers from a human resources angle can be periodic and effective employee awareness training. Another example from a technical standpoint is adding proper encryption to ePHI databases and applications which access ePHI. Such encryption may prevent a hacker, which may have already gained some internal access, from the ability to decrypt and thus expose ePHI.
Amit Kulkarni is CEO of Cognetyx Corporation and a member of the company’s board of directors. He Co-founded Cognetyx, bringing more than 18 years of technology leadership, computer network security expertise, and executive management experience to his role with the company.
"The top 3 information security considerations for healthcare organizations are..."
1) Artificial Intelligence Is Now an Affordable Healthcare Security Option
Artificial Intelligence (A.I.) technology is becoming commonplace in industries such as healthcare, which deal with large amounts of data or rely on low-risk repetitive tasks. Because of technological advances, the cost of a powerful AI security solution, which used to be only affordable to the largest organizations, can now fit the budget for almost any healthcare organization. Artificial Intelligence can offer automatic surveillance, detection and data breach alerts in real-time. Leveraging artificial intelligence and machine learning allows healthcare organizations to enjoy real time protection and risk identification, significantly reducing security risks without the need to increase staff.
2) Third Party Contractors: The Hacker’s Backdoor
Third party contractors, or Business Associates (BAs) are proving to be a similar headache for healthcare organizations. A May 2016 study published by the Ponemon Institute found that in the past two years 89% of healthcare organizations and 60% of their BAs have experienced some type of data breach. The problem is, no matter how robust the cybersecurity of a healthcare organization, as long as criminals can gain legitimate login credentials through third party vendors, they can still compromise the organization via this backdoor. The key here is that hackers can penetrate your site without gaining entry through the front-end login page. With an ever evolving ecosystem of hundreds of BAs providing a wide range of services from medical and administrative to facilities, these BAs represent a significant risk to healthcare organizations. Therefore, it is prudent for healthcare organizations to mitigate these risks as much as possible in order to protect internal systems, sensitive patient data and company reputation.
One method is to create assessment and evaluation criteria that would ensure all vendors have adequate cybersecurity within their own enterprise. Whether it is robust security software, up to date firewalls, or personnel training on security and data protection best practices, ensuring that BAs have the same robust standards of cybersecurity that healthcare organizations themselves have is a key way to minimize risk. Make sure that vendors pass security certifications that renew as needed, and periodically reassess for vulnerabilities.
As part of the assessment process, healthcare organizations should subject their BAs to vulnerability and penetration testing (VAPT) on both external and Internet-facing products, so that any vulnerability can be discovered and fixed before they can be exploited by hackers. Using a VAPT approach an organization can get a more detailed picture of the threats that may face its system, which enables the business to better protect its systems and data from hackers. Vulnerabilities as well as the potential for unauthorized access can be found in applications or security leaks from third party vendors. Those potential areas of backdoor access can typically be easily fixed once discovered while the VAPT provider continues to search for and classify vulnerabilities. Coupled with advanced cybersecurity technology to detect unauthorized and malicious users even when they use legitimate credentials, it is possible for healthcare organizations to inoculate themselves against cyberattacks.
3) Insider Threats Pose a Huge Security Risk for Healthcare
When people generally think of hacking, they visualize it as external criminals attempting to penetrate a network. The methods that get the most attention are malware or phishing scams. All of this feeds into the notion that to prevent attacks, we just need better defenses around the perimeter.
But what if the attacker is already inside the network? Once inside, there’s seemingly no way to either detect someone is up to no good, or to alert the proper authorities that something might be amiss. Any insider, knowingly or unknowingly, can put sensitive data at risk. There are two main types of insider risks that pose the biggest problem. The first is the “malicious insider.” This type of person could certainly be an external hacker who has broken into the network, either from hacking or stolen login credentials. But even more concerning, it could be a current employee who is snooping in data that they shouldn’t be in.
Technology can stop a malicious insider once they are in. Technology is advancing at a rate where the convergence of progress in multiple areas is finally making it possible to detect malicious insiders. The cost of storing data continues to go down. The processing capabilities of servers to sift through data keeps marching forward. And advances in machine learning/artificial intelligence makes it possible to make sense of the data in meaningful ways.
Will Durkee is Director of Security Solutions for TSC Advantage, an enterprise cyber risk and cybersecurity consulting firm that works with Fortune 500 companies in healthcare and other critical infrastructure sectors to provide an objective understanding of security posture and prioritize resources for a proactive and holistic defense. Will holds CISSP and HCISSP certifications. TSC has been published or quoted in The Hill, Dark Reading, CSO, Security, ReadWrite, New York Times, Time, WSJ, etc.
"The top 3 information security considerations for healthcare organizations are..."
1) Focus on the human – Human error is attributed to numerous breaches from phishing emails to misplaced PHI storage devices. The evidence shows that people continue to be a weak link in protecting the security of information. Adversaries use increasingly sophisticated methods to trick employees into clicking on malware-infested emails or to request fraudulent transfers of funds; and disgruntled or malicious insiders may knowingly steal or sabotage assets or systems.
2) Track what goes where – Patient information can flow through a complex network of multiple healthcare providers, specialists, bill payment processing firms, insurance payers, etc. Healthcare organizations need to track all steps this confidential information takes and ensure security during each phase. Many HIPAA breaches are caused by lost or stolen devices that contain Protected Health Information (PHI). As PHI devices multiply swiftly, the risk of breaches and stress of keeping track of devices increases.
3) Ensure your partners play by your rules – Adversaries are always looking for the path of least resistance, and that can often include use of third parties and supply chain partners to gain a foothold onto your network. Furthermore, a cybersecurity event affecting a critical vendor can lead to catastrophic interruptions to your business and profitability. The use of business associates is common, though implementing a third-party risk management process is still lagging. Ensure your information-sharing partners adhere to minimum security standards either through distributed security assessments or HIPAA Security attestations.
Julian Jacobsen is a HIPAA compliance IT consultant and owner of J.J. Micro LLC IT Consulting. He supports over 120 clients in the St. Louis, MO area. Julian has over 10 years of consulting experience and specializes in small medical and dental practices.
"Healthcare organizations should be asking themselves three major questions..."
Are we HIPAA compliant?
HIPAA audits are increasing. The OCR handed out $23.5 million in HIPAA breach settlements in 2016 alone, up from $6.2 million in all of 2015. The more fines the OCR hands out, the bigger their budget to perform audits grows. We are seeing small practices audited and fined just as often as larger organizations. It's important that small practices don't assume their size will hide them from the Office for Civil Rights. The rules that govern healthcare organizations are very different from other industries. What is good enough for other segments is not necessarily good enough for healthcare organizations. For instance, lets look at data storage in the cloud. There are many cloud storage providers who are SOC 2 compliant and are very experienced at securely storing important data. The data is stored in an irreversibly encrypted way and the data center does not have the encryption key; so they can never access the data. But if that cloud storage provider is unwilling to sign a Business Associate Agreement, PHI (Protected Health Information) cannot be stored there.
Do we have good ransomware protection?
Ransomware has been the fastest growing digital threat to the healthcare industry over the last two years. Ransomware continues to put protected health information at risk in organizations of all sizes from small practices to large hospitals. Remaining HIPAA compliant requires organizations to minimize these attack surfaces and train employees to spot ransomware attacks. This training can require a serious time investment from an organization. However, from a compliance standpoint, this investment in time and labor will pay dividends if an organization can avoid a major HIPAA breach. In addition to training, a healthcare organization will need to invest in a multi-pronged approach to ransomware prevention. Advanced SPAM filtering to prevent phishing and spear phishing attacks (major vectors for ransomware), DNS filtering to block access to known malware sites, and deep packet inspection at the firewall level to search for malware signatures.
Do we have a solid backup strategy?
As a last fail-safe against ransomware and any other IT related disaster, an organization must have a comprehensive backup solution that takes into account the power of ransomware to encrypt any data the infected machine has access to. This can include network shares that aren't mapped as network drives. If backups are stored on a network share that can be accessed by workstations, those backups are at risk of being held ransom with the rest of the data on the network. An organization must consider how it cordons its local backups off from the rest of the network. Additionally, an organization must have offsite backups stored in a geographically distinct and secure location. Healthcare organizations must also consider the frequency of their backups. Data stolen and data lost (but not stolen) are both considered HIPAA violations. A nightly backup might not be enough to ensure compliance.
Michael Herrick is the founder of HIPAA.host, a healthcare risk management firm in Albuquerque. HIPAA.host helps healthcare practices and hospitals improve patient privacy, cybersecurity, and HIPAA compliance. He lives with his family in downtown Albuquerque.
"Our firm works with hospitals and healthcare practices to help them protect patient privacy and improve HIPAA compliance. Here are the top three factors that come up over and over again in HIPAA risk assessments..."
Device encryption. A laptop smash-and-grab from the back of an employee's car can cost a practice hundreds of thousands of dollars in HIPAA fines. Properly encrypted devices completely mitigate this threat. You don't even have to report the loss of a device to the Office of Civil Rights if it was encrypted. Full disk encryption has became easy and inexpensive. You're crazy if you don't encrypt all your computers, laptops, and mobile devices.
Staff training on passphrase security and phishing threats. 54% of HIPAA breaches were caused or contributed to by employees. Train staff to stop thinking of easy-to-guess passwords and start using long and unique passphrases. And stop torturing your staff with periodic password reset requirements. Research shows that password reset policies don't help and can actually make things worse.
Two-factor authentication. There is no single security control that offers more bang for the buck than two-factor authentication. Many healthcare organizations have a totally false sense of security, encouraged by vendors who assure them that their email or their EHR is secure because the traffic is encrypted. None of that encryption matters if criminals get hold of a trusted employee's credentials, and that happens all the time. Two-factor authentication—extra protection from a hardware token or a pre-registered smart phone—stops password vulnerabilities in their tracks.
Willy Leichter, is Vice President, Marketing at CipherCloud. Willy brings over 20 years of experience helping Global 1000 companies meet security and compliance challenges within their networks and in the cloud. He is a frequent speaker on cloud and IT security issues in online events, and at industry conferences globally.
"The top info security considerations for health care all revolve around protecting PHI wherever it goes and keeping it from getting into the wrong hands. These include..."
1) Understanding where sensitive health data might be going - both inside and outside the organization, especially in cloud applications.
2) Being able to set and enforce data loss prevention policies around who, what, where, when and or contexts.
3) Having mechanisms to directly encrypt sensitive data before it leaves the organization.
These are not fundamentally new issues, but they become more urgent given the onslaught of hacking, and require new approaches to extend data security to cloud applications.
Michael Magrath is the Director, Global Standards & Healthcare Information Security & Privacy at VASCO
Data Security, Inc.
"The top 3 information security considerations for healthcare organizations are..."
Cybercriminals are well aware that healthcare organization are understaffed with cybersecurity professionals, devote between 5-7% of their IT budget to security and store a treasure trove of sensitive, personally identifiable information – protected health information (PHI) in their databases. These coupled with the migration to cloud services have made the healthcare industry a prime target for cyber attackers. Although HHS’s Office of the National Coordinator has drawn a line in the sand calling for healthcare organizations to implement identity proofing and authentication best practices for all healthcare participants to protect patient privacy and security, the reality is, only half are using multifactor authentication and few are doing a credible job of identity proofing.
The majority of breaches have stemmed from compromising login credentials, namely one’s username and static passwords. Stealing credentials can happen from brute force attacks on unencrypted data, social engineering, or phishing attacks to name a few. Organizations relying on protecting PHI with passwords are gambling and risk financial penalties, loss of revenue and shareholder value, reputation loss, and lost customers (patients).
Ransomware is a type of malware that renders the victim’s computer or specific files unusable or unreadable and demands a ransom from the victim in return for a cryptographic key, used to restore the computer or decrypt the encrypted files.
Ransomware continues to be a top concern for all enterprises and healthcare organizations are no exception. Ransomware can bring an organization to an immediate and intrusive halt. Healthcare organizations have more to lose than organizations in other sectors. In addition to lost revenue, for healthcare organizations that could mean loss of life and litigation. Moreover, there is a lucrative black market for medical records. Solutionary's Security Engineering Research Team Quarterly Threat Report for Q2 2016 noted that the healthcare industry is hit significantly harder by ransomware than any other industry — 88 percent of ransomware attacks hit hospitals.
Paying criminals for a cryptographic key may work once, but is not a real solution. Paying them once will simply affix a bullseye on the organization for future attacks. Preventing ransomware infections requires updating applications (applying patches and making sure all operating systems are up-to-date) and educating all users not to click on links, ads, etc. contained in emails. Organizations should schedule back-ups as often as possible should they fall victim to mitigate the damage caused by a ransomware attack.
Securing medical devices and applications
The Internet of Things (IoT) has brought connectivity and real-time statistical information to providers while offering convenience to the patient. Chronic illnesses such as congestive heart failure, diabetes, hypertension, and chronic obstructive pulmonary disease can be monitored by providers via wearable medical devices. Convenience is wonderful but device design must address security and thwart hackers. Hacking an unsecure device could gain entry into the health system's network infrastructure, putting the entire system at risk including the aforementioned ransomware. Equally important is that unsecure devices could actually kill patients should hackers gain access and alter them. Johnson & Johnson was forced to warn customers about a security bug in one of its insulin pumps last fall. CIOs will be taking a hard look at medical device security prior to procuring them.
As it relates to applications, specifically mobile applications, PHI maybe is at risk. Although the majority of connected health apps do not pose a risk to patients should they be hacked, many do. Apps that track physical activity, diet or heart rate do not pose a risk, but many others like electronic prescribing, texting, patient portal and telehealth apps access and possibly store PHI; they are undoubtedly targets of hackers.
Moreover, covered entities and business associates that offer a mHealth app that create, receive, maintain and transmit PHI better lock down the security of the app or risk a serious HIPAA violation. Penalties for noncompliance based on the level of negligence carry a maximum fine of $1.5 million per violation. 80% of mobile health apps are open to HIPAA violations, hacking and data theft (HealthIT News, 1/13/16) while a single mobile data breach could cost $26.4 million (Health Information Technology, 2/23/16).
Gartner recommends that enterprises focus on data protection on mobile devices through usable and efficient solutions, such as application containment (via wrapping, software development kits or hardening). Today the majority of app developers finish their final build and push their app to the app stores to meet their deadlines.
Runtime Application Self Protection (RASP), or application shielding, is a set of technologies used to add security functionality directly to mobile applications for the detection and prevention of application-level intrusions. App shielding is a common security approach widely utilized by financial institutions, and enterprises today, but not so much in the healthcare sector. RASP proactively shields apps from malware, controls execution, and prevents real-time attacks. RASP also protects the integrity of mobile applications to ensure data and transactions are not compromised while maintaining a mobile application's runtime integrity even if a user inadvertently downloads malware onto their device. App developers, particularly those subject to HIPAA violations, should bake bank-level security into their development.
Having spent more than 30 years in the marketing and communications industries as a television reporter, production agency founder, and multimedia network executive, Steve brings his creative talents to VertitechIT as Vice President, Marketing and Communications. A nationally renowned corporate storyteller and Emmy Award-winning producer, Steve works in developing new business opportunities and heads up branding and marketing efforts as well as communications. In addition to his internal duties, Steve consults with healthcare IT clients across the country in developing effective strategies for communicating IT organizational change.
"The top 3 information security considerations for healthcare organizations are..."
1. Ransomware. The largest breaches of patient data last year were all due to Ransomware. The dramatic rise in attacks against healthcare in 2016 seems to indicate that cybercriminals have become aware of the significant impact to healthcare and its ability to effectively treat patients when it loses access to electronic systems.
2. Phishing. Sophisticated emails and websites that bypass most security controls are all but impossible to adequately defense. It’s hard to protect an organization from human behavior.
3. The Internet of Things. These devices have created an environment of risk due to the challenges of properly securing and controlling systems that are hooked up to the network and the internet that often have different security criteria than do traditional computers.
David Bourgeois is the President & CEO of My IT based in New Orleans, LA. He founded My IT in 2000, and the company has been one of Inc.'s 5000 Fastest Growing Companies in 2015 & 2016. David is My IT's Privacy Officer and go-to expert in HIPAA and construction technology.
"The top 3 information security considerations for healthcare organizations include..."
HIPAA Assessment & Audit - HIPAA requires an assessment of a healthcare organization's network and how you manage, store, and transfer PHI. An assessment provides a baseline of where you're currently at and areas where you can improve security, including training your staff. From there, a healthcare organization needs to create a game plan on ways to improve security, document any changes and planned changes, and then audit those changes periodically (the frequency depends on the size of the organization).
Secure Mobile Devices - One of the easiest and most common ways to lose patient data is losing a mobile device (smartphone, tablet, or laptop). If that device does not require a passcode to unlock it, even misplacing the device for a short period is considered a breach. Luckily, requiring a passcode is free to set up.
Secure Emails & Texts - Medical providers can not send unsecured emails and texts because they can not verify the security of the recipient's network. Adding the ability to send confidential emails can be as little as $3/month per user and only takes two clicks to secure.
Richard Rupp joined Modio Health in July 2015 as Head of Product. Prior to joining the Product team, Rich worked seven years at Inflection and Ancestry combined - joining Ancestry as a Principal Product Manager in 2012 when they acquired Archives.com from Inflection for 100 million. Rich brings years of pre-IPO and acquisition startup experience, holding prior internet marketing roles with QuinStreet, E-com Media Group, and Niku Corporation. He is passionate about work, family, SEO, and the environment.
"The top 3 information security concerns for healthcare organizations include..."
1. Healthcare organizations need to pick secure, HIPAA compliant and fully vetted vendors to ensure patient data is protected against accidental disclosures, data loss or access by unauthorized personnel. Making sure employees are fully trained on proper protocols and well administered are essential. (Confidentiality)
2. Ensuring patient data is readily available to providers and patients when needed requires software with high uptime. All data should be securely backed up and stored at all times. (Availability)
3. Data should always be verified and pulled from primary sources. Data that is accurately exchanged, transmitted, stored and updated in a consistent and reliable manner allows for better tracking and auditing. (Integrity)
Steve Wilson is the vice president of product at Accusoft, and he has more than 20 years of experience in software and app development.
"Document management and security is one of the biggest challenges for hospitals and healthcare organizations..."
With the rise of patient confidentiality regulations and the rise of electronic healthcare records (EHRs), much more digital protection is required in today's healthcare landscape. Here are three infosec considerations for healthcare institutions:
Adopt a certification process for open APIs
Application Programming Interfaces (APIs) are sets of protocols that govern how software applications communicate with each other and share data. While many industries frequently use open APIs — those available publicly that allow developers to access and work with proprietary software — there are inherent challenges for adopting them in the healthcare space. Creating a certification process would allow healthcare organizations to reap the benefits of open APIs, while still ensuring reliability and security.
Improve EHR training
Proper training is a top way to combat healthcare security breaches. According to recent Accusoft survey of IT managers across a wide range of industries, 43 percent felt employees don't always comply with document-handling procedures. If employees are given training and the right tools, breaches and other security vulnerabilities have the potential to become scarce.
Though EHRs are being more effectively leveraged, it's still important for organizations to ensure they are using top-notch technology. Cloud-based systems that offer document web-viewing eliminate the need for downloads, one of the top collaboration security risks facing businesses across the board.
As President of Canada’s foremost provider of high quality document management and business process outsourcing solutions, Octacom, Sheila Lindner has helped numerous businesses and enterprises streamline and optimize their administrative efforts for better security and efficiency.
"A main IT security consideration for healthcare organizations is..."
Developing capable and effective security solutions to protect a wider influx of data, much of which contains sensitive information, when dealing with the healthcare industry.
Gartner estimates that 75% of mobile apps fall below basic security expectations. This is not a statistic companies can allow to continue as we move towards a marketplace that will continue to become increasingly more ingrained with IoT and the digital transmission of personal data and information.
To ensure their security systems are up to standard, they must implement an effective system for the early detection of security vulnerabilities, and pay particular attention to proactive and adaptive detection and mitigation for securing the endpoint. The endpoint remains one of the most vulnerable areas of online transactions, and most often hacked, making it a key priority for developing security with IoT. Often overlooked and underestimated, companies must also set up a strict process for regularly scheduled reviews to ensure effective maintenance and make any necessary upgrades to fill potential security gaps.
Tom has over 30 years of IT experience and developed many business applications during that period. He was the founder of Surgicenter Information Systems (SIS) in 1989. By 2001, SIS had over 600 surgery center installations throughout the United States, Canada, Mexico, and Guam. In March of 2001, Tom sold SIS to Source Medical Solutions and remained on as their Senior VP and Chief Technology Officer until 2003. From 2004 to 2005, Tom broadened his knowledge and experience by joining Ascent Partners which developed and managed ambulatory surgery centers. In 2005, Tom Hui founded HST (Healthcare Systems and Technology) and is headquartered in Lafayette, CA. It has grown to over 400 installations and continues to be the "gold standard" in ASC software today.
"As the CEO of a healthcare organization, the top 3 IT security considerations are..."
1. Most security breaches are low tech and can be prevented with education and in-service to employees on what to avoid. A few common examples of low tech breaches are clicking on links that are unknown, not adhering to best practices for password maintenance (complexity and periodic changes), and giving out the password to the secured wireless network. Continuing education (refresher) for employees is an inexpensive and practical effort that produces good results. The key word is “prevention.”
2. Cost and complexity of security measures is another key topic. What is the appropriate level of investment in security technology a healthcare organization should make? The answer is different depending if you are a freestanding entity or if you are part of a large corporate chain or hospital network. Some security technology can also result in inefficiencies as side effects. Sometimes, the technology measures are so cumbersome that they get abandoned which defeats the original purpose.
3. Common security violations or threats are unsecured physical access to servers. Unsecured physical servers and equipment is a big one because patient data could be stored on thumb drives, CD, personal laptops, external hard drives, and unsecured servers.
Gerry is the manager of Axiomatics' US operations, supporting the sales and marketing teams as well as working with partners. During his career, he has worked in financial services, as an industry analyst and with Axiomatics since early 2010. In 2007, Gerry organized the first ever XACML interoperability demonstration at the Burton Group Catalyst Conference.
"The top 3 information security considerations for healthcare organizations include..."
Cybersecurity – The importance of implementing virtualization layers and compartmentalization to improve security.
Eliminating Toxic Combinations — Moving from Role Based Access Control (RBAC) to role-based Attribute Based Access Control (ABAC) to implement business rules in context-aware and risk-mitigating policies.
Protecting Sensitive Data – Setting fine-grained access control policies allowing the right people to see the right information. This not only improves data privacy and redirects possible hacks; this approach reduces latency and errors.
Jay and Mara Shorr
Jay A. Shorr, BA, MBM-C, CAC I-X is the founder and managing partner of The Best Medical Business Solutions, a Florida-based medical practice consulting firm assisting practices with their operational, administrative and financial health. Jay served as the Vice President of Operations and Practice Administrator for a leading Board Certified Dermatologist and Cosmetic Surgeon in South Florida until her passing in June 2012. Mara Shorr, BS, CAC II-X, is the vice president of marketing and business development for The Best Medical Business Solutions. A Central Michigan University alumni ambassador and alumni fellow, Mara Shorr brings a decade of marketing and communications experience to The Best Medical Business Solutions.
"The top information security considerations for healthcare organizations are..."
1- Not using HIPAA compliant software. We’ve found some of the biggest holes to include appointment scheduling, electronic patient communication (like texting and unsecured email addresses) and electronic patient files to be the areas that practices blur the lines the most. If you don’t have an official stamp of approval from your IT department that it’s HIPAA compliant, continue looking for new software.
2- Not using a private email system. We have practices that run into issues when they think they can use generic email addresses, including gmail, AOL, and yahoo, for example, for their staff’s email. When a staff member either resigns or is terminated from the practice, a disgruntled employee will take their email address… and your patient leads… with them. Insist that every staff member use an official work email address in which the practice has ultimate administrative rights.
Swapnil Deshmukh is a Sr. Director at Visa. He leads a team responsible for attesting security for emerging technologies. He is coauthor of the Hacking Exposed series and is a member of OWASP. In his prior work he has helped Fortune 500 companies build secure guidelines for organizations including healthcare.
"The healthcare industry is one of the most compliance regulated industries. And regulations such as HIPAA dictate security considerations for the healthcare industry. The top 3 on that list enforced by security experts are..."
1. Weak authentication and session
Privilege escalation that enables an user to access another person's data is a huge concern within the healthcare industry, so ensuring authenticated users are able to access the data that only they can access becomes of utmost importance.
2. Security misconfiguration
Web servers tend to store sensitive information about users, so making sure that web servers and application servers are properly hardened is a must.
3. Sensitive data exposure
When it comes to protecting sensitive data, proper encryption is a must. We recommend using NIST-approved cipher suites such as AES, strong hashes such as SHA256 or the use of TLS1.2. As much as encryption is important, another factor to take into consideration is key management.
Dr. Simon Lorenz
Dr. Simon Lorenz is a managing director and co-founder of healthcare messaging app Klara, of Klara Technologies, Inc. Klara's mission is to fix the broken healthcare industry through better communication. Klara is building the central nervous system of healthcare.
"Unintentional actions are by far a major security issue that often goes overlooked due to the fact that it is caused by human error..."
Healthcare organizations often invest time to protect against technical cyber threats, yet do not invest in training employees and vendors to properly handle information.
For example, more than 50% health-care breaches are due to lost or stolen laptops, backup tapes, and mobile devices containing unencrypted data.
Furthermore, over 9 out of 10 healthcare data breaches affecting 500 or more individuals are caused by organizations’ own employees, not hackers, according to the U.S. Department of Health & Human Services.
Properly training your employees on behaviors that are mindful of security is important in any organization, regardless of size or specialty.
Brett Kimmell of Kimmell Cybersecurity holds a Master of Science in Accounting Information Systems from The University of Akron where he was adjunct faculty teaching Information Systems Security and Accounting Information Systems. Brett also holds several certifications including, CISSP, CISA, CISM, CITP, CPA, PCI-Pro, ACSE.
"The top 3 information security concerns for healthcare organizations are..."
1. Ransomware - Instant access to medical records could be the difference between life and death.
2. Ability to Identify a Breach - A breach will occur and the organization should have a reasonable chance to identify it before data is exfiltrated.
3. Employee Cybersecurity Training - Employees who operate unaware of the risks associated with PCs and the Internet are sure to fall victim to Phishing or some social engineering scheme.
Jason Wilson is a Solution Architect and Co-Founder of Strategy Marketing & Technology Solutions. Strategy, LLC is a full service agency helps businesses achieve their goals through implementing marketing and technology solutions. Whether our clients want to reach more customers with brand development or need strategic IT consulting and integration, we partner with them to get results that matter.
"Healthcare organizations don't often realize that their out-of-date technology practices may be putting patient information at risk. Here are 3 things they should consider..."
1. Network Security
Some healthcare organizations offer free Wi-Fi for their patients. However, if they don't properly secure their network, an unauthorized user could gain access to patient health information. It's best to set up public and private networks that are separated by a firewall, which blocks unauthorized communication and access between them.
2. Data Backup Plan
The slightest technical error or malfunctioning in a patient management software can lead to a substantial data loss. Healthcare organizations should schedule regular data backups to ensure their patient data is always secure.
3. Anti-Malware Programs
Healthcare providers should make sure their computer systems are fully protected. Practices should have the latest security software, web browsers, and operating systems to protect against viruses, malware, and other security breaches. Systems should be checked monthly for possible threats.
Samantha Cortez is the HR Manager at DrFelix, a digital healthcare start-up. They sell prescription medication privately and offer an online consultation service to offer people access to a doctor from the comfort of their home or office, whenever and wherever they need one.
"Here are a few of my tips for dealing with security considerations in the healthcare industry..."
1: Be aware of the HIPAA Privacy & Security rules while emailing. When dealing with protected health information (PHI), there’s no way around this. Nothing sent via email is 100% secure and there’s a lot of ambiguity over what’s acceptable and what’s not. To stay within HIPAA regulations, several precautions must be taken. For example, many offices will send an email alert requesting identity confirmation before sending any sensitive materials. It’s also important to warn patients about the risks of sending health information via email.
2: Consider cloud computing and how it helps your business grow while protecting your data. Many healthcare professionals are hesitant to go the cloud route with their data. However, cloud security has become so advanced, that it’s even more secure against data losses and breaches than many on-site systems. As of 2014, 83% of healthcare organizations were using cloud applications. These applications allow the organizations to scale easily, collaborate, are cost-effective, and can hold large amounts of data. There are several best practices that should be in place for optimal use. Before making the leap, conduct a health check on your current environment and identify current or potential issues. Then, come up with an analysis of how the cloud solution will ultimately affect the healthcare business and its IT. Consider your business requirements and what you’re trying to solve. For example, if you’ve recently acquired a network with different IT systems, your goal might be seamlessly integrate it.
3: App developers developing healthcare apps need to focus on the Technical and Physical Safeguards spelled out in the Security Rule of HIPAA. The Security Rule comprises three safeguards: technical, physical, and administrative. Each of these have specific implementations, some of which are required and others that are suggested depending on the application type. Access control is one of the most important technical safeguards. This requires the app to have unique user identification to track user identity. Your app will also need data encryption, regular safety updates, and data backups.