Blog: How to Fortify Cybersecurity for Health IT
Updated: Nov 17, 2020
(Written for Change Healthcare)
Cybercriminals are increasingly savvy and sophisticated. The long list of concerning breaches of healthcare data proves that health systems are a tempting target for hackers because they are the custodians of protected health information (PHI), a valuable resource that criminals can use to enable identity theft. Staying ahead of the threat requires a concerted corporate effort. Here are a few measures of paramount importance.
Establish a Security Culture
For sensitive healthcare data to remain secure, everyone needs to be “all in” on cybersecurity. It is a business imperative that leaders rally around data security as a corporate value. Documenting the corporate commitment to security via appropriate procedures is a great first step. And, in order to stay ahead of potential threats, security should be part of the strategic plan and budgeting process—with tactics, staff, and appropriate funds attached to it.
Protect Mobile Devices
Mobile devices are increasingly being used in healthcare. In a recent survey of global healthcare IT decision-makers, 90% noted that their healthcare organization was implementing or is planning to implement a mobile device initiative. While increased use of mobile devices has been linked to increased patient satisfaction and staff productivity, this outcome does not come without concerns. Data encryption and HIPAA compliance issues are at the top of the list.
A mobile device management system (MDMS) is necessary for administration and compliance but over half of the surveyed IT leaders expressed concern that their current MDMS didn’t provide sufficient security. One tactic that companies are using to mitigate risks is an add-on system for mobile content management, which provides secure file-sharing while also acting as an authentication tool. Another emerging solution is an all-in-one enterprise mobility management system.
Keep Software and Operating Systems Up-to-date
A lax approach to software updates and security patches exposes organizations to unnecessary threats. A software update is a signal to everyone—both users and hackers—that the previous version has vulnerabilities that can be exploited, so every day a patch goes unapplied widens the window for attack.
If issues with data security were not enough, outdated operating systems on medical equipment can severely impair a healthcare system’s ability to deliver quality care. For example, if an MRI machine were compromised with a virus, it could result in delayed diagnoses. What’s more, if the device is network-enabled, hackers may use it as a way into the larger system.
Best practice is to develop a proactive plan for software updates covering all applicable systems, including desktop, mobile, and IoT devices. Anti-virus software, as long as it’s kept up-to-date, can help identify potential issues. It is also key to ensure that staff do not install software before it has been approved.
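The patching plan described above only works if someone can see, at any moment, which devices have fallen behind. The following is an added example (not code from the post or from Change Healthcare) of a small audit that walks an asset inventory and flags three things the section calls out: updates older than a per-device-class deadline, stale anti-virus definitions, and software installed outside the approved list. The device classes, the deadline values in PATCH_SLA_DAYS, the approved-software list and the inventory itself are all constructed assumptions for illustration; a real deployment would feed it from the MDM or asset-management export.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Tuple

# Assumed maximum age (days) of the last applied update per device class.
# These deadlines are illustrative placeholders, not figures from the post;
# embedded/IoT gear is given a longer window because vendor validation is slower.
PATCH_SLA_DAYS = {"desktop": 14, "mobile": 30, "iot": 90}

# Assumed maximum age (days) of anti-virus definitions on devices that run AV.
AV_MAX_AGE_DAYS = 7

# Hypothetical list of software packages that have been through the approval process.
APPROVED_SOFTWARE = {"epic-client", "dicom-viewer", "mdm-agent", "av-agent"}

Finding = Tuple[str, str, str]  # (asset name, finding type, detail)


@dataclass
class Asset:
    name: str
    device_class: str
    last_patched: date
    av_definitions: Optional[date]      # None when the device cannot run AV (embedded)
    installed: List[str] = field(default_factory=list)


def audit(assets: List[Asset], today: date,
          sla=PATCH_SLA_DAYS, approved=APPROVED_SOFTWARE,
          av_max_age: int = AV_MAX_AGE_DAYS) -> List[Finding]:
    """Return one finding per policy violation; an empty list means fully compliant."""
    findings: List[Finding] = []
    for a in assets:
        limit = sla.get(a.device_class)
        if limit is None:
            # A device we cannot classify cannot be held to a deadline: flag it so
            # the inventory gets fixed rather than silently skipping the device.
            findings.append((a.name, "unknown-device-class", a.device_class))
            continue
        patch_age = (today - a.last_patched).days
        if patch_age > limit:
            findings.append((a.name, "patch-overdue", f"{patch_age}d > {limit}d"))
        if a.av_definitions is not None:
            av_age = (today - a.av_definitions).days
            if av_age > av_max_age:
                findings.append((a.name, "av-stale", f"{av_age}d > {av_max_age}d"))
        for pkg in a.installed:
            if pkg not in approved:
                findings.append((a.name, "unapproved-software", pkg))
    return findings


# Constructed sample inventory (not real devices) as of the post's update date.
TODAY = date(2020, 11, 17)
SAMPLE_INVENTORY = [
    Asset("ws-radiology-01", "desktop", date(2020, 11, 10), date(2020, 11, 16),
          ["epic-client", "dicom-viewer", "screen-recorder"]),   # unapproved package
    Asset("ws-hr-03", "desktop", date(2020, 11, 12), date(2020, 11, 1),
          ["epic-client", "av-agent"]),                            # AV definitions stale
    Asset("tablet-er-07", "mobile", date(2020, 10, 1), date(2020, 11, 15),
          ["mdm-agent"]),                                          # 47 days since update
    Asset("mri-suite-b", "iot", date(2020, 7, 1), None, []),       # 139 days since update
    Asset("infusion-pump-12", "pump", date(2020, 11, 1), None, []),  # unclassified class
]


def sample_findings() -> List[Finding]:
    """Run the audit over the constructed inventory (used by the demo and tests)."""
    return audit(SAMPLE_INVENTORY, TODAY)


if __name__ == "__main__":
    for name, kind, detail in sample_findings():
        print(f"{name:18} {kind:22} {detail}")
```

Running it lists five findings across the five devices: one unapproved package, one set of stale AV definitions, two overdue updates (the tablet and the MRI console), and one device whose class is not in the policy table. The last case is deliberate: an unclassified asset is reported rather than skipped, because an inventory gap is exactly where an unpatched device hides.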
Plan for an Inevitable Breach
As attacks grow more sophisticated, the best strategy is to plan for the inevitability of a breach while also working to prevent it. Simple compliance doesn’t ensure data security. Ongoing risk assessments are necessary to identify and address possible entry points and security gaps in organizational systems, processes, and equipment.
A comprehensive mitigation and recovery plan should outline how the organization will attempt recovery of the lost information, and provide the required notification to affected individuals and others. The goal will be to demonstrate publicly that the data loss is being handled responsibly and appropriately.
Periodic Staff Training
All individuals associated with the healthcare system—providers, staff, volunteers, and vendors—should receive periodic security awareness training. The best practice is to use real-life hacking and phishing examples. Some organizations run simulated phishing campaigns against their own employees as a teaching tool. Staff also need to understand the process for reporting suspicious activity.
Use Trusted Partners Who Make Security a Priority
A chain is only as strong as its weakest link. While this can relate to team members, it is also applicable to the partners you introduce into your healthcare system. Software and devices should support your organization’s commitment to protect PHI and other confidential information.
Change Healthcare is committed to the privacy and security of healthcare data and meets or exceeds HIPAA Privacy and Security Rule requirements. To learn more about how Enterprise Medical Imaging Solutions can improve efficiency and patient experience within your radiology group, contact Change Healthcare.