Cybersecurity best practices for healthcare organizations

Healthcare organizations are frequent targets of data breaches because they handle highly sensitive and valuable data, known variously as protected health information (PHI) and electronic health records (EHR), so they are in real need of clear cybersecurity guidelines. That need is sharpened by tight security budgets and by strict state and federal regulations such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA), whose violation can lead to large fines. Beyond regulatory fines, a breach brings costly investigations, lawsuits, and patients leaving in response to reputational damage.

Healthcare information is a favorite among attackers for several reasons. First, it sells for a high price on underground markets. Second, it can readily be used to commit identity theft. Third, fraudsters can use it to pose as health insurance policyholders and obtain medical services illegally.

Despite the urgency, many struggle to find the funds to devote to cybersecurity. The U.S. Department of Health and Human Services' Office for Civil Rights (OCR) has stepped in with guidance on basic, cost-effective safeguards that these organizations can put in place with a small financial investment. We've summarized those recommendations for you.

Data encryption

The HIPAA Security Rule lists encryption as an addressable safeguard, and for good reason: of all the controls available, encryption remains one of the most effective protections for the confidentiality of data, and an authenticated encryption mode also protects its integrity by detecting any tampering. (It does nothing for availability; ransomware is encryption turned against you, which is why backups matter.) Encryption turns readable data into ciphertext that is meaningless without the key. Data at rest, data in backups, and data in transit can all be encrypted, so that even if it is stolen from storage or intercepted on the wire it remains indecipherable to anyone without the decryption key. The control is only as strong as the key management behind it: a key stored next to the data it protects defeats the purpose.
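Below is an added example, written for this article and not code from the original page or from NetQuest, of what "encrypted backup" should mean in practice: AES-256-GCM, an authenticated mode, so that a stolen backup is unreadable and any modification of it is detected on restore. The sample record, the backup label, and the in-memory key are constructed placeholders; in a real deployment the key would come from a KMS or HSM rather than being generated next to the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// NewKey returns a fresh random 256-bit AES key. In production the key lives
// in a KMS or HSM, never alongside the backup it protects.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts a record with AES-256-GCM. The returned blob is
// nonce || ciphertext || tag. The label (for example the backup path or the
// patient identifier) is bound as associated data, so a blob for one patient
// cannot be silently substituted for another's.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh per message
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. It fails closed: a wrong key, a flipped bit, or a
// mismatched label all return an error and no plaintext.
func Open(key, blob []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	nonce, ct := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, []byte(label))
}

// LeaksPlaintext reports whether any 8-byte window of the plaintext appears
// verbatim in the blob, a sanity check that nothing was left unencrypted.
func LeaksPlaintext(blob, plaintext []byte) bool {
	for i := 0; i+8 <= len(plaintext); i++ {
		if bytes.Contains(blob, plaintext[i:i+8]) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample record; not real patient data.
	record := []byte("MRN=00012345;name=Jane Doe;dx=E11.9;ins=BlueCross-778812")
	label := "backup/2024-06-01/patient-00012345"
	key, _ := NewKey()
	blob, _ := Seal(key, record, label)
	fmt.Printf("%d-byte blob exposes plaintext: %v\n", len(blob), LeaksPlaintext(blob, record))

	blob[len(blob)-1] ^= 0x01 // an attacker flips one bit of the stored backup
	if _, err := Open(key, blob, label); err != nil {
		fmt.Println("tampered backup rejected on restore:", err)
	}
}
```

Restoring from a backup is the moment integrity matters: with GCM the restore job gets an error instead of silently loading a corrupted or substituted record.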

Social engineering awareness

Phishing, which exploits a target's inattention or haste, is the top cause of healthcare data breaches. Phishing is an attempt to trick someone into clicking a malicious link or attachment in an email, typically leading to a website that asks for personal information such as login credentials. The messages often appear to come from a trusted source such as a co-worker, friend, or boss. It is the most common way that attackers steal PHI.

Regular security awareness training for employees greatly reduces susceptibility to phishing, and it is also a requirement of the HIPAA Security Rule. HIPAA compliance education and phishing simulations are among the most cost-effective training options. With training, your staff becomes your best line of defense, learning to spot phishing emails by their suspicious links, urgent or unusual wording, mismatched sender addresses, and other telltale signs.

Two other low-cost but indispensable defenses against phishing are strong password policies and multifactor authentication (MFA); with MFA in place, a phished password alone is not enough to log in. According to the 2017 Verizon Data Breach Investigations Report, roughly 80 percent of hacking-related breaches involved weak or stolen passwords. Small healthcare organizations that rely on a third-party email provider should also turn on the security configuration options and capabilities the provider already offers rather than leaving them at their defaults.

Audit logs

Audit logs, which HIPAA requires, record events on the organization's IT systems, devices, and software. Reviewing them regularly warns security teams of attempts to gain unauthorized access, so that a breach can be stopped before it happens or caught early rather than months later. They are also essential for investigating past breaches and learning from them. Logs only help if they are retained, protected from tampering, and actually reviewed; automating the review is what makes "regularly" realistic for a small team.
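As an added example, not part of the original article, here is the kind of automated review that turns a pile of audit logs into the early warnings described above. The log format, the usernames, addresses and medical record numbers, and the alert thresholds are all constructed for illustration. The two rules, a burst of failed logins from one address and one user opening many different patient records in a short window, are standard checks a healthcare security team would run; both are built on one sliding-window helper so that further rules can be added the same way.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Event is one parsed audit-log line: sequence number, timestamp, key=value fields.
type Event struct {
	Seq    int
	When   time.Time
	Fields map[string]string
}

// Constructed sample EHR audit log, not taken from any real system.
const sampleLog = `
2024-06-01T08:01:12Z user=jsmith src=10.1.4.22 action=login result=failure
2024-06-01T08:01:15Z user=jsmith src=10.1.4.22 action=login result=failure
2024-06-01T08:01:19Z user=admin src=10.1.4.22 action=login result=failure
2024-06-01T08:01:22Z user=jdoe src=10.1.4.22 action=login result=failure
2024-06-01T08:01:30Z user=jdoe src=10.1.4.22 action=login result=success
2024-06-01T08:41:05Z user=drsmith src=10.1.7.9 action=view mrn=00012345
2024-06-01T08:52:40Z user=drsmith src=10.1.7.9 action=view mrn=00012399
2024-06-01T09:10:05Z user=nurse01 src=10.1.9.31 action=view mrn=00020001
2024-06-01T09:10:09Z user=nurse01 src=10.1.9.31 action=view mrn=00020002
2024-06-01T09:10:13Z user=nurse01 src=10.1.9.31 action=view mrn=00020003
2024-06-01T09:10:18Z user=nurse01 src=10.1.9.31 action=view mrn=00020004
2024-06-01T09:10:22Z user=nurse01 src=10.1.9.31 action=view mrn=00020005
`

// ParseLog returns the events in time order. A line that does not parse is an
// error rather than something to skip: a log you cannot read is itself a finding.
func ParseLog(text string) ([]Event, error) {
	var evs []Event
	for _, line := range strings.Split(strings.TrimSpace(text), "\n") {
		parts := strings.Fields(line)
		if len(parts) < 2 {
			return nil, fmt.Errorf("malformed line: %q", line)
		}
		ts, err := time.Parse(time.RFC3339, parts[0])
		if err != nil {
			return nil, err
		}
		ev := Event{Seq: len(evs), When: ts, Fields: map[string]string{}}
		for _, kv := range parts[1:] {
			k, v, ok := strings.Cut(kv, "=")
			if !ok {
				return nil, fmt.Errorf("bad field %q in %q", kv, line)
			}
			ev.Fields[k] = v
		}
		evs = append(evs, ev)
	}
	sort.SliceStable(evs, func(i, j int) bool { return evs[i].When.Before(evs[j].When) })
	return evs, nil
}

// Burst groups the events accepted by match on the field named group and flags
// every group with at least threshold distinct key values inside a sliding window.
func Burst(evs []Event, match func(Event) bool, group string, key func(Event) string, threshold int, window time.Duration) []string {
	groups := map[string][]Event{}
	for _, ev := range evs {
		if match(ev) {
			groups[ev.Fields[group]] = append(groups[ev.Fields[group]], ev)
		}
	}
	var alerts []string
	for g, list := range groups { // list stays in time order because evs is sorted
		for i := range list {
			distinct := map[string]bool{}
			for j := i; j < len(list) && list[j].When.Sub(list[i].When) <= window; j++ {
				distinct[key(list[j])] = true
			}
			if len(distinct) >= threshold {
				alerts = append(alerts, fmt.Sprintf("%s=%s: %d within %s", group, g, len(distinct), window))
				break
			}
		}
	}
	sort.Strings(alerts)
	return alerts
}

// FailedLoginBursts: many failed logins from one source address (password guessing
// or credential stuffing). Each attempt counts once, keyed by its sequence number.
func FailedLoginBursts(evs []Event, threshold int, window time.Duration) []string {
	return Burst(evs,
		func(e Event) bool { return e.Fields["action"] == "login" && e.Fields["result"] == "failure" },
		"src", func(e Event) string { return fmt.Sprint(e.Seq) }, threshold, window)
}

// BulkRecordAccess: one user viewing many distinct patient records in a short time,
// a snooping or exfiltration signature. A clinician looking up a few patients over
// a shift stays below the threshold.
func BulkRecordAccess(evs []Event, threshold int, window time.Duration) []string {
	return Burst(evs,
		func(e Event) bool { return e.Fields["action"] == "view" && e.Fields["mrn"] != "" },
		"user", func(e Event) string { return e.Fields["mrn"] }, threshold, window)
}

func main() {
	evs, err := ParseLog(sampleLog)
	if err != nil {
		panic(err)
	}
	fmt.Println("brute force:", FailedLoginBursts(evs, 4, time.Minute))
	fmt.Println("bulk access:", BulkRecordAccess(evs, 5, 5*time.Minute))
}
```

Thresholds are the part to tune against your own baseline: a triage nurse legitimately opens more charts per hour than a billing clerk, so the numbers here are illustrative only.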

Correct configuration of software and network devices

Misconfigured security controls on network devices, software, and cloud services give attackers entry points into your network. Disabled firewalls, outdated software, missed patches, and publicly readable S3 buckets have all led to data breaches. All systems, software, and devices should be kept updated and correctly configured, and should be checked regularly against a known-good baseline so that drift is caught before an attacker finds it.
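The S3 case is concrete enough to check mechanically. The following added example (not code from the article or from NetQuest) parses a bucket policy document, flags any Allow statement that grants read access to an anonymous principal with no Condition, and shows the weak policy beside a corrected one that limits access to a single IAM role. The bucket name, account ID and role name are placeholders, and the check assumes the policy's Statement field is a JSON array, the usual form.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Constructed bucket policy that exposes backups to the whole internet.
// Bucket, account and role names throughout are placeholders.
const weakPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "PublicRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": ["s3:GetObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-ehr-backups", "arn:aws:s3:::example-ehr-backups/*"]
  }]
}`

// The corrected policy: the same bucket, usable only by one IAM role.
const fixedPolicy = `{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "BackupRoleOnly",
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::123456789012:role/ehr-backup-writer"},
    "Action": ["s3:GetObject", "s3:PutObject", "s3:ListBucket"],
    "Resource": ["arn:aws:s3:::example-ehr-backups", "arn:aws:s3:::example-ehr-backups/*"]
  }]
}`

type statement struct {
	Sid       string          `json:"Sid"`
	Effect    string          `json:"Effect"`
	Principal json.RawMessage `json:"Principal"`
	Action    json.RawMessage `json:"Action"`
	Condition json.RawMessage `json:"Condition"`
}

// stringList handles the IAM convention that a field may be a string or a list of strings.
func stringList(raw json.RawMessage) []string {
	var one string
	if json.Unmarshal(raw, &one) == nil {
		return []string{one}
	}
	var many []string
	_ = json.Unmarshal(raw, &many)
	return many
}

// anonymousPrincipal is true for "*" and for {"AWS": "*"} (or an AWS list containing "*").
func anonymousPrincipal(raw json.RawMessage) bool {
	var obj map[string]json.RawMessage
	if json.Unmarshal(raw, &obj) == nil {
		raw = obj["AWS"] // Service and Federated principals are never anonymous
	}
	for _, p := range stringList(raw) {
		if p == "*" {
			return true
		}
	}
	return false
}

// readsData is true for actions that read objects or list the bucket, wildcards included.
func readsData(action string) bool {
	a := strings.ToLower(action)
	return a == "*" || a == "s3:*" || strings.HasPrefix(a, "s3:get") || strings.HasPrefix(a, "s3:list")
}

// PublicReadStatements returns the Sids of Allow statements that let anyone on the
// internet read the bucket with no Condition at all. Conditioned statements are not
// reported here; they still deserve a manual look.
func PublicReadStatements(policyJSON string) ([]string, error) {
	var pol struct {
		Statement []statement `json:"Statement"`
	}
	if err := json.Unmarshal([]byte(policyJSON), &pol); err != nil {
		return nil, err
	}
	var sids []string
	for _, st := range pol.Statement {
		conditioned := len(st.Condition) != 0 && string(st.Condition) != "null"
		if st.Effect != "Allow" || conditioned || !anonymousPrincipal(st.Principal) {
			continue
		}
		for _, a := range stringList(st.Action) {
			if readsData(a) {
				sids = append(sids, st.Sid)
				break
			}
		}
	}
	return sids, nil
}

func main() {
	weak, _ := PublicReadStatements(weakPolicy)
	fixed, _ := PublicReadStatements(fixedPolicy)
	fmt.Println("public-read statements, weak:", weak, "fixed:", fixed) // [PublicRead] []
}
```

A check like this belongs in the pipeline that deploys the bucket and in a scheduled job that re-reads live policies, since a bucket that was correct at deployment can be re-opened by a later change. Account-level public-access blocking is the belt to this check's suspenders.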

HHS top cybersecurity practices

For more cybersecurity best practices, see the two technical volumes published by the U.S. Department of Health and Human Services. They describe practices tailored to organizations of different sizes that mitigate the top healthcare cybersecurity risks.

Given the nature and vulnerability of healthcare data, you need more than a typical cybersecurity provider. Your firm needs experts that know how to keep data safe, secure, and private. Contact us today at NetQuest and we’ll help you implement effective and affordable data security measures for your organization.
