All of us by now have seen the news reports of cyber attacks against organizations as wide-ranging as nationwide utility infrastructures, Yahoo, Equifax, the Pentagon – and, unfortunately, many healthcare organizations. Healthcare providers may believe that if they are small and low-profile, they will escape the attention of the “bad guys” who are running these attacks, but you should adopt healthcare IT security best practices immediately if you haven’t yet.
Every day there are new attacks aimed specifically at small to mid-size healthcare organizations (such as doctor’s and dentist’s offices) for the very reason that they are low-profile and less likely to have fully protected themselves. Cybercriminals have been highly successful at penetrating these smaller organizations, and carrying out their larcenous activities while their unfortunate victims are unaware until it is too late.
It is vital to do as much as possible to protect sensitive health information in EHRs. The consequences of a successful cyber attack could be very serious, including loss of patient trust, violations of the Health Insurance Portability and Accountability Act (HIPAA), or even loss of life or of the practice itself. Real-world examples large and small abound. Barely a day goes by that the press does not have reports of the latest cyber attacks, which call into question healthcare IT security best practices every time they happen.
Even though cyber attacks from hackers and other criminals grab a lot of headlines, research indicates that oftentimes even well-meaning computer users can inadvertently cause a cyber breach. (And sometimes not so inadvertently.)
But why is this happening to so many well-intentioned employee-users?
Answer: Because they fail to follow basic cybersecurity principles. This might be due to lack of training, time pressures, or any of a range of reasons. Yet, following these healthcare IT security best practices can sometimes be just as important and just as basic to patient safety as good hand-washing practice.
This article will discuss the simple best practices that medical offices and healthcare facilities should adopt to reduce the most important threats to the safety of electronic health records. This core set of best practices was developed by cybersecurity and healthcare IT experts to address the unique needs of the small healthcare practice. They are based on a compilation and distillation of cybersecurity best practices, particularly those developed under the auspices of the Information Security Alliance, and HealthcareIT.gov.
Why Should You Be Concerned About Your Cyber Security?
Simply put, cybersecurity is the protection of data and systems in networks that connect to the Internet – and healthcare providers generally aren’t concerned enough about it.
Healthcare cybersecurity applies to any computer or other device that can transmit electronic health records to another device over a network connection, whether it uses the Internet or some other network.
Use strong passwords and change them regularly.
Passwords are the first line of defense in preventing unauthorized access to any computer. Regardless of the type or operating system, a password should be required to log in and do any work. Although a strong password will not prevent attackers from trying to gain access, it can slow them down and discourage all but the most determined. In addition, strong passwords, combined with effective access controls, help to prevent casual misuse, for example, staff members pursuing their personal curiosity about a case even though they have no legitimate need for the information.
Strong passwords are ones that are not easily guessed. Since attackers may use automated methods to try to guess a password, it is important to choose a password that does not have characteristics that could make it vulnerable.
Strong passwords should not include:
Remember: if a piece of information is on a social networking site, it should never be used in a password.
Also, under Federal regulations permitting e-prescribing of controlled substances, multi-factor authentication (MFA, or 2FA) must be used.
Let’s now examine a few more key healthcare IT security best practices:
Control Access to Protected Health Information
All health care providers, health plans, and health care clearinghouses that transmit health information in electronic form in connection with a transaction for which the Secretary of HHS has adopted standards under HIPAA are “covered entities” and must comply with the HIPAA Privacy and Security Rules.
The HIPAA Rules define “protected health information” (PHI) as all “individually identifiable health information” held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper or orally.
Generally, “individually identifiable health information” is information that relates to an individual’s health and that identifies an individual or for which there is a reasonable basis to believe can be used to identify an individual.
To minimize the risk to protected health information when effectively setting up EHR systems, we are reminded of the importance of passwords in healthcare IT security best practices. The password, however, is only one half of what makes up a computer user’s credentials. The other half is the user’s identity or username. In most computer systems, these credentials (username and password) are used as part of an access control system in which users are assigned certain rights to access the data within.
This access control system might be part of an operating system (e.g., Windows) or built into a particular application (e.g., an e-prescribing module), and often both are true. In any case, an EHR implementation needs to be configured to grant access to PHI only to people with a need to know it. The need to know is narrowly defined, so EHR systems should be configured carefully to allow the limitation of access in all but the smallest practices.
For many situations in small practices, setting file access permissions may be done manually, using an access control list. This can only be done by someone with administrative rights to the system, which means that this individual must be fully trusted. Prior to setting these permissions, it is important to identify which files should be accessible to which staff members.
Limit Your Medical Facility’s Network Access
Ease of use and flexibility make contemporary networking tools very appealing. Web 2.0 technologies like peer-to-peer file sharing and instant messaging are popular and widely used. Wireless routing is a quick and easy way to set up broadband capability within a home or office.
However, because of the sensitivity of healthcare information and the fact that it is protected by law, tools that might allow outsiders to gain access to a healthcare practice’s network must be used with extreme caution.
Wireless routers that allow a single incoming cable or DSL line to be used by multiple computers are readily available for less than $100. For the small healthcare practice that intends to rely on wireless networking, special precautions must be taken. Unless the wireless router is secured, its signal can be picked up from some distance away, including, for example, the building’s parking lot, other offices in the same building, or even nearby homes.
Since PHI data flowing over the wireless network must be protected by law, it is crucial to secure the wireless signal so that only those who are permitted to access the information can pick up the signal. When a wireless router is used, it must be set up to operate only in encrypted mode.
Devices brought into the practice by visitors should not be permitted access to the network, since it is unlikely that such devices can be fully vetted for security on short notice. Setting up a network to safely permit guest access is expensive and time-consuming, so the best defense is to prohibit casual access.
In configuring a wireless network, each legitimate device must be identified to the router and only those devices permitted access. Peer-to-peer applications, such as file sharing and instant messaging, can expose the connected devices to security threats and vulnerabilities, including permitting unauthorized access to the devices on which they are installed.
Check to make sure these and other peer-to-peer applications have not been installed without explicit review and approval. It is not sufficient to just turn these programs off or uninstall them. A machine containing peer-to-peer applications may have exploitable bits of code that are not removed even when the programs are removed.
A good healthcare IT security policy in this vein is to prohibit staff from installing software without prior approval.
Maintain Good Computer Habits
Medical practitioners are familiar with the importance of healthy habits to maintain good health and reduce the risk of infection and disease. The same is true for EHR systems: they must be well-maintained so that they will continue to function properly and reliably in a manner that respects the importance and the sensitive nature of the data stored within them. As with any health regimen, simple measures go a long way.
These are only a small handful of healthcare IT security best practices. For more, you can visit HealthcareIT.gov and its article, “10 Best Practices for the Small Healthcare Environment”.
And what’s good for the goose is good for the gander: these best practices for healthcare IT security will work for small and large healthcare organizations alike.
Securing Patient Data for Healthcare Clients is Our Business
Helping you establish better healthcare cybersecurity best practices is one of the big ways we help today’s medical practitioners secure patient data and stay in business.