Every kind of medical facility is a potential target for cyber-attacks. The Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996, requires the protection and confidential handling of protected health information (PHI). This applies to all forms of PHI, including paper, oral, and electronic (ePHI).
In the past few years, hospitals and other health providers have switched from paper records to electronic records. However, the security of digital health data has not kept up with its growth.
Cybersecurity refers to the protection of cyberspace and related technologies, from records and electronic data to the physical structures of security systems. To ensure patients and their data are safe is a huge issue for many organizations, as cybersecurity is only as good as the weakest link in a particular system or network.
The WannaCry ransomware attack in May 2017 has been a wakeup call for healthcare organizations around the globe as to what needs to be done regarding cybersecurity. Ransomware is malicious software that disables systems or encrypts data, critical system files and applications. Organizations have to pay ransomware demands in order to retrieve critical data encrypted or stolen by malware.
Besides malware, some of the main cyber threats to the health care industry are:
- insider threats (employees or 3rd parties that intentionally or unintentionally damage or destroy a system or steal data).
- access control breaches (physical theft) (manipulating or bypassing control systems or procedures to gain unauthorized physical access to information)
- network breaches (outside actors gain unauthorized access and manipulate legitimate programs or install malicious ones)
What could medical facilities do to keep up with cybersecurity?
Many changes that focus on the personnel's habits and areas that are prone to risk can be simple to implement, such as having staff change their passwords frequently and setting up computers so they log users out after a certain period of time automatically. It's also critical to raise awareness that visiting websites on workplace computers and opening email attachments or following unsolicited web links in emails can create a significant risk for data breaches.
Other basic levels of protection are:
- identification and authentication (e.g., user ID & password).
- security patch management (updating software to reduce the risk of compromise to applications, systems, and computers as a result of system flaws).
- use of software with a current license (software out of license isn’t receiving security updates).
- avoiding cheaper versions of SaaS (Software as a Service, e.g., SharePoint, QuickBooks)
- firewalls (first line of defense against unwanted network intrusions, protecting a system from malicious actors).
- packet filtering (limits the flow of information based on rules created by the systems administrator).
- circuit-level gateway (protects the security of the private network by preventing exposure of protected information).
- proxy servers (an intermediary between a user and the internet that ensures security).
- application gateway (when a client program establishes a connection to a destination service, it connects to an application gateway).
- encryption (ensures computers are not accessed by anyone other than a specific authorized user).
By conducting a HIPAA and cyber-risk assessment, health care organizations can uncover potential weaknesses in their security processes and systems.
Contact our HIM experts with AHIMA credentials and 30+ years experience to identify your vulnerabilities to minimize your risk of a cybersecurity attack. https://www.primeauconsultinggroup.com/contact-us1.html