Cybersecurity in the Healthcare Industry More Important Than Ever Before
In the past year, more companies have moved their operations online and have provided more remote workforce options than ever before. In the spring of 2021, with the goal of being more strategic in anticipating the many challenges ahead, NIST identified priority areas for the next several years.
For example, NIST is working to enhance its risk management initiatives and is seeking public comment on the Cybersecurity Framework (CSF), including how it is being used and how it can be improved. Other priority areas that continue to be of utmost importance in the healthcare industry include:
- Cybersecurity awareness
- Training and education
- Workforce development
- Identity and access management
- Securing emerging technologies
Let's review the cybersecurity imperatives while we anticipate the updates to the CSF.
Cybersecurity "Imperatives"
According to the Healthcare Industry Cybersecurity Task Force, "Cybersecurity is a key public health concern that needs immediate and aggressive attention." Whether through culture shifts and increased communication to and from leadership, or changes in the way healthcare professionals perform their duties in the clinical environment, it is important to prioritize cybersecurity within the healthcare industry.
The Task Force identified six high-level imperatives to organize its recommendations and action items. The Task Force Imperatives are:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capacities.
- Increase healthcare industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, weaknesses, and mitigations.
What can your organization do to make cybersecurity a priority?
Compliance experts at HCP have put together the following six recommendations that can be implemented immediately to aggressively prevent cyberattacks:
1. Batten down the hatches
According to the Department of Health and Human Services (HHS), "HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information." For example, to protect your data from malicious software, keep operating systems and applications current with security patches and updates, and install anti-virus software that updates its signatures and performs regular scans. You may also consider installing anti-spyware and anti-adware tools that perform regular scans and updates.
2. Know your devices
Anyone who has performed a Security Risk Analysis (SRA) with us knows we ask about your inventory. Do you know all of the devices, including employee-owned devices, that are permitted to access electronic protected health information (ePHI)? It is especially important to maintain a comprehensive listing of the organization's IT assets with corresponding descriptive information, such as the identification of the asset (e.g., vendor, asset type, asset name/number), the version of the asset (e.g., application or OS version), and the asset's assignment (e.g., the person accountable for the asset and its location). An asset that is missing from the list will not be patched, monitored, or included in the risk analysis.
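As an added illustration of the inventory check described above (this is example code written for this page, not HCP's SRA tooling), the following script reads a small inventory export and reports the gaps an SRA would ask about: assets permitted to access ePHI whose identification, version or assignment fields are blank, and employee-owned devices that have ePHI access. The CSV column names and the sample rows are constructed for the example and are not a format the page defines.

```python
import csv
import io

# Constructed sample export of an asset inventory for this example; the
# column names are assumptions made here, not a format the page defines.
SAMPLE_INVENTORY = """\
asset_id,asset_type,vendor,os_version,owner,location,employee_owned,ephi_access
WS-0102,workstation,Dell,Windows 10 21H2,j.doe,Exam Room 2,no,yes
LT-0207,laptop,Lenovo,,,Front Desk,no,yes
PH-0311,phone,Apple,iOS 15.4,r.lee,,yes,yes
PR-0409,printer,HP,FW 2.3,facilities,Records Room,no,no
TB-0512,tablet,Samsung,Android 12,m.chen,Nursing Station,yes,no
"""

# Descriptive information every asset permitted to touch ePHI must carry:
# identification (vendor), version (os_version) and assignment (owner, location).
REQUIRED_FOR_EPHI = ("vendor", "os_version", "owner", "location")


def _yes(value):
    """Normalise a yes/no column; anything other than 'yes' counts as no."""
    return (value or "").strip().lower() == "yes"


def load_inventory(text):
    """Parse a CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def inventory_gaps(rows):
    """Map asset_id -> list of required fields that are blank, for assets
    that are permitted to access ePHI. Assets without ePHI access are skipped."""
    gaps = {}
    for row in rows:
        if not _yes(row.get("ephi_access")):
            continue
        missing = [f for f in REQUIRED_FOR_EPHI if not (row.get(f) or "").strip()]
        if missing:
            gaps[row["asset_id"]] = missing
    return gaps


def byod_with_ephi(rows):
    """Employee-owned devices permitted to access ePHI; each one needs a
    documented owner and a BYOD control (for example, MDM enrollment) to review."""
    return sorted(r["asset_id"] for r in rows
                  if _yes(r.get("employee_owned")) and _yes(r.get("ephi_access")))


def report(text):
    """Human-readable findings, one line per gap or BYOD device."""
    rows = load_inventory(text)
    lines = []
    for asset_id, missing in sorted(inventory_gaps(rows).items()):
        lines.append(f"{asset_id}: ePHI access but missing {', '.join(missing)}")
    for asset_id in byod_with_ephi(rows):
        lines.append(f"{asset_id}: employee-owned device with ePHI access, review BYOD controls")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
```

Run against the sample, the report flags the laptop with no OS version or accountable owner, the phone with no recorded location, and the phone again as an employee-owned device with ePHI access; the printer and tablet are skipped because they are not permitted to access ePHI. Pointing the same functions at a real CMDB export only requires mapping its column names onto the ones assumed here.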
3. Encourage the use of strong passwords
Weak passwords continue to be a threat to data in the healthcare industry. Eliminate the use of weak passwords by requiring a case-sensitive combination of letters, numbers, and special characters that is at least 8 characters in length. Remember that passwords should never be shared with anyone or written down, and should not contain information that would be easy to guess, such as names, birthdays, or the organization's name. Longer passphrases are stronger than short complex passwords, and where a system supports multi-factor authentication, enable it.
4. Identify deficiencies
What are the potential threats and vulnerabilities that pose a risk to your information? It is important to monitor your organization continuously to ensure policies and procedures are being followed. HCP's HIPAA Virtual Walkthrough and Security Risk Analysis (SRA) will help identify deficiencies and ensure you have a plan in place to prevent impermissible use, disclosure, or loss of your information.
5. Make improvements
As part of our Security Risk Analysis, compliance experts at HCP will create a corrective action plan for your organization.
This plan helps you proactively reduce the opportunities cybercriminals have to attack your organization. While some corrective action measures should be taken immediately, others can be made over time. Deficiencies with both high impact and high likelihood should be addressed first, while lower-risk deficiencies can be addressed throughout the year. For example, if you identified data backups that are being stored in an unlocked room or on unencrypted hard drives, you would want to take immediate action, such as moving the backups to a locked location and encrypting the drives, to prevent unauthorized access to the data.
6. Be on the lookout
Cybercriminals are targeting the healthcare industry now more than ever before. We recommend training your employees on how to recognize and avoid phishing attacks and other threats. Our "Cyber Security Awareness Training" located in the HCP Course Library would be a great resource for any healthcare organization. Remember, it is much easier to prevent an incident from happening than it is to mitigate a breach once it has occurred.
HCP Can Help
Whether you need help training your employees or developing policies to prevent cyber-attacks, HCP compliance experts can provide tools and expertise to help your organization aggressively prevent cyberattacks.
If you have any questions, feel free to reach us by email at support@hcp.md or by phone at 855-427-0427.
Not a current HCP client? Schedule a free consultation.