6 Ways Healthcare Facilities Can Address Cybersecurity Threats
Healthcare institutions are responsible not only for the physical health of patients but for their personal data. The Health Insurance Portability and Accountability Act requires facilities to guard the confidentiality of protected health information, which includes contact information as well as medical records, and imposes penalties on entities that fail to do so. Data breaches can be costly not only in terms of fines and reparations to affected patients but to reputation.
Not only that, but a cyberattack can also affect doctors’ and hospitals’ ability to provide care to patients. Like almost every other industry, health care facilities now rely heavily on computers and other internet-connected devices. While these are convenient, they also increase vulnerability to cyberattack. The last few years have seen the rise of ransomware, a type of malicious software that encrypts all the records in a system with a message that the creator of the malware will only reverse the encryption upon receiving a hefty payment. With the system inaccessible, it becomes difficult, if not impossible, for doctors to perform imaging studies and surgeries, even on critically ill patients.
Cybersecurity for healthcare facilities is therefore a life-and-death matter. While 92% of organizations that operate such facilities are confident in their ability to respond appropriately to an online attack, it never hurts to perform an audit and look for ways to improve.
1. Control Access to PHI
No one should have the ability to view protected health information unless he or she has a reason to see it. Therefore, access in the form of passwords and clearance should never be provided to unauthorized personnel. Systems should have different types of authentication in place to prevent unauthorized access from either inside or outside the facility, whether on purpose or by accident.
2. Protect Connected Devices
Any portable electronic device used to store, access, or share patient information with authorized personnel should be carefully protected, including devices such as tablets, smartphones, and laptops. This means cybersecurity measures, such as antivirus software and firewalls, but it also involves physical safeguards. For example, all such devices should be password protected and encrypted in case they fall into the wrong hands.
3. Use Strong Passwords
People often create weak passwords, or just keep the defaults, because they are easier to remember. However, these are easier for unauthorized personnel to figure out. Therefore, they do not provide adequate protection. Employees of a healthcare facility should receive instruction on how to create a strong password, what to do with the password once created, and how often to switch to a new password. Weak passwords are responsible for over half of all healthcare data breaches.
4. Maintain Antivirus Software
Those who launch cyberattacks are always looking for vulnerabilities in antivirus software that they can exploit. Therefore, the software is not something that a healthcare facility can just install once and then forget about. To provide adequate protection, it requires occasional updates so that it is ready to meet and defend against the most recent threats.
5. Prepare for the Unexpected
Despite the best efforts of the facility’s management and staff, data breaches and other cyberattacks may happen occasionally. Health care organizations can mitigate the damage done by backing up all files and records in a system separate from the main network in case of a ransomware attack. This means that the information will be accessible and patients can receive the care they need when they need it.
6. Limit Network Access
Do not allow just anyone to install applications or software on computers and other devices connected to the system. Require that they receive the permission from the proper organizational authorities first.
Rarely, if ever, do health care employees or management intentionally cause a data breach or leave the system vulnerable to cyberattack. Rather, it is the result of thoughtlessness or carelessness. Nevertheless, the consequences are significant for the patients and the facility alike. Facilities should be diligent about fostering a culture of security among all staff members.