Healthcare Technology Featured Article

August 10, 2016

What Hospitals Need to Know About Managing Cyber Security Risk and Response

American businesses are coming under increasingly frequent cyber attacks. These cyber attackers are often after private data, which makes safeguarding hospital data critically important. While traditional companies can employ business intelligence data, hospitals need to take a different plan of attack when protecting their IT infrastructure. There are fortunately a variety of measures that hospital IT support staff can take to ensure that they move beyond simple compliance, relying on insurance and properly securing their IT systems.

Cyber Security and Hospitals

Healthcare IT departments do have safeguards and controls in place to counter cyber threats. But don't just think that your HIPAA compliance will keep you secure during a cyber attack. HIPAA is only the bare minimum when it comes to security controls. Keep in mind that the original HIPAA security rule was created in August of 1998 and modified slightly in 2003. So a hospital that is HIPAA compliant is really complying with a standard written back in the late 1990s. But that doesn't help much in the present day world of cyber security. Here are some of the evolving threats that a hospital administrator has to contend with:

  • Phishing
  • Social engineering
  • Cloud file sharing
  • Port vulnerabilities
  • Telemedicine / teleradiology

None of these words appear in the HIPAA security rules, nor do they appear in some of the tools that the government uses to assess or audit HIPAA compliance. These words represent threats and risks in the present day cyber realm, so we need to take a different stance. You can start by taking an integrity check of your firewall. Tweak your filtering rules to regulate the kinds of data you're letting in and the kind of data going out of your healthcare infrastructure. Router filters can blacklist and whitelist IP addresses, URLs, domains, geographic locations and email addresses. Any resource that needs explicit approval can be added to an organization's whitelist.

Develop a Cyber Security Plan

When you first start developing a cyber security plan for your hospital, it's crucial as a first step to identify where exactly the risks are. By knowing where the risk resides, you can begin to see the weak points where you're vulnerable. A good cyber security risk analysis identifies threats based upon your hospital's particular applications and network topology. Your response team will need to assess the controls that your organization has in place to rectify any malicious intrusions. As a hospital IT administrator, you want to look at the reported breaches and uncover the root vulnerability that made the breach possible.

Strong Passwords

Passwords are the most common tool used by healthcare organizations to authenticate their users. The first message that hospital IT staff need to get out to the hospital staff is that they need to strengthen their passwords. Staff should also be encouraged to use two-factor authentication. This will require them to have a trusted device with them (like their smartphone) in order to log in to the hospital's network of machines.

Be Careful With Apps

Many people don't realize that plenty of apps can read your contacts. Since most people have geolocation turned on, the purveyors of these apps will know exactly where you are. To help make sure your workers aren't being unnecessarily targeted, clear instructions should be posted to them regarding how to turn off the geolocation on their smartphones.

Mobile device management software can monitor your workers' devices for any malicious code. Hospital staff often likes to browse the web or access their personal e-mails. These are personal activities that don't require access to the hospital's network infrastructure. Personal browsing of this sort should be done using the worker's own smartphone (or tablet) over a separate guest wireless network that is open to the Internet but not your hospital's network.

Edited by Alicia Young

FREE eNewsletter

Click here to receive your targeted Healthcare Technology Community eNewsletter.
[Subscribe Now]