Cybersecurity continues to be a major concern for healthcare organizations. Because of the sensitivity of the information they keep, hospitals are becoming a chosen target of cybercriminals. Cyberattacks are no longer a matter of “if” but “when.” The threat was top of mind when healthcare security leaders gathered in Chicago in September at the annual Health IT and Revenue Cycle Conference put on by Becker’s Hospital Review. Here are some strategies and best practice guidelines they shared.
Many in attendance argued that security is an organizational concern, not just an IT problem anymore. That means that all of an organization’s people, processes, and technologies must be mobilized to tackle security issues and to stay compliant.
Single Sign-on Boosts Security
User authentication and access control are vital to security. Maintaining a role-based access model and multi-factor authentication can be helpful. Even more beneficial is a single sign-on system, since users are not required to remember multiple passwords or log into multiple systems separately. Many executives also urged investment in “password-less” authentication systems. Much current research focuses on improving user authentication based on physiological and behavioral biometrics.
Many organizations are investing heavily in training staff to repel the various cyberattack strategies in use. One such strategy is phishing, in which a recipient unwittingly opens a link sent from an unknown source. Many organizations have started to add a notification banner to emails that originate outside the organization, to heighten employees’ awareness before they open any link.
Device Encryption Essential
As more and more devices are enabled to operate on a network and store health information, encryption of such devices has become essential to help avoid consequences in the event of theft or loss of the devices. It is also a best practice to check with IT or security compliance staff before purchasing clinical or non-clinical devices to be certain they meet security and compliance requirements.
Use of outdated systems is another big risk leading to cyberattacks. It is crucial to apply system and software patches on a regular basis to help avoid them. Notably, Microsoft will not support Windows 7 after January 2020 and will no longer issue security patches for it, leaving organizations still running it susceptible to attack. It is also recommended that healthcare organizations invest in updated infrastructure that can block malware from entering the environment and monitor for unusual activity on the network.
BAA Audits Enhance Compliance
Healthcare entities are required not only to monitor the data coming into their organizations but also to be vigilant about the data going out. Business Associate Agreements (BAAs) with vendors must require compliance with HIPAA regulations in the handling of Protected Health Information (PHI). Because a vendor’s failure to comply can affect a health organization negatively, many organizations have introduced regular third-party auditing of their BAAs for compliance.
In addition, organizations are developing proactive strategies to avoid cyberattacks, such as performing a penetration test once a year. Penetration testing can determine how vulnerable an organization’s security is to attack and can suggest ways to improve its security standards.
It is important that an organization trying to avoid cyberattacks involve compliance and risk assessment personnel across the organization. And should an attack occur, it is a best practice to already have policies and procedures in place to respond in a manner that minimizes the damage.