In the field of healthcare, information security should be a priority. Regulations abound, and the consequences for failing to secure patients' protected health information and electronic health records are substantial. That's before even considering the civil liability incurred for failures in that security. As of 2015, research showed that a healthcare organization's average data breach cost was more than $2.2 million, and the breach of a third-party vendor cost nearly $1 million.
In the same time frame, research by the Ponemon Institute revealed that 89% of healthcare organizations suffered a breach, and over 50% of those attacks were directly attributed to criminal activity. Criminal cyber attacks increased by 125% between 2010 and 2016, and it stands to reason that those numbers likely exploded since that research was completed. For comparison, RiskBased Security reported 2,645 data breaches in healthcare organizations in 2020 that exposed 37.2 billion electronic health records. In 2021, the incidents increased to 2,932 while the total compromised records fell to 22 billion.
With such an astronomical number of exposed records every year, it's critical to comply with regulatory requirements above and beyond the groundwork laid by HIPAA. HITECH and GDPR are wide-ranging, and there are many local regulations, like CCPA and other state-level consumer privacy protections. Therefore, implementing hospital information security best practices today will help protect your organization from cyber threats.
Health Insurance Portability and Accountability Act Standards
There are two major components of HIPAA: the Security Rule and the Privacy Rule. The HIPAA Privacy Rule is what most people are familiar with as it sets the standards for what protected health information (PHI) can be shared with vendors and other third parties without the patient's consent. The Security Rule governs the guidelines and standards for this PHI's technical, physical, and administrative handling.
These standards are the bare minimum of what is required, and it is in the best interest of all healthcare organizations to take data privacy and security seriously. You can't simply rely on a quality 3rd party assessment and think that satisfies your requirements as to your patient's data. To that end, we've compiled a list of some key hospital information security best practices.
Hospital Cybersecurity Tips
Locate and Identify Vulnerable Data
It's only possible to effectively secure sensitive data if you know what sensitive data you have. It's easy to identify electronic health records and only slightly more difficult to locate PHI. Still, you also have to consider dark data, other regulated data like payment card information that may be retained, and additional data that may be of interest to cybercriminals. You also must consider data retained on mobile devices, medical devices, and other connected devices and the locations and machines where this data is transferred. This important step is the jumping-off point for your entire cyber security posture.
Adjust or Apply Retention Policies
Now that you have located and identified what you need to protect, the next question you should ask is whether you need to retain that information. One of the best ways to avoid a data breach or limit the severity of one is to not hold on to excess data. While some information must be retained for set periods, other data can be purged or transferred to offline encrypted storage locations. Review your data policies, ensure they comply with all regulations, and then verify that you keep one byte of data only as necessary to comply with those regulations and provide patient care.
Classify Data
Your next step is assessing the information you will keep and assigning appropriate risk levels. Each category should be assigned appropriate levels of control to mitigate the data's specific risks. This is where you can leverage technological advancements to lower the strain on your employees. Machine learning can be applied to identify vulnerable data sets, both already present and new data, as it is created and assigned classifications, tag them for review, or apply rules set in place by IT personnel to comply with certain regulations.
Conduct a Risk Assessment
After taking these steps to identify, classify, and isolate your sensitive data, it's time to look at your healthcare organization's risk profile. A thorough risk assessment will help locate areas in need of further security, whether it's conducted by in-house staff or a vendor, and it's imperative to conduct an initial risk assessment and make it one part of your continuous monitoring program.
Focus on Access Control
Access control can be applied to operating systems, mobile devices, medical devices, and connected devices. Every single device, network, or system should require unique credentials to access. To best protect these devices and systems, you must regularly update the operating systems and applications and install patches to prevent the use of known vulnerabilities by an attacker.
Password Management
These passwords should be of sufficient complexity to avoid brute force attacks (i.e., length, special characters, etc.). An emphasis should be placed on using phrases instead of words, and scheduled periods should be set for required password changes. Provide your staff with a password manager to avoid the temptation of writing down and losing passwords. Enforcing strong passwords is one of the top hospital information security best practices that you can employ.
Multifactor Authentication
Multifactor authentication is already required for any e-prescription system. It should also be put in place on any network or device containing PHI, EHRs, or other protected data. You can use text messages to other devices or an authenticator application, but the best practice we recommend is using a physical security key. This ensures that no access is granted without combining the right username and password and the physical key.
Monitor Access to Sensitive Files
With all those access controls in place, it's time to ensure they are working properly. Real-time monitoring, as well as access logging, should be taking place on networks and in files that contain vulnerable data. Random audits should also be conducted to verify that those accessing the data are doing so for authorized purposes.
Implement an Incident Response Plan
We've said it before, and it still holds true that an effective cyber security posture can only be obtained by taking the approach that a data breach is a foregone conclusion. Develop, test, and then implement an incident response plan. Train your employees in the plan, and conduct regular scenarios that force them to implement it. When you provide clear steps to your staff and educate them on the proper use of the plan, you can significantly limit your risk exposure should a breach occur.
Hospital information security best practices are only some of what we provide. Venture Lynk Risk Management is a premier provider of risk management services. We specialize in servicing complex and high-risk industries, but we can provide a risk management solution for any circumstance. Whether you have intellectual property concerns or operational risk issues or are looking for a comprehensive vendor risk management program, we have the tools to help you succeed. Contact us today to see what we can put together for you.
