Healthcare Cybersecurity: Essential Practices for Protection

In October 2021, a Japanese hospital was forced to shut down operations for months. Malicious actors encrypted medical data of 85,000 patients and threatened to leak it unless ransom was paid. This is not an isolated incident – businesses depend on the cloud to accelerate workflow but don’t secure it unless an incident occurs. Cybercriminals always look for an opportunity to exploit it – but won’t succeed unless you have healthcare cyber security. 

We will take a look at what healthcare cyber security is, its importance, and how to implement it. 

What is healthcare cyber security?

Healthcare cybersecurity is the practice of protecting sensitive patient data from unauthorized use or accidental disclosure. It aims to protect the integrity, confidentiality, and availability of data through administrative, physical, and technical measures. 

Why is cyber security so important in the healthcare sector?

Cybersecurity in healthcare protects medical equipment, system data, and sensitive patient records from unauthorized access and malicious actors to ensure business continuity and protect patient privacy. Despite being a highly regulated industry, healthcare is one of the top recipients of cyber attacks. 

A report compiled by IBM that surveyed major industries found that for 12 consecutive years, the healthcare industry suffered the highest average cost per incident. As the number of incidents continue to grow every year, so does the cost to contain it. 

Like most industries, data is part of the critical infrastructure in healthcare. This, combined with poor security practices, weak infrastructure, lack of training, an urgency to continue business operations, and the pandemic contribute to this statistic.

Compromised healthcare data is a serious concern for two main reasons. First, it can halt care services – ransomware attacks often involve malicious actors preventing healthcare professionals from accessing it. Second, if the stolen data is tampered with, it may result in wrong treatment – a quick way to end up with a costly lawsuit. 

Due to the sensitive nature of information in healthcare, practices are obligated to follow regulations such as HIPAA. Violation results in hefty penalties ranging from $100 to $100,000. 

Healthcare Cyber security best practices

Healthcare services (much like any other service providers) don’t prioritize cyber security until they land in a thick soup called with virus as the main ingredient. So here are a few steps to stay on the safer side of things. 

1. Limit physical access

Physical safeguards of HIPAA require practices to secure the devices on which ePHI is stored or processed. Device loss through theft or misplacement is a significant factor that contributes to compromised data. Data compromise through device loss can occur even if it is secured through passwords or other technical means. The solution is to restrict physical access to the device using policies that secure it. 

Physical access checklist:

• Develop policies that describe physical safety and device security
• Employees should understand and contractually agree to follow policies and process related to device access
• Maintain an inventory for all devices that contain PHI
• Protect computers from environmental hazards like fire, water, earthquake, hurricane, etcetera 
• Restrict physical access to devices to authorized individuals only
• Restrict access to computers containing Electronic Health Record (EHR) from unauthorized viewing
• Secure equipment located in high-traffic or low-security areas from physical access

2. Limit network access

Small practices often use wireless routing systems that can cater to multiple computers. Router signals can be picked up by unauthorized individuals unless secured through encryption. Avoid sharing network access to devices used by visitors and allow only devices used by the practice to access it. 

Network access checklist:

• Applications used by practice staff to share files, images, send messages should be reviewed before installing
• Staff members should understand, agree and comply with network policy 
• Develop policies and procedures describing network configuration and access
• Restrict network access only to authorized users, devices, and applications
• Prohibit guest or visitor devices from accessing networks that contain PHI
• Encrypt wireless networks
• Avoid using public instant messaging systems and secure private messaging systems 

3. Password management

Passwords are the first line of defense against unauthorized access. Although strong passwords do not guarantee complete protection against intrusion attempts, it can slow them down by rendering the file inaccessible after multiple attempts or notifying security administrators on a possible breach. 

Good password protection practices include using words that do not appear in the dictionary or contain personal information like date of birth, pet name, security number, etc. 

Additionally, it should contain at least eight characters, one number, one uppercase and one lowercase character, and one special character. 

Use multi-factor authentication techniques like combining a password with another factor such as a smartcard, key tokens, or fingerprints. 

Password checklist:

• Allocate a unique username and password to each worker
• Staff members should not write down or display passwords on screen 
• Use passwords that are not easy to guess but easy to remember
• Change passwords regularly and do not use previously used passwords. You can use a system with auto password resetting capabilities. 
• Change system default passwords during installation
• If a device offers an option to use password, turn it on and use it

Check out: List of HIPAA identifiers

4. Access control 

Role based access works on the principle of least privilege – a process that allows each member to access the minimum of data required for their function. For many practices, this is a manual process. If that is the case for your practice, figure who should access what before setting it up. 

An efficient access control system should be equipped with audit log capabilities that allows administrators to view who viewed or updated what and when. 

Access control checklist:

• Develop and implement policies prescribing access controls
• Every user account should be linked to an authorized individual
• Set up file or application access in a way that allows authorized users to access only what is required 
• All files containing PHI should be restricted to be accessible to authorized users
• Computers or other devices containing PHI should be used for other purposes 

5. Prepare for the worst

Even the strongest security infrastructure can be broken into by cybercriminals. Malicious actors are increasingly using advanced technologies to break security barriers. There are two strategies to tackle disasters – through regular backups and a solid recovery plan. 

Small practices often don’t back up their data until disaster strikes. An effective backup plan should correctly capture all data to be reliable during emergencies. It should be easily restorable and its ability to quickly restore should be tested. 

Store the medium storing the backup safely using the physical access and natural disaster controls as discussed in the physical access. 

Use a backup system that offers the same level of security as the original. Test the backup capabilities of reusable backup media like hard drives and magnetic taper as these wear out over time. 

Use an automated system for the backup process as manual efforts are prone to error and time-consuming. 

Develop a process that clearly describes an action plan if an incident occurs. During an emergency, the medical staff should be able to access the backed-up data and restore critical care functions. 

Backup and recovery checklist:

• Share the system restoration plan with a trusted third-party entity outside the organization
• Store a duplicate of the recovery plan safely off-site
• Document critical files in the backup configuration
• Schedule backup process regularly to ensure all data is up to date
• Implement physical access controls to secure backup
• Use data destruction processes like erasure, overwriting, or shredding to render it unreadable before disposal
• Encrypt all media stored in off-site locations
• Use multiple backup systems to failproof the recovery process 

Also, check out: HIPAA compliance checklist

6. Use anti-malware software

Anti-malware solutions block intrusion attempts by identifying the code pattern known to exploit. As new threats using unknown signatures release every day, system encounters with such threats result in failure to identify and quarantine them. 

The development team of the solution constantly releases updates to add new threats to the detection capabilities. Keep your solution updated with the latest version to allow it to perform at its maximum potential. If the solution offers an auto update option, turn it on or set up the system to notify for updates. 

Some common indications of an infected computer include blue screen of death (BSOD), multiple system crashes, ad popups, and browser opens scammy pages. Additionally, the mouse and antivirus may stop working. 

Anti-malware checklist:

• Facility employees should familiarize themselves with the symptoms of an infected device
• Install the antimalware tool on all devices containing ePHI with manufacturers suggested settings
• Set the anti malware system to automatically update 
• Install the antimalware tool in mobile or other handheld devices that supports it 

7. Install a firewall

“Prevention is better than cure.” In cybersecurity, the first step to threat management is blocking or building a wall between your data and the intruders. While antivirus solutions compare to damage control post infection, firewalls prevent the infection from entering in the first place. Firewalls analyze incoming traffic and triage based on a set of predefined rules. 

Firewalls can be of two types – software or hardware. 

Some software firewalls are pre-built into operating systems and some are sold by security vendors like anti-malware product sellers. 

Hardware firewalls are difficult to configure without technical expertise. If your practice uses a local area network (LAN), a hardware firewall is the right choice as it offers centralized management that strengthens the LAN security. 

Firewall best practices:

• Develop policies that describes how to configure, use, and operate firewalls and firewall logs
• Protect all computers using a properly configured firewall

8. Follow good security practices

Good security practices include people, tools, and procedures. The people factor cannot be ignored, as most studies conducted on insider threats conclude that internal attacks make up a significant portion of all threats. The number ranges somewhere between 30% to 60%, depending on date, organizations surveyed, type of business, and more. 

Negligent workers, malicious insiders, inside agents, disgruntled employees, and third parties are examples of types of insider threats. 61% of these attacks are unintentional, caused due to lack of awareness or negligence. Unwillingness to learn and common misconceptions like “it can’t happen to me” are some challenges to good security practices. 

It is important to understand that checklists are useful only as long as employees share a sense of responsibility and practice them.

Security good practice checklist:

• Regularly train, educate, and test employees 
• Workers who manage and direct employees should not practice favoritism and set a good example
• Values like accountability and responsibility should be part of the organization’s core values

Also, read what HIPAA talks about security rule

9. Protect endpoint handheld devices

Organizational data is scattered across endpoint devices like smartphones, tablets, and laptops. While these significantly reduce IT complexity, it opens up a range of vulnerabilities, waiting to be exploited. 

Endpoint devices are prone to loss and theft due to their mobility. It is likely to be exposed to electromagnetic interference from other devices which can corrupt the data stored inside. 

Strong authentication, access controls, end to end encryption and passwords are some ways to protect handheld device data from unauthorized use. Do not connect handheld devices that transmit electronic health data to public networks. 

Endpoint handheld devices checklist:

• Configure endpoint handheld devices to prevent unauthorized access
• Encrypt PHI transmitted over handheld devices
• Encrypt connections between authorized devices and PHI

10. Follow good computer habits

Large infrastructures encompassing the cloud, endpoint devices, and storage facilities invariably have security blind spots. As sensitive health data flows through these systems, configuring and maintaining is crucial for optimum performance. New software packages offer an array of confusing options during the initial setup.

Best practices to boost in-built security capabilities are: 

• Uninstall unnecessary packages like games or miscellaneous tools
• Instead of accepting standard configurations, understand what each means using technical help if needed
• If your EHR vendor provides an open connection for support and update, secure this connection and request to disable this access when not used
• Remote operations like file sharing and printing within the operating system configuration can allow unauthorized access, so disable these options

11. Manage operation system

Most software vendors roll out updates to fix vulnerabilities. Patching prevents the chances of unknown threats entering your system. Small practices that lack the resources to manually update them can set up the system to automatically install critical security patches on a weekly or daily basis. System configurations and user data become outdated with time.

Follow an operation system maintenance checklist: 

• Revoke user access of former employees. If an employee is involuntarily terminated, revoke access while they are serving a notice period
• Before disposing of any device containing EHR, delete all data following NIST 800-88 guidelines
• Archive old data files if the information is needed and remove it from the system if not required

Recommended: A Detailed Guide to HIPAA compliance

Security challenges in healthcare

Despite technological innovation and increased security concerns from legal authorities, healthcare facilities struggle with these common challenges: 

1. Security threats like malware, virus, ransomware, phishing, and more from malicious actors
2. Security threats like unintentional data damage or intentional privilege misuse from employees
3. Lack of skilled cybersecurity professionals to bridge the gap that technology and AI cannot fulfill 
4. Tedious compliance process that requires practices to certify new systems or products
5. Human barriers to improve security posture like little or no enthusiasm to learn about security good practices and undergo training.
6. Inadequate knowledge on good security practices and compliance requirements

Conclusion

If you provide a healthcare service, following good security practices is not optional. Health record leakage will inevitably land you in legal trouble – we are talking jail time or costly lawsuits. 

Fortunately, there is a way to implement all the best practices we discussed with zero manual effort. Sprinto, an end-to-end tool integrates with your system to put the compliance program on automation. It monitors the system for failing checks, notifies the right person for non-compliance, trains your employees, enables granular access control, and much more. 

Don’t wait up, connect with our experts today and learn how we boost your security game!

FAQ

Who is in charge of cybersecurity in healthcare?

The Health Sector Cybersecurity Coordination Center (HC3) leads the charge for the U.S. Department of Health and Human Services (HHS) to protect, coordinate, and share cybersecurity information to the Healthcare and Public Health (HPH) sector.

Why do hackers target healthcare?

Hackers target healthcare because healthcare data is highly valuable on the black market. Practices are likely to succumb to ransom demands due to the urgency to continue business due to its impact on patient health.