9 Ways To Improve Cybersecurity In Healthcare
Modern healthcare is deeply intertwined with technology. From the sophisticated machines used for diagnosing disease to the enterprise systems that store patient records, it is extremely difficult to run any healthcare organization today without relying heavily on information technology. But as in every other industry, the opportunities that come with IT bring risks, and the biggest of these is cybersecurity threats. Data corruption, unauthorized system access and malware infection are some of the things you have to keep tabs on as a healthcare IT or healthcare management professional. The following tips are vital to getting your healthcare systems' cybersecurity up to speed.
1. Cybersecurity Training for Staff
It's great to have robust technical controls that make it harder for unauthorized persons to gain access to your systems. However, your security is only as good as its weakest link, and that weakest link is usually the end user. Social engineering tactics such as phishing and spoofing circumvent your technical controls by taking advantage of users' lack of security awareness. Mandatory cybersecurity training ensures that all employees know what their role is in keeping the organization's systems and data secure. It keeps them conscious of the most common attack tactics and what they can do to stop such attacks from succeeding. Pair the training with a simple, blame-free way to report a suspicious email: a quick report from one user can stop a phishing campaign before the next user clicks.
2. Apply Software Updates Promptly
The cybersecurity threat environment is constantly evolving. That, and the fact that no system can be 100 percent perfect, is why software developers regularly release updates for their applications. Any delay in applying these patches leaves you vulnerable to opportunistic attacks. Remember, many successful intrusions exploit known vulnerabilities for which a patch already exists: attackers go through newly published vulnerability lists and then scan the internet for systems that haven't applied the corresponding fixes. Ideally, let your systems check for and apply updates automatically. Where this isn't feasible, for example on medical devices whose software the vendor must validate before it can be patched, set up a manual routine with calendar reminders (checking for and applying updates every Saturday, say), keep a record of which systems are still exposed and for how long, and isolate an unpatched device on its own network segment until the fix is in.
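The defender's version of what the attackers above are doing is a patch-lag check: compare each host's installed version against the first fixed version named in an advisory and report how long the gap has been open. The following is an added example written for this article, not tooling from the page; the inventory, advisories, dates and the 30-day patch SLA are all constructed, and versions are assumed to be plain dotted integers (real version strings often carry suffixes and epochs that need a proper version parser).

```python
"""Patch-lag check: which hosts still run a package version older than the
fix named in a published advisory, and for how long they have been exposed.

Added example, not tooling from the page. The inventory, advisory list,
dates and 30-day SLA are constructed; versions are assumed to be dotted
integers, which real-world version strings frequently are not.
"""
from datetime import date

# Constructed fleet inventory: (hostname, package, installed version).
INVENTORY = [
    ("pacs-01",   "dicom-gateway", "3.2.1"),
    ("pacs-02",   "dicom-gateway", "3.2.4"),
    ("ehr-app-1", "web-portal",    "10.0.3"),
    ("ehr-app-2", "web-portal",    "9.8.12"),
    ("lab-db-1",  "lab-agent",     "2.4.0"),
]

# Constructed advisories: package -> (first fixed version, publication date).
ADVISORIES = {
    "dicom-gateway": ("3.2.4", date(2019, 5, 20)),
    "web-portal":    ("10.0.0", date(2019, 4, 2)),
}

# Date the report is run for, fixed here so the output is reproducible.
REPORT_DATE = date(2019, 6, 10)

# Hypothetical internal policy: patches must be applied within 30 days.
MAX_PATCH_LAG_DAYS = 30


def parse_version(version):
    """'10.0.3' -> (10, 0, 3). Tuples compare numerically; comparing the raw
    strings would rank '9.8.12' above '10.0.3', which is the bug to avoid."""
    return tuple(int(part) for part in version.split("."))


def exposed_hosts(inventory, advisories, as_of):
    """Return one finding per host whose installed version is below the fix."""
    findings = []
    for host, package, installed in inventory:
        if package not in advisories:
            continue
        fixed_in, published = advisories[package]
        if parse_version(installed) < parse_version(fixed_in):
            days_exposed = (as_of - published).days
            findings.append({
                "host": host,
                "package": package,
                "installed": installed,
                "fixed_in": fixed_in,
                "days_exposed": days_exposed,
                "sla_breached": days_exposed > MAX_PATCH_LAG_DAYS,
            })
    return findings


if __name__ == "__main__":
    for f in exposed_hosts(INVENTORY, ADVISORIES, REPORT_DATE):
        status = "SLA BREACHED" if f["sla_breached"] else "within SLA"
        print(f"{f['host']}: {f['package']} {f['installed']} < {f['fixed_in']}, "
              f"exposed {f['days_exposed']} days ({status})")
```

Run against the constructed data it reports pacs-01 (21 days exposed, still within the SLA) and ehr-app-2 (69 days, SLA breached); pacs-02 and ehr-app-1 are already at or above the fixed version. The same comparison, fed from a real asset inventory and a vulnerability feed, is the list an attacker's scanner would produce, which is why it is worth producing first.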
3. Implement Already Proven Cybersecurity Technologies
When developing the cybersecurity part of your product, rely on proven solutions designed by cybersecurity experts. Cybersecurity is hard and sometimes counter-intuitive, and using validated technology helps you avoid critical mistakes (implementing your own cryptography is the classic one) and speeds up development. Modern cybersecurity technologies let you add a security layer to your applications or medical devices simply by adding a security library, provided you keep that library up to date like any other dependency.
For example, when developing a mobile application in healthcare, implementing MediCat's data protection during the development phase requires almost no additional work and yet adds a large amount of security almost instantly.
4. Controlled System Access
When many of us think of hacking, what comes to mind is individuals huddled in dark rooms relentlessly trying to penetrate and decrypt the back end of your systems. In reality, most successful attacks come through the front door, i.e. using the credentials of an authorized user. System access control should begin by defining the role of each employee in the organization; the human resources department should already have this information. On that basis you grant each employee the minimum system privileges they need to do their job (least privilege) and deny everything else by default. For instance, staff working in a hospital's pharmacy don't need to see a patient's history of illness. Revoke system access promptly when employees leave the organization, and review access rights periodically, since people change roles and accumulate privileges they no longer need.
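The role-to-permission mapping, deny-by-default check and HR-driven revocation described above look like this in code. This is an added example, not the page's or any vendor's code; the roles, permission names, user names and HR roster are constructed, and in production the roster would come from the HR system and the decisions would be enforced by the EHR's own authorization layer.

```python
"""Role-based, deny-by-default access control with HR-driven revocation.

Added example, not from the page. Roles, permissions, user names and the
HR roster are constructed for illustration.
"""

# Each role gets only the permissions its job needs (least privilege).
# Note that the pharmacy role has no access to the patient's illness history.
ROLE_PERMISSIONS = {
    "pharmacist": {"prescription:read", "dispense:write"},
    "physician":  {"patient_history:read", "patient_history:write",
                   "prescription:read", "prescription:write"},
    "billing":    {"invoice:read", "invoice:write"},
}


class AccessControl:
    def __init__(self):
        self._roles = {}        # user -> role (one role per user, for simplicity)
        self._disabled = set()  # users whose access has been revoked
        self.audit_log = []     # (user, permission, decision), for periodic review

    def assign(self, user, role):
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role: {role}")
        self._roles[user] = role

    def revoke(self, user):
        """Offboarding: drop the role and block the account outright."""
        self._roles.pop(user, None)
        self._disabled.add(user)

    def is_allowed(self, user, permission):
        """Deny unless the user is active and their role grants the permission.
        Unknown users and unknown permissions fall through to deny."""
        role_perms = ROLE_PERMISSIONS.get(self._roles.get(user), set())
        allowed = user not in self._disabled and permission in role_perms
        self.audit_log.append((user, permission, "allow" if allowed else "deny"))
        return allowed

    def reconcile_with_hr(self, active_staff):
        """Revoke every account that HR no longer lists as active staff and
        return the users revoked, so the run can be reported."""
        departed = sorted(u for u in self._roles if u not in active_staff)
        for user in departed:
            self.revoke(user)
        return departed


if __name__ == "__main__":
    ac = AccessControl()
    ac.assign("ppatel", "pharmacist")
    ac.assign("dlee", "physician")
    print(ac.is_allowed("ppatel", "prescription:read"))     # True
    print(ac.is_allowed("ppatel", "patient_history:read"))  # False
    print(ac.reconcile_with_hr({"dlee"}))                   # ['ppatel']
    print(ac.is_allowed("ppatel", "prescription:read"))     # False
```

Two design points matter more than the data structures: the check has no "allow" branch for a user with no role, so a forgotten or mistyped account gets nothing, and `reconcile_with_hr` is run against the HR roster on a schedule rather than waiting for someone to remember to file a ticket when a colleague leaves.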
5. Discourage the Use of One Password for All Systems
The average adult has accounts on dozens of different platforms. From the systems they use at work to the ones they access in their leisure time, it is understandably difficult to keep track of all these passwords. Some people in the healthcare industry opt to use one password not just for their online banking and social media accounts but also for the patient record systems they use. Worse still, some list the name and address of their employer on their social media profiles. So when an attacker obtains a person's social media password, they have all the information they need to know where else the same password may be used. Forcing employees to change their passwords every three months does not fix this: the new password tends to be reused across every system just like the old one, and frequent rotation pushes people toward predictable variations. Instead, require a different password for each system (a password manager makes this practical), screen new passwords against lists of passwords already exposed in breaches, and protect the patient record systems with multi-factor authentication so that a leaked password alone is not enough to log in.
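One concrete control against the reuse scenario above is to screen every new password against a corpus of passwords already exposed in breaches: a social-media password that has leaked will be rejected before it can be set on the patient record system. The code below is an added example, not from the page. Its "breach corpus" is a constructed list of four bad passwords; a real deployment would query a breached-password service or a locally mirrored corpus of hashes. The lookup mirrors the k-anonymity range query such services use, in which only the first five hex characters of the hash leave the client.

```python
"""Screening a candidate password against known-breached passwords.

Added example, not from the page. The breach corpus is constructed; the
prefix lookup models the k-anonymity range query used by public
breached-password services. SHA-1 is used here only because it is the
lookup key such corpora are indexed by; it is NOT how passwords should be
stored (use a slow, salted hash such as bcrypt or Argon2 for storage).
"""
import hashlib

# Constructed breach corpus, stored as upper-case hex SHA-1 like the public services do.
_BREACHED_PLAINTEXT = ["password", "Winter2019!", "letmein", "Mercy123"]
BREACHED_HASHES = {hashlib.sha1(p.encode("utf-8")).hexdigest().upper()
                   for p in _BREACHED_PLAINTEXT}

MIN_LENGTH = 12  # hypothetical local policy


def hash_password(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def range_lookup(prefix):
    """Server side of the range query: every breached-hash suffix that shares
    the 5-character prefix. The server never learns which one the client wants."""
    return {h[5:] for h in BREACHED_HASHES if h.startswith(prefix)}


def is_breached(password):
    """Client side: send only the prefix, compare the suffix locally."""
    digest = hash_password(password)
    return digest[5:] in range_lookup(digest[:5])


def evaluate_password(password):
    """Accept or reject a candidate password with a reason the user can act on.
    The breach check runs first because 'already leaked' is the more useful
    message, even when the password is also too short."""
    if is_breached(password):
        return False, "appears in a known breach; attackers already have it in their lists"
    if len(password) < MIN_LENGTH:
        return False, f"too short (minimum {MIN_LENGTH} characters)"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["Winter2019!", "short1", "mercy-ward-7-coffee-mug"]:
        print(candidate, "->", evaluate_password(candidate))
```

Because the server only ever sees a five-character prefix, the check can be offered to a client-side signup form without the password itself ever leaving the user's machine, which is what makes it acceptable to run against a third-party corpus.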
6. Regular Risk Assessment
Think about the office environment in the early 1990s and the workplace today. While the core concept of certain businesses and professions has remained the same over the past 30 years, a lot has changed. If an office worker from 1990 could time travel to 2019, they'd struggle to fit in and need to drastically change their mindset. This may be an extreme example but it is a fitting illustration of how organizations must evolve to keep up with changes to their operating environment. It's not too different when you think about cybersecurity in healthcare. As technology, processes and procedures continue to evolve, the risks do so too. Performing a technology risk assessment at least once a year, and again after any major change to your systems or processes, allows you to catch new threats before attackers exploit them.
7. Security In Depth
No maker of security software offers a 100 percent guarantee that their product will prevent every intrusion. That's why you must have several layers of security, an approach usually called defense in depth. If an attacker circumvents one layer, the remaining layers still stand between them and your data, and the attempt has a better chance of being noticed along the way. For example, a firewall, antivirus software and a whitelist of approved applications each play a role in keeping intruders off your network. It's not too different from the multiple forms of security you put in place for your own home, such as outdoor lighting, door locks, alarms, security cameras, guard dogs and security guards.
8. Data Recovery
Some cyberattacks seek to steal confidential data. Others, such as a DDoS or a malware infection, are primarily disruptive: a DDoS takes your systems offline, and malware such as ransomware can corrupt or encrypt your data and render it unusable. Data loss can be as damaging as unauthorized data access. It harms your reputation just as hackers gaining access to patient data does, and it can also completely cripple your operations. You need an elaborate data recovery mechanism that ensures your data stays intact even if the information in your production systems is rendered permanently unusable. At a minimum, back up your most important systems daily and keep the backups at a remote location. Two further points a practitioner will insist on: keep at least one copy offline or on write-once storage that the production systems' credentials cannot modify, because ransomware routinely encrypts any backup it can reach; and test restores regularly, because a backup that has never been restored is an assumption, not a recovery plan.
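A backup job is only as good as the restore you have actually performed, so the check worth automating is the restore test: archive the data, record a manifest of file hashes separately from the archive, restore into a scratch directory and compare. The example below is added here and is not from the page; the sample "records" are constructed inline, and a real job would archive the database dump and file stores and copy the archive to off-site, write-once storage.

```python
"""Backup with an integrity manifest, plus a restore test that proves the
backup can actually be used.

Added example, not from the page. The sample files are constructed inline.
"""
import hashlib
import os
import pathlib
import tarfile
import tempfile


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Relative path -> SHA-256 for every file under root."""
    root = pathlib.Path(root)
    return {str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def create_backup(source_dir, archive_path):
    """Write a gzip tarball and return the manifest taken before archiving.
    Store the manifest separately from the archive it describes, otherwise
    whatever corrupts the archive can rewrite the manifest to match."""
    manifest = build_manifest(source_dir)
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(str(source_dir), arcname="data")
    return manifest


def restore(archive_path, restore_dir):
    """Extract the archive and return the path of the restored data root."""
    with tarfile.open(archive_path, "r:gz") as tar:
        # The 'data' extraction filter (Python 3.12+, backported to older patch
        # releases) refuses absolute paths and '..' traversal entries, which
        # matters as soon as an archive of uncertain origin is restored.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(restore_dir, **extra)
    return pathlib.Path(restore_dir, "data")


def check_against_manifest(restored_root, manifest):
    """Compare restored files with the manifest. Any gap means this backup is
    not something you could recover from."""
    restored = build_manifest(restored_root)
    missing = sorted(set(manifest) - set(restored))
    corrupt = sorted(k for k in manifest if k in restored and restored[k] != manifest[k])
    return {"ok": not missing and not corrupt, "missing": missing, "corrupt": corrupt}


def run_demo():
    """Back up constructed sample data, restore it, then tamper with one
    restored file to show the check catching silent corruption."""
    with tempfile.TemporaryDirectory() as work:
        src = pathlib.Path(work, "ehr")
        (src / "records").mkdir(parents=True)
        (src / "records" / "patient_0001.json").write_text('{"id": 1, "allergies": ["penicillin"]}\n')
        (src / "schema.sql").write_text("CREATE TABLE patients (id INT);\n")
        archive = pathlib.Path(work, "ehr-backup.tar.gz")

        manifest = create_backup(src, archive)
        clean = check_against_manifest(restore(archive, pathlib.Path(work, "restore-a")), manifest)

        tampered_root = restore(archive, pathlib.Path(work, "restore-b"))
        (tampered_root / "schema.sql").write_text("DROP TABLE patients;\n")
        tampered = check_against_manifest(tampered_root, manifest)
        return clean, tampered


if __name__ == "__main__":
    clean, tampered = run_demo()
    print("clean restore:", clean)
    print("tampered restore:", tampered)
```

The clean restore reports `ok: True` with nothing missing or corrupt; the tampered one reports `schema.sql` as corrupt. Scheduled against last night's archive, the same check is the difference between "we take backups" and "we can restore".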
9. Protect Mobile Gadgets
Laptops, smartphones, tablets, portable storage devices and other mobile devices have opened a whole new world of possibilities in the collection, transmission and retrieval of electronic health records. But while this convenience is welcome, it has also created a new kind of threat to the confidentiality of health records. Because they are carried around, these devices are far easier to lose or steal than a traditional desktop computer, and their rising capacity makes each loss more serious: smartphones' internal storage now routinely exceeds 32GB, enough to hold an enormous amount of sensitive data. Best practice is to keep sensitive health data off mobile devices altogether. Where committing such data to a mobile device is absolutely necessary, encrypt it: turn on the device's built-in storage encryption, require a screen lock, and make sure the device can be wiped remotely if it goes missing.
Securing the data of a healthcare services provider takes extensive business knowledge, meticulous planning and deep technical knowhow. The above tips are vital if healthcare organizations are to stave off the threats of data theft and data loss.