Most Common Breaches
When you think of network security breaches, what’s the first thing that comes to mind?
If you’re like most people, you think of a bank or a major consumer organization. And for good reason—these organizations have been the victims of significant data incidents in the last several years. Look no further than the recent Capital One data breach or the infamous Wells Fargo data breach, which affected more than 24 million financial and banking documents.
There’s another common target of data breaches though, and it’s one few people tend to think about: the healthcare system. In fact, ransomware and cyber attacks targeting healthcare are on the rise, and the tactics are becoming more sophisticated each day. In early April of 2019, Israel-based researchers announced they had created a computer virus that added tumors into MRI and CT scans. These viruses intentionally promote misdiagnosis and are quickly starting to pose a major health concern.
When a network security breach hits a healthcare organization, it can wreak havoc. The biggest risk is the release of personal information, which a breach would crack wide open. If hackers managed to get in, they’d have access to endless patient health data, which they could sell to global entities with bad intentions.
This is where the Health Insurance Portability and Accountability Act, or HIPAA, comes in. HIPAA outlines requirements to keep the personal health information of clients and patients safe, even where hackers and spammers are concerned.
In this post, we’ll break down what you need to know about cybersecurity, HIPAA, and how the two intersect in our modern digital world. Let’s dive in.
|In early April of 2019, Israel-based researchers announced they had created a computer virus that added tumors into MRI and CT scans.|
Compliance is not Enough
In the modern world of digital information, simply complying with HIPAA rules is not enough to prevent data breaches. In fact, HIPAA compliance of yesteryear may actually decrease an organization’s healthcare cybersecurity defenses.
According to HIPAA Journal,
“The use of technology and data sharing are essential for improving the level of care that can be provided to patients, yet both introduce new risks to the confidentiality, integrity, and availability of healthcare data. While policies are being introduced to encourage the use of technology and improve interoperability, it is also essential for cybersecurity measures to be implemented to protect patient data. Any policy recommendations must also include security requirements.”
Today, healthcare organizations that comply with HIPAA rules have met the minimum standards for security and healthcare data privacy as determined by the HHS. Unfortunately, simply being HIPAA-compliant does not mean a company is adequately protected against cyber attacks.
Organizations who want to ensure their patients’ electronic protected health information is safe have to go a few steps further.
10 Steps for Maintaining HIPAA Compliance and Digital Security
When it comes to cybersecurity, the healthcare industry has been slow to adjust. In many ways, it has lagged far behind other sectors in adopting robust cybersecurity controls. Today, though, organizations are beginning to pursue new technologies and investing in new ways to keep patient data safe.
Fortunately, the steps to create solid cybersecurity for healthcare organizations are not outlandish.
In fact, HealthcareIT recommends organizations simply take the following steps:
- Establish a culture of security
- Protect all mobile devices
- Maintain good computer habits - both on and off campus
- Use firewalls
- Install and maintain high-quality antivirus software
- Expect (and plan for) the unexpected
- Control access to sensitive information
- Limit network access
- Use strong passwords and change them on a regular basis
- Control physical access to devices
Let's review each of these steps in detail.
1. Establish a Culture of Security
In our modern cybersecurity environment, security needs to be a lifestyle rather than just a pastime. To be truly secure, every branch of an organization needs to work toward maintaining proper data privacy and security measures. As the threat landscape continues to evolve, even falling behind slightly could lead to a massive data breach.
In the healthcare industry, specifically, which is highly targeted, it’s essential to create a culture of security and knowledge.
Instead of focusing on cybersecurity in a sporadic, disjointed way, modern cybersecurity experts recommend taking a holistic, managerial approach to the process. In addition to reviewing ways to apply data to solve current problems, smart organizations also need to focus on areas they can plan to address in the future.
2. Protect all Mobile Devices
Mobile devices are an intractable part of our world. They serve a critical purpose. By allowing us to access data from any location, they’re an excellent tool for cost savings and are vital for remote workers who need access to a patient's health information to do their jobs.
Unfortunately, mobile devices also introduce a whole host of security risks. Something as simple as a stolen device can easily be used to hack into the email accounts and contacts of top leaders or to steal sensitive information stored on said device.
In a "BYOD" (bring your own device) world, finding ways to encrypt and decrypt materials is essential. This guideline pertains specifically to tools used by authorized users. For these devices to be safe and compliant, they must have a functionality designed to encrypt messages when they are beyond an internal firewall server. They must also be able to decrypt those messages when they are perceived.
If you’d like to secure the mobile devices for your organization, follow this guideline issued by NIST/NCCoE on mobile device security:
3. Maintain good computer habits—both on- and off-campus
When it comes to HIPAA security, the simplest things can make a massive difference. Simply logging out of accounts, for example, and establishing secure, variable passwords can go a long way toward protecting accounts.
This is another place where enabling encryption becomes a significant consideration. Things like firewalls and secure user authentication on every device are excellent and simple-to-implement protections that can save your organization a massive headache down the road. You may also want to look into technologies that can remotely lock or wipe the apps and software programs on your computer.
Foundationally, though, you’ll want to stress the importance for employees of always maintaining possession of their computers both on and off-campus. This means never walking away from a logged-in account of life screen, enabling security precautions, and always seeking to improve security.
Here are a few other computer “hygiene” habits to abide by:
- Uninstall all software that is not critical to your practice, including photo-sharing tools and games
- Think twice about accepting “standard” configurations when installing your software
- Find out whether your EHR vendors maintain an open-door connection to your installed software
- Disable remote file sharing and remote printing within your OS configuration
4. Use Firewalls
While HIPAA regulations never mention the word “firewall,” using them is a critical way to remain compliant. Physical firewall devices allow you to protect yourself and your organization and save costs down the road.
Comparatively, firewalls are a simple technology. Functionally, though, they provide the first line of defense for you and your practice. As the name would indicate, firewalls serve as a robust wall around your organization.
When you install a firewall, essentially, you build a system between your computer and the internet, which protects your internal systems from attacks. According to HealthIT.gov:
A firewall can take the form of a software product or a hardware device. In either case, its job is to inspect all messages coming into the system from the outside (either from the internet or from a local network) and determine, according to predetermined criteria, whether the message should be allowed in.
5. Install and maintain high-quality antivirus software
Antivirus software is another fix that seems misleadingly simple but can make a massive difference for you and your organization.
The reason is simple: the easiest way for hackers to attack office computers is to issue viruses that exploit the vulnerabilities in your system. These vulnerabilities can take down even an advanced machine with all the latest security updates.
If you’ve ever noticed symptoms like systems that won’t start normally or systems that crash for no reason, you’ve probably interacted with the aftermath of a virus.
To avoid this, teams need to install powerful antivirus software. Affordable, well-tested- reliable, and easy to access, antivirus software works behind the scenes to combat infections, prevent stolen data, and keep your computers up and running.
6. Expect (and plan for) the unexpected
No matter how diligent you are about cybersecurity, you can’t plan for everything. Because of this, it’s essential to leave some room in your approach for the unexpected. This could include everything from hacker attacks to natural disasters like fires, floods, hurricanes, and earthquakes, which threaten your healthcare records and other vital assets.
With this in mind, take a two-step approach: create backups and develop a recovery plan. While creating backups seems like a common-sense initiative, it’s relatively uncommon in the small practice environment.
It’s not enough to create your backups, though - you must also ensure that the medium used to store your backup data is safe and cannot be wiped out by the same disaster or hacking attack that would take down your office systems.
With this in mind, look for reusable types of backup media that can be protected with the same kind of access controls as you other backup solutions.
Secondly, conduct ample recovery planning so that when an emergency occurs, you know what your procedure should be. No matter what solution you choose, your organization must be able to access the backups and restore system functionality. This means the backups should be not only secure but relatively intuitive and straightforward to operate.
7. Control access to sensitive information
According to HIPAA guidelines, any health care provider, health plan, or health care clearinghouse that transmits health information via electronic formats is considered a “covered entity,” and must comply with HIPAA rules, accordingly, especially when it comes to protected health information.
According to HealthIT.gov:
The HIPAA Rules define “protected health information” (PHI) as all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or oral. Generally, “individually identifiable health information” is information that relates to an individual’s health and that identifies an individual or for which there is a reasonable basis to believe can be used to identify an individual.
While there are many ways to protect access to sensitive information, user control is essential. In an effective access control system, users get certain rights based on their ability to access the data within the system. To facilitate this, EHR systems are configured to allow limited access where appropriate. On a manual note, setting file access permissions can also be done manually, by establishing role-based access control.
8. Limit network access
Today, flexibility and ease of use go a long way. These elements are just part of what makes networking tools so appealing to health organizations today. Unfortunately, they're also a double-edged sword. Because healthcare information is so sensitive, teams must be mindful of how these hyper-simple network tools may allow outside access to files and more.
This means that devices that enter the practice though visitors should not be permitted access to the network, since conducting a full security vetting on them is impossible. Additionally, teams should check that all peer-to-peer applications have received administrative review and approval and that they contain no exploitable bits of code.
9. Use strong passwords and change them regularly
Passwords are a functional element with a critical purpose. Unfortunately, you defeat the purpose of passwords when you reuse the same one over and over again on your network, or when you keep the same password for ten years. To keep your system secure, dedicate yourself to creating strong passwords. The definition of a strong password is as follows
- One that does not contain words found in the dictionary, even if you alter it slightly
- Passwords that don’t include personal information like you rebirth date, family names, pet names, or anything else that outsiders could learn easily
- Passwords should be at least eight characters in length and should include a combination of upper and lowercase letters, numbers, and characters
Once you’ve come up with strong passwords, make your system even harder to crack by changing passwords frequently.
10. Control physical access to devices
While you must secure access to material information like files, you must also obtain access to digital assets, like your computers and devices.
Fortunately, this is a simple process. Start by limiting physical access and storing machines in locked rooms, being mindful of who you distribute physical keys to, and prohibiting team members form removing devices from the secure area.
While the healthcare industry increasingly relies on internet connected technology, cybersecurity becomes more and more important. By implementing the ten tips above and following the HIPAA requirements, healthcare organizations can protect their data and ensure security for years to come.
For many healthcare organizations, it’s also wise to invest in cybersecurity management software to manage any of your frameworks.
Learn how you can simplify management of your HIPAA program today.