Information Security Basics for Healthcare
Healthcare organizations present inherent challenges when it comes to security - take thousands of user devices accessing patient data, double the average amount of application logons, then add in a bevy of networked medical devices that rely on outdated operating systems, and you have a rather complex mess to deal with, from an administrator’s perspective.
There are, however, some technical security basics that healthcare organizations can employ in order to reduce the risk of introducing vulnerabilities, malware (including ransomware) and new threats to their patient data environments. Here’s just a few to get the conversation started:
Access Control
Reduce the risk to electronic protected health information (ePHI) by configuring electronic healthcare record systems (EHRs) to grant access to a limited group of people that need access to complete their jobs, and terminate access after employees leave the organization.
Inventory and identify ePHI on your systems and manually set access permissions to certain applications by creating an authentication policy for a designated user group.
Role-based access control determines who can access what - a nurse may not have to access the same data as a billing specialist to do their job. Limiting access can reduce your attack vector; the less access to patient data, the fewer accounts that can be compromised.
Another aspect of access controls is the use of strong passwords, password managers, and two-factor authentication for an additional layer of security to your accounts. That way, even if a malicious hacker steals your password, they’ll be blocked from accessing your account without physically possessing your authentication device (a smartphone or USB device).
Maintain Endpoint Security
All devices - including mobile, tablets, PCs and laptops managed or not by your IT dept. - need to be kept up to date, with the minimum security features enabled.
Create an access security policy that automatically checks your endpoints for jailbroken/rooted status, screen lock, passcodes, Touch ID and/or full disk encryption before allowing the device to access your healthcare apps.
Block any device that doesn’t meet your minimum security standards. This can reduce the risk of connecting with a rogue device that is may be susceptible to malware or vulnerabilities.
Operating System & Server Maintenance
Uninstall any software application that’s not essential to running the practice. Check to see if this software is critical to your EHR’s functions. If not, remove it to reduce your attack vector.
Keep operating systems up to date, and use an endpoint visibility solution to get insight into devices connecting to your network and apps with patient data. Those unmanaged, employee-owned devices can bring a point of weakness to your systems if they are running outdated OSs. Notify any users running outdated OSs on their devices to update, and warn/block them until they do.
Patching servers is important too - there have been recent reports of a new type of ransomware that gets installed after attackers exploit unpatched server vulnerabilities, targeting hospitals.
Sometimes it not as simple as updating right away. Part of the reason why hospitals can’t always update to the latest version of OS is due to their complex IT infrastructure, and specific applications that may rely on outdated (and unsupported) software to run.
Software Maintenance
It’s critical to keep all software up to date and apply patches on a timely basis, as security updates can address new vulnerabilities in the software.
Outside of automatic and weekly updates, monitor for critical and emergency vendor software updates that must be applied immediately. Recently, Adobe released an emergency patch for nearly two dozen Flash vulnerabilities, including one being actively exploited in the wild.
With a large healthcare organization, it’s not easy to stay on top of the latest versions of everything. Invest in a logging and reporting system that tracks and monitors your endpoint versions, and shows you when a security event occurs, such as a new version release.
Backups and Business Continuity
Regular and automated offsite backups of your data should be maintained and secured in the case of an emergency. Maintain secure backups in the cloud, separate from your local/main system.
In the case of ransomware or other malware, keeping backups physically disconnected from your local system can ensure the data can’t be encrypted, deleted or stolen by the same malware attacking your main systems.
Business continuity is the ability of your practice to establish and follow a clear procedure, with designated roles and responsibilities in the event of an emergency. After an emergency, healthcare administrators need to know how to access backups to produce information and medical records quickly.
For even more tips, check out HealthIt.gov’s top 10 tips for cybersecurity in healthcare (PDF).