October is Cyber Security Awareness Month, “an annual campaign to raise awareness about the importance of cybersecurity,” in the words of the United States Department of Homeland Security.
In 2017, cyber security is more important than ever across all walks of life, from people of all ages who are increasingly sharing personal information online and via their mobile devices, to the businesses and organizations that engage with those people.
Cyber security is also front-of-mind for leaders throughout the healthcare industry. The move in recent decades to digitalize patient information has led to the era of protected health information (PHI), which in turn has led to federal protection standards such as HIPAA (the Health Insurance Portability and Accountability Act of 1996).
Yet, even with these standards, staying on top of cyber security is also more challenging than ever. Cyber attacks have become increasingly far-reaching and sophisticated in recent years. According to Healio, more than 200 data breaches have been reported at hospitals across the U.S. in the past seven years, “highlighting the increasing frequency of cybersecurity attacks nationwide.”
In April 2017, a JAMA Internal Medicine study of more than 30 hospitals revealed that “each experienced data breaches at least twice since 2009,” according to a news release announcing the study. “At one of those facilities, the data of more than 4 million individuals was compromised.”
“Data breaches negatively impact patients and cause damage to the victim hospital,” lead author and Johns Hopkins assistant professor Ge Bai commented in the news release. “To understand the risk of data breaches is the first step to manage it.”
Health IT Security Tips for Cyber Security Awareness Month
These recent cyber security breaches have alarmed the healthcare industry and the public in general, leading to repeated calls for tougher security — a responsibility shared by “medical device manufacturers, government agencies, health care delivery organizations, health care professionals, and patients” alike, as Suzanne B. Schwartz, M.D., M.B.A. writes in a blog post for the FDA.
“Many medical devices are ‘life critical systems’ — meaning they play a crucial role in monitoring and protecting human life,” Dr. Schwartz adds. “As more and more of these systems use technology to interconnect, we must be dedicated to securing them from hackers and cyber-attacks.”
So much is clear. But how can organizations help prevent cyber security attacks when they’re already struggling with a number of challenges — including, in some cases, the continuing implementation of EHR/EMR and HIPAA adherence?
In a special cyber security awareness infographic, the Healthcare Information and Management Systems Society (HIMSS) offers some advice, including:
- Regularly conducting accurate and thorough risk assessments
- Encrypting data at all levels — at rest, as well as in motion
- Securing all wireless communications
- Educating your workforce about proper actions and decisions
See HIMSS’ complete list of cyber security tips for more.
In another article for Healio, cyber security expert Zuly Gonzalez writes that network segmentation is “the first strategy” healthcare organizations can implement to increase cyber security efforts and protect PHI.
“The idea behind network segmentation is to isolate personally identifiable information and other sensitive data onto a network separate from the network where staff can do potentially dangerous things, such as browse the web and access email,” she points out. “That way if one network is compromised, the data is still secure.
“Remote browser isolation technology is one way of accomplishing network segmentation that doesn't interfere with the user experience, and allows nurses and physicians to still access the patient data they need to provide quality care,” she adds.
Dr. Schwartz also advises paying closer attention to the parties providing your medical device technology. Recommending a “life cycle approach” for all medical devices that have cyber connectivity, Dr. Schwartz writes that a device manufacturer should be “creating, evolving, and maintaining a comprehensive cybersecurity risk management program starting from early product development and extending throughout the product’s lifespan.”
Gonzalez also advocates following “the principle of ‘least privilege,’” the idea of which “is to restrict the access and actions that staff are allowed to perform to only what is necessary for them to perform their duties.
“For example,” she writes, “if a user doesn't need to download files from the web as part of their job responsibility, then there should be a network policy in place that prevents them from doing so.”
All in all, cyber security awareness is growing among America’s healthcare organizations, but, as Dr. Schwartz writes, “there is still work to be done, and we must remain committed to working collaboratively to address our goal of protecting the public health.”
If you’re interested in learning about strategic solutions to help meet your healthcare organization’s long-term goals, we urge you to contact a Staff Care representative to discuss how we can help.