Page 13 - Delaware Medical Journal - November 2017
CYBERSECURITY
they did not have a user account or their
do their jobs.
These practices are in clear violation of health care cybersecurity regulations, which require unique credentials for each EHR user. They also render passwords useless as a security mechanism and make it virtually impossible to trace the source of a data breach.
Medical staff frequently engage in other practices that threaten the security of PHI. For example, doctors have been known to copy medical records to that lack adequate data protection and access controls. In July 2016, Oregon Health & Science University agreed to a $2.7 million settlement for widespread HIPAA violations, including the copying of PHI to a cloud-based server without appropriate agreements and protections in place.
Clearly, health care cybersecurity begins with staff education and strict policies and procedures around data protection. Regular training can help to reduce the “insider threats” that are the source of the majority of security breaches. While malicious insiders do steal information with the intent to cause harm, many such threats are caused by innocent users who bypass security policies to make their jobs easier.
However, policies are of limited value without monitoring and enforcement. Health care organizations should restrict access to sensitive information and base authentication and authorization on user identities and roles. Multifactor authentication, which requires a token, PIN, or biometric factor in addition to a password, can dramatically improve user account security. Even with strong authentication in place, user access should be logged and analyzed for patterns of behavior that might suggest compromised or shared credentials, noncompliance with policies, or access to resources beyond the scope of the user's role.
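Added example, not part of the original article: a short Python script that performs the kind of access-log analysis described above over a constructed EHR audit log. It flags one account active on two workstations within a few minutes (the credential-sharing practice discussed earlier, or a stolen password in use) and actions that fall outside the user's role. The log format, the role-to-action map, the user names, and the five-minute window are assumptions made for illustration; a real EHR would supply its own audit format and authorization policy.

```python
"""Flag suspicious EHR access patterns in an audit log (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not from any real system).
# Fields: timestamp, user, role, workstation, action, patient_id
SAMPLE_LOG = """\
2017-11-02T08:01:10 jsmith physician WS-ICU-01 view_chart P1001
2017-11-02T08:03:45 jsmith physician WS-ICU-01 update_orders P1001
2017-11-02T08:04:02 jsmith physician WS-ED-07 view_chart P2200
2017-11-02T08:04:30 jsmith physician WS-ICU-01 view_chart P1001
2017-11-02T09:15:00 bclerk billing WS-BILL-03 view_billing P1001
2017-11-02T09:16:12 bclerk billing WS-BILL-03 view_chart P1001
2017-11-02T09:20:00 bclerk billing WS-BILL-03 export_records P1001
2017-11-02T10:00:00 rnurse nurse WS-ICU-02 view_chart P1001
"""

# Hypothetical role-to-permitted-action map (an assumption for this example;
# a real deployment would derive it from the EHR's authorization policy).
ROLE_ACTIONS = {
    "physician": {"view_chart", "update_orders", "view_billing"},
    "nurse": {"view_chart"},
    "billing": {"view_billing"},
}

# Two workstations using one account within this window is treated as
# evidence of a shared or stolen credential (assumed threshold).
CONCURRENCY_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, workstation, action, patient = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user, "role": role, "workstation": workstation,
            "action": action, "patient": patient,
        })
    return events


def find_shared_credentials(events, window=CONCURRENCY_WINDOW):
    """Return (user, workstation_a, workstation_b) for accounts seen on two
    different workstations within `window` of each other."""
    findings = set()
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e)
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break  # events are sorted, so later ones are further apart
                if a["workstation"] != b["workstation"]:
                    pair = tuple(sorted((a["workstation"], b["workstation"])))
                    findings.add((user,) + pair)
    return sorted(findings)


def find_role_violations(events, role_actions=ROLE_ACTIONS):
    """Return (user, role, action, patient) for actions the role does not
    permit; an unknown role permits nothing, so all its actions are flagged."""
    return [
        (e["user"], e["role"], e["action"], e["patient"])
        for e in events
        if e["action"] not in role_actions.get(e["role"], set())
    ]


def analyze(text):
    """Run both detectors over raw log text and return the findings."""
    events = parse_log(text)
    return {
        "shared_credentials": find_shared_credentials(events),
        "role_violations": find_role_violations(events),
    }


if __name__ == "__main__":
    for category, items in analyze(SAMPLE_LOG).items():
        print(category)
        for item in items:
            print("  ", item)
```

On the sample data the script reports the physician account jsmith active on WS-ED-07 and WS-ICU-01 within the same five minutes, and the billing user bclerk viewing and exporting a clinical chart. Both are the kinds of findings an organization can only make if individual credentials are enforced and every access is logged with the user, workstation, and action.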
DEVELOPING A PLAN
Authentication, authorization, and user identity management have become the foundation of modern cybersecurity. In this age of mobile devices and the cloud, the "network perimeter" is increasingly porous. Organizations should still deploy perimeter defenses such as anti-malware solutions to keep hackers out, but they must also address threats that come from inside the network through stolen credentials or inappropriate user activity.
Network-connected medical devices are another increasing source of risk. The Internet of Medical Things (IoMT) includes mobile health (mHealth) solutions that enable the remote monitoring of patients and access to PHI via an Internet connection. Because many of these devices have weak security controls, hackers could use them to steal PHI, launch a cyberattack, or gain a backdoor into health care networks. Malware known as MEDJACK (short for "medical device hijack") is designed to do just that.
Effective cybersecurity begins with an assessment of the IT environment. Health care organizations need to understand their current security posture in order to identify weaknesses that could open the door to a data breach. The assessment should be conducted from a risk management perspective: Where is the most sensitive data located? How is it accessed? The answers to these questions help organizations prioritize security efforts based upon the most
The controls required by HIPAA provide a good starting point for developing a cybersecurity strategy. HIPAA technical safeguards include access controls, transmission security, data integrity controls, and audit mechanisms. Organizations should keep in mind, however, that regulatory requirements represent a baseline of security, and the results of the risk assessment may prescribe stronger controls.
Whatever the strategy, organizations should recognize that security is not a "set and forget" proposition. Regular assessments and vulnerability scans should be conducted to address emerging threats and changes to the IT environment. In addition, organizations should implement an incident response plan to help them detect data breaches more rapidly and contain the potential damage.
As more and more medical data is stored electronically, the health care sector has come under siege by hackers seeking to steal valuable patient information. Health care organizations must implement the right security policies and systems to protect sensitive data and maintain their patients’ trust.
CONTRIBUTING AUTHOR
■ BOBBIE BROOKS is Marketing Director for SSD Technology Partners.
Del Med J | November 2017 | Vol. 89 | No. 11