Cybercriminals are increasingly sophisticated. Many recent, concerning breaches of healthcare data prove that health systems are a tempting target for hackers. Health systems are the custodians of protected health information (PHI), a valuable resource that criminals can use to enable identity theft. Staying ahead of the threat requires a concerted corporate effort. Here are a few measures of paramount importance for enhancing your healthcare IT cybersecurity.
Establish a Culture of Health IT Security
For sensitive healthcare data to remain secure, everyone needs to be “all in” on cybersecurity. Leaders must rally around data security as a corporate value.
Documenting your corporate commitment to security via appropriate procedures is a great first step. To stay ahead of potential threats, you need smart tactics and sufficient staff and funding. Security should be part of both your strategic plan and your budgeting process.
Protect Mobile Devices
Mobile devices are increasingly used in healthcare. In a recent survey of global healthcare IT decision makers, 90% noted that their healthcare organization was implementing, or planning to implement, a mobile device initiative. While the use of mobile devices has been linked to increased patient satisfaction and staff productivity, there are some concerns. Data encryption and HIPAA compliance issues are at the top of the list.
A mobile device management system (MDMS) is essential for administration and compliance. Unfortunately, over half of the surveyed IT leaders expressed concern that their current MDMS didn’t provide sufficient security. To mitigate risks, some companies are using an add-on system for mobile content management, which provides secure file-sharing while also acting as an authentication tool. Another emerging solution is an all-in-one enterprise mobility management system.
Keep Software and Operating Systems Current
A lax approach to applying software updates and security patches exposes organizations to unnecessary threats. When software updates are released, they send a signal to everyone—both users and hackers—that the previous version contains vulnerabilities that can be exploited.
As if the data security issues were not enough, running outdated operating systems on medical equipment can severely impair a healthcare system’s ability to deliver quality care. For example, an MRI machine that is compromised with a virus can result in delayed diagnoses. If the compromised device is network-enabled, hackers may use it as a gateway into the larger system.
The best practice is to develop a proactive plan for software updates for all applicable systems, including desktop, mobile, and IoT devices. Updated anti-virus software can help identify potential issues. It is also key to ensure that staff cannot install software on their own before receiving approval.
Plan for an Inevitable Breach
As attacks grow more sophisticated, the best strategy is to plan for the inevitability of a breach while also working to prevent one. Simple compliance doesn’t ensure data security. Ongoing risk assessments are necessary to identify and address possible entry points and security gaps in organizational systems, processes, and equipment.
A comprehensive mitigation and recovery plan should outline how your organization will attempt recovery of the lost information. The plan should detail how you will provide required notification to affected individuals and others. The goal will be to demonstrate publicly that the data loss is being handled responsibly and appropriately.
Periodic Staff Training
All individuals associated with the healthcare system—providers, staff, volunteers, and vendors—should receive periodic security awareness training. The best practice is to use real-life hacking and phishing examples. Some organizations actively phish their own employees as a teaching tool. Staff also need to understand the process for reporting suspicious activity.
Use Trusted Partners Who Prioritize Health IT Security
A chain is only as strong as its weakest link. While this saying can relate to team members, it is also applicable to the partners you introduce into your healthcare system. Software and devices should support your organization’s commitment to protect PHI and other confidential information.
Change Healthcare is committed to the security of healthcare data, and our solutions meet or exceed HIPAA Privacy and Security Rule requirements. To learn how our medical imaging consulting team can help mitigate your IT security risks, contact us or request a meeting at HIMSS 2019.