Security awareness has never been more critical to the healthcare industry than it is, and the one thing that is top of mind is how to improve cybersecurity in healthcare. With the rapid increase in data breaches and the depth and breadth of access gained in those incidents, improving cybersecurity should be a priority for every healthcare administrator. Compliance with the Health Insurance Portability and Accountability Act (HIPAA) requires a minimum standard level of cybersecurity practices, but based on available data, more than compliance with HIPAA is required.
To look at just a snapshot in time, the U.S. Department of Health and Human Services reported 11 million people had their protected health information compromised due to a data breach in the first quarter of 2021. Notably, that's an increase of nearly 500% over the same period in the prior year. In December of 2022, approximately 2.5 million records were listed as compromised from breaches occurring at healthcare providers and associated businesses.
The two most common categories of breaches are hacking incidents and unauthorized access. The Department of Health and Human Services has developed a checklist to ensure that healthcare organizations take their information security seriously. We'll review their recommendations before adding some of our best practices to show you how to improve cybersecurity in your healthcare organization.
HHS and Health Sector Cybersecurity Coordination Center Tips
Assess Your Security Posture
Before meaningful change can be achieved, you must determine where you stand, which is essential to understanding how to improve cybersecurity in healthcare. That involves taking stock of your IT assets, including servers, desktops, mobile devices, and even internet-connected medical devices. This evaluation should leave you with a clear picture of where any gaps in your cyber security plan may be.
Continuously Scan for Vulnerabilities
Network and software intrusion both frequently result in strange behavior. Having your staff recognize and report such activity is a key part of ongoing monitoring. You can also supplement this with automated vulnerability and threat scanning technology offered by the Cybersecurity and Infrastructure Security Agency.
Ensure Clear Lines of Responsibility
This is an effective leadership tool and has a place in cybersecurity. Where cyber risk is identified, you must also pinpoint who is responsible within your enterprise for managing that risk. This strengthens accountability and lessens the chance that risks end up overlooked.
Continue to Assess Gaps in Security Controls
Much like third party risk assessments are an initial phase of vendor risk management yet also hold a critical place in ongoing monitoring, security assessments are an integral feature of any cyber security program. The goal is to locate and address any gaps that develop before they can be exploited. As these gaps may crop up due to changes in your operations elsewhere, these assessments must become a frequent feature of your program.
Track Program Metrics
Whether you're thinking of employee training or device security, these key metrics must be tracked and reported to management and other stakeholders. This verifies that the steps you've implemented are progressing in line with your designed program and can help identify areas of improvement if some metrics lag behind.
Implement Incident Response Plans
We highlighted earlier how prevalent data breaches are, especially in the healthcare industry, so the importance of having an incident response plan cannot be overstated. All enterprise segments should have input and involvement in developing your response and recovery planning, as a security incident can affect everything from public relations to patient care and human resources. Developing and implementing the plan are not enough; tabletop exercises can be a fantastic tool for bringing your team together to improve cybersecurity.
Best Practices to Improve Cybersecurity in Healthcare
That was already a fairly comprehensive list, but we have a few more suggestions to elevate your cybersecurity posture truly.
For both operating systems and software, regularly checking for updates and patches and installing them will allow you to close known vulnerabilities that have been identified by the developer. This should be applied across all of your IT assets. Mobile device management software can be a force multiplier by allowing you to track, monitor, and secure your mobile devices from one interface.
Control Physical Access
Physical access must be restricted to any place that houses protected health information. Still, you also need to restrict physical access to areas where sensitive devices may be located. Server rooms, offices, and other areas where unauthorized access to terminals or mobile devices could occur must be secured to prevent outright theft, among other possibilities.
The first step in understanding how to improve cybersecurity in healthcare is to assess user password security profiles. All devices must be secured with a password, and each system should require unique login credentials for every employee. This holds true when the system contains electronic health records or other items subject to HIPAA. Multifactor authentication is strongly encouraged, and providing your staff with a password manager application can be a secure way to store their credentials and increase compliance with your cybersecurity rules.
Provide Regular Training
We touched on the importance of tabletop exercises and the like, but regular training for other events is equally as important. Social engineering is one of the most common attack vectors for cybercriminals. Your personnel can better detect those attempts when they have seen real-world, concrete examples of an attempt in practice. It is even more effective if they experience such an attempt firsthand in a controlled environment.
Aside from those training scenarios, frequent reminders or scheduled training blocks can serve as additional ongoing training. It's critical that everyone from the C-suite down experiences this training, and having your executive staff take an active role can do wonders for illustrating your organization's commitment to improving enterprise cybersecurity.
Encrypt Sensitive Data
Any place where protected health information or electronic health records are stored must be encrypted. Combined with the password recommendations above, this gives you the best chance to secure sensitive data. Encryption should also be applied to mobile devices to protect data should they be lost or stolen.
Protect Connected Medical Devices
We mentioned the added security threats of connected medical devices before, and we have a few strategies to secure them better. Create a separate, segregated network for these devices only. Prevent any of these devices from initiating any sort of network connection. Also, you must implement access control procedures for these devices.
When speaking of how to improve cybersecurity in healthcare, we'd be remiss if we failed to touch upon the importance of a robust vendor risk management program. Your data is no less compromised if the attacker gains access to your systems through one of your vendors or obtains the data directly through them. At Venture Lynk Risk Management, we specialize in many forms of risk management, and third-party vendor management is one of our areas of expertise. Servicing clients of all sizes across numerous high-risk industries, we can offer you a completely customized risk management program as whole or various individual services. Contact us today to see how we can help you.