5 Cybersecurity Recommendations to Protect Patient Privacy

With electronic health record (EHR) investments not consuming as much of a healthcare provider’s budget, leaders have an opportunity to take additional steps in their digital transformation journey to protect their patients and their organizations. There is no denying the need and importance for the adoption of sophisticated cybersecurity measures. According to a 2019 CIO survey, 83% of healthcare CIOs are increasing spending on cybersecurity¹. This is encouraging because healthcare organizations tend to spend only half as much on cybersecurity as other industries, yet healthcare led all other industries in cybersecurity breaches in 2018².

With so many different areas to focus on, it can be challenging to know where to start. Here are 5 ways healthcare organizations can better protect patient privacy.

1. Migrate to a cloud-based fax solution. Paper fax machines store personal health information (PHI) unencrypted. Essentially, the problem is interoperability and the secure transfer of patient records. The physical machines caching those files local to the connected device are vulnerable to attacks. Mining the data contained in those faxed records is another problem. There are more secure solutions like cloud-based faxing for accessing and exchanging patient information across healthcare organizations, including regional/state healthcare information exchange (HIE) and interoperability capabilities available from different EHR vendors. Fax machines are just one endpoint to start with—all IoT-connected and medical devices should be a part of your larger endpoint protection plan.
2. Comprehensive business continuity/disaster recovery plans. Healthcare organization’s networks and operations can be greatly impacted or even shut down due to disasters of any kind, including cyber attacks. Having a thorough plan that identifies the IT systems, processes and potential risks will help to create a more efficient recovery should disaster strike. Some considerations include ensuring data is properly backed up, communications remain intact and access and compliance is maintained. These plans are vital for protecting your patients in the event of an attack. If healthcare providers are unable to recover patient data following a ransomware attack, patients ultimately cannot be treated.

3. Security assessments. The number of threats and various methods to access an organization’s network today are growing. Getting assistance from third-party security experts can accelerate your cybersecurity defense and also help uncover any vulnerabilities in your network. These vendors can provide services for internal and external penetration testing, vulnerability assessments, social engineering and phishing exercises—all critical elements to solidifying a solid security strategy.
4. Seek a DDoS prevention and mitigation partner. IDC Research’s recent survey reports that more than 50% of IT security decision makers said that their organization had been the victim of a distributed denial-of-service (DDoS) attack as many as 10 times in the past year. The attacks surfacing for healthcare providers are broad, including their website, devices and applications. Since health records are now digitized for the majority of providers in the U.S., they are dependent on technology to provide patient care. Bad actors can also use DDoS attacks to distract from data breach activities which puts patients at risk of having their valuable PHI stolen. Using a managed DDoS protection service can provide access to expert analysts and advanced technology to avoid costly downtime and interruptions to patient care.
5. Security training, best practices and awareness. To defend against social engineering and phishing email cyberattacks, your employees need to be reminded of security best practices and risks. According to the State of the Industry report, 86% of C-Suite executives admit that employee negligence is one of their biggest information security risks. Hackers are getting better and better at disguising emails and making them look authentic. Educating employees to recognize these well-disguised ploys should be a part of your defensive strategy. Additionally, tailgating, or following someone into an organization after the door is held open, can also expose your organization to costly security breaches. Encourage employees to ask to see a company badge and ID before permitting access to your facility. This should be a standard part of your data loss prevention policies. Continually training on security best practices and awareness will help to reduce incidents of employee negligence.

Establishing a proactive defense
The healthcare industry faces an increasingly complex security climate and stricter standards for compliance. Taking proactive measures and seeking assistance from qualified network security providers with expertise in healthcare IT will help to ensure your organization is properly prepared for anything.

¹ https://hitinfrastructure.com/news/aligning-health-it-with-business-goals-is-top-cio-challenge
² https://www.healthcaredive.com/news/healthcare-again-tops-industries-for-cybersecurity-attacks-data-
breaches/552403/