Best Practices to Prevent Cybersecurity Threats in Healthcare

The healthcare industry is troubled by a lot of cybersecurity-related issues. These issues range from e-mail phishing attacks to attacks against connected medical devices. In healthcare, cyber attacks can have serious consequences beyond financial loss and breach of privacy. When implementing security measures or when partnering with medical data entry firms, healthcare organizations have to be very cautious. A dedicated data entry company that assists physicians in streamlining their operations and rendering better patient care will have the best security safeguards in place.

The Department of Health and Human Services (HHS), in collaboration with the Health Sector Coordinating Council (HSSC), has published “Health Industry Cybersecurity Practices (HICP): Managing Threats and Protecting Patients,” a valuable publication that outlines ways to minimize cybersecurity threats. Here are the recommendations.

How to Address E-mail Phishing Attacks

Health care organizations should adopt the following practices to protect against e-mail phishing attacks:

• Always be suspicious of e-mails from unknown senders, especially e-mails that request sensitive information, such as protected health information (PHI) or personally identifiable information (PII); or e-mails that include a call to action that stresses urgency or importance.
• Provide training to staff to recognize suspicious e-mails, know where to forward them, and never open e-mail attachments from unknown senders.
  In addition, it is necessary to implement the following:
  • Incident response plays to manage successful phishing attacks
  • Advanced technologies for detecting and testing e-mails for malicious content or links
  • Multifactor authentication
  • Proven and tested response procedures when employees click on phishing e-mails.
• Share cyber threat information with other health care organizations.

How to Address Ransomware Attack

• Make sure that users understand authorized patching procedures, and patch software according to authorized procedures.
• Specify which computers may access and store confidential or patient data.
• Try to use strong or unique usernames and passwords with multifactor authentication.
• Restrict users who can log in from remote desktops and the rate of allowed authentication attempts to thwart brute-force attacks.
• Use anti-malware detection and remediation tools.
• Set apart critical or vulnerable systems from threats.
• Retain a complete and updated inventory of assets.
• Execute a proven and tested data backup and restoration test, and proven and tested incident response procedures.
• Share cyber threat information with other health care organizations.

How to Address Loss or Theft of Equipment or Data?

• Encrypt confidential data, especially when transmitting data to other devices or organizations. It is also recommended to encrypt data at rest on mobile devices to be inaccessible to anyone who finds the device.
• Execute proven and tested data backups, with proven and tested restoration of data, and implement a safeguards policy for mobile devices supplemented with ongoing user awareness training on securing these devices.
• Obtain and use data loss prevention tools.
• Immediately report loss or theft to designated company individuals to terminate access to the device or network.
• Retain a complete, accurate, and current asset inventory to reduce threats, especially the loss and theft of mobile devices, such as laptops and USB/thumb drives.
• Clean sensitive data from every device before it is retired, refurbished, or resold and for that define a process with clear accountabilities.

How to Address Insider, Accidental or Intentional Data Loss

• Staff and IT users should be trained on data access and financial control procedures to reduce social engineering or procedural errors.
• In addition, it is necessary to implement and use the following:
  Workforce access auditing of health record systems and confidential data
• Privileged access management tools to report access to critical technology infrastructure and systems
• Data loss prevention tools to detect and block leakage of PHI and PII through e-mail and web upload.

How to Address Attacks against Connected Medical Devices

• Set up and maintain communication with the product security teams of the manufacturer of connected medical devices.
• After patches have been validated, distributed by the medical device manufacturer, and properly tested, patch devices.
• Check current security controls on networked medical devices and inventory traits such as IT components that may include the Media Access Control (MAC) address, Internet Protocol (IP) address, network segments, operating systems, applications, and other elements relevant to managing information security risks.
• In addition, it is necessary to implement the following:
  • Pre-procurement security requirements for vendors
  • Information security assurance practices, such as security risk assessments of new devices and validation of vendor practices on networks or facilities
  • Access controls for clinical and vendor support staff, including remote access, monitoring of vendor access, multifactor authentication, and minimum necessary or least privilege; and
  • Security operations practices for devices, including hardening, patching, monitoring, and threat detection capabilities.
• Include information security as a stakeholder in clinical procurements
• Utilize a template for contract language with medical device manufacturers and others
• Execute network security applications and practices for device networks

Following these practices can help not only healthcare entities but also data entry companies to mitigate some of the most current cybersecurity threats.