• COVID-19
  • Opinion
  • Health IT
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Patient Engagement
    • Population Health Management
    • Revenue Cycle Management
    • Social Determinants of Health
  • Digital Health
    • Artificial Intelligence
    • Blockchain
    • Mobile Health
    • Precision Medicine
    • Telehealth
    • Wearables
  • Startups
  • M&A
  • Value-based Care
    • Accountable Care (ACOs)
    • Medicare Advantage

5 Basic Steps for Hospitals to Improve Their Data Security

by D'Arcy Gue, Director of Industry Relations at Medsphere Systems Corporation 04/18/2017 Leave a Comment

Security Data Breaches

If you’re a small healthcare IT operation, a simple spreadsheet might do the trick. If you’re larger, a not-so-simple spreadsheet might be in order.

Regardless of how you do it, hospitals, clinics and other healthcare organizations must identify and monitor every single instance of computer network access. They’re called endpoints, says Larry Ponemon, founder of the security consulting firm the Ponemon Institute, and for you they exist as vulnerabilities.

Your job is to eliminate them through a series of basic security-promoting tasks.

While your IT security staff may have conducted such work in the past related to HIPAA, “in the past” is never recent enough for a robust security program in the hyper-changing technology world, especially if the work was incomplete or conducted over a year ago. In too many hospitals, security protections have been a one-shot effort conducted years ago with little follow-up. Your hospital may need to undertake the following actions from a blank slate perspective in order to combat today’s sophisticated threats.

1. Identify every device on the network.

We’re not talking about just desktops and laptops, here. Think more broadly and identify everything that has a network connection—desktops, laptops, tablets, mobile phones, IoT devices, etc.  You may have also permitted network access for clinicians and staff using their own devices, so take the time to identify those users as well.

2. Update your software.

After figuring out how many networked devices you have, make sure the security applications on each, which includes operating systems, are up to date.

“One of the main reasons hospitals have become ground zero for ransomware attacks is that almost every modern medical device is now a computer,” writes Phillip Hallam-Baker, vice president and principal scientist for cybersecurity firm Comodo, in Health Data Management. “It is not uncommon to find a multi-million dollar device such as an MRI machine running Windows XP Embedded, an operating system version that was last updated when it was retired in 2011.”

Hallam-Baker adds that defeating malware, particularly ransomware, requires a three-pronged approach:

– Scan inbound email for infected attachments and links to malware sites that automatically download to your computer.

– Block access to malware sites.
– Run anti-virus software on every computer in use.

3. Spread the security gospel.

Now, it’s time for the social engineering. According to respondents in a Ponemon Institute study on networks and cybercrime, 81 percent feel the greatest threat to security is negligent and careless employees who don’t follow established policies and practices. This issue has been complicated in recent years by threats from insecure mobile devices. Train every employee in proper security practices, and reinforce them frequently.

4. Secure the patient portal.

At some point, turn your attention to the patient portal you installed to meet Meaningful Use. Keith Fricke, the principal consultant at tw-Security, wants you to know that it could create vulnerabilities. Imagine, for example, hostile code that lives on a popular website and downloads to a patient’s home computer. Later visits by that patient to an insecure hospital patient portal might provide a hacker with access to numerous patient records and the opportunity to pass along a virus, hitting your organization with a double whammy.

5. Cover your business associate bases.

In recent years, according to Ponemon, business associates (BAs) have endured even more data security incidents than healthcare providers.  A major reason is that HIPAA-required BA agreements, once signed, tend to sit on the shelves of all parties. Your partners, including IT vendors, may feel much less urgency about patient data security than you do. Make sure their lack of urgency does not impact your security by taking these steps:

– Evaluate your entire list of vendors and similar partners to determine which have access to protected health information (PHI). Perhaps some BA agreements were never signed, which puts your organization at great risk.

 
– Review all of your BA agreement files. Those dated prior to 2013 are obsolete, which adds to your hospital’s security vulnerability. The 2013 Omnibus HIPAA regulations are much stricter with business associates than the original HIPAA security rules, so it is critical to your security program that all BA partners sign an updated agreement.
 
– Insist on compliance with the newer rules as a condition of your continued relationship. Double check your BA’s level of security and ask to see its most recent security risk assessment, one of its many obligations under HIPAA.

Taking these actions will greatly improve your organization’s security position and give you much, if not all, the information you need to perform your own HIPAA-required security risk assessment.

A final note on the costs of data security

Many organizations are ill-prepared for the growing onslaught of security incidents, not because they don’t care, but because of inadequate funding and security expertise. High expenditures for recent initiatives such as Meaningful Use and ICD-10 implementation have not helped. Moving forward, senior management must view data security as a cost of doing business, just as it is with financial services and retail. You will have to spend money on security regularly to make it work. As technologies change and security risks increase, a sustainable security program must include regular updates and different and/or additional spending.

In 2017, the security race between hackers and healthcare is going stronger than ever, but it’s not too late to secure your organization’s network if you move quickly and deliberately. 

D’Arcy Gue is Director of Industry Relations for Medsphere Systems Corporation.

[ultimatesocial networks="facebook,twitter,google,linkedin,mail" url="" custom_class="us-posts-bottom" align="left" count="false"]

Get in-depth healthcare technology analysis and commentary delivered straight to your email weekly

« American Diabetes Association Recognizes One Drop’s Diabetes Education and Coaching Program
Healthbox Launches Horizon Scan Platform to Help Healthcare Organizations Evaluate Digital Health Solutions »

Subscribe to HIT Consultant

Latest insightful articles delivered straight to your inbox weekly.

Submit a Tip or Pitch

Recent Articles

  • CVS Health Launches Senior Medical Alert System, Symphony

    CVS Health Launches Senior Medical Alert System, Symphony

    ... more
  • Amalgam Rx Acquires Clinical Decision Support Platform Avhana Health

    Amalgam Rx Acquires Clinical Decision Support Platform Avhana Health – M&A

    ... more
  • 20 COVID-19 Predictions and Trends for 2021 - Executive Roundup

    MEDITECH Launches Quick Vaccination Solution to Streamline COVID-19 Vaccination Process

    ... more
  • Heritage Group

    Healthcare PE Firm Heritage Group Launches $300M Health Tech Fund

    ... more

Most Read

  • 30 Executives Share Top Healthcare Predictions & Trends to Watch in 2021 30 Executives Share Top Healthcare Predictions & Trends to Watch in 2021
  • 20 COVID-19 Predictions and Trends for 2021 - Executive Roundup 20 COVID-19 Predictions and Trends for 2021 – Executive Roundup
  • Heritage Group Healthcare PE Firm Heritage Group Launches $300M Health Tech Fund
  • 16 COVID-19 Predictions and Trends for 2021 Executive Roundup 12-Available-COVID-19-Vaccine-Management-Solutions-to-Know-In-Depth-1 17 Recently Launched COVID-19 Vaccine Management Solutions to Know
  • FDA Approves COVID-19 Oral Fluid Test for Use Nationwide In-Depth: 32 FDA-Approved COVID-19 Testing Kits
  • CVS Health Launches Senior Medical Alert System, Symphony CVS Health Launches Senior Medical Alert System, Symphony
  • Provider Strategies for Mitigating Telehealth Fraud & Abuse in 2021 Provider Strategies for Mitigating Telehealth Fraud & Abuse in 2021
  • 5G in Healthcare: 7 Advantages & Disadvantages for Providers to Know 5G in Healthcare: 7 Advantages & Disadvantages for Providers to Know
  • Healthcare Breach Report 2016 6 Ways Health Informatics Is Transforming Health Care
  • Fundamental Surgery Becomes First VR Surgical Training Simulation to Gain CPD Accreditation 18 Healthcare Augmented Reality and Virtual Reality Companies to Watch

Company

  • About Us
  • Advertise with Us
  • Reprints and Permissions
  • 2020 Editorial Calendar
  • Submit An Op-Ed
  • Contact
  • Subscribe

Editorial Coverage

  • Opinion
  • Health IT
    • Care Coordination
    • EMR/EHR
    • Interoperability
    • Population Health Management
    • Revenue Cycle Management
  • Digital Health
    • Artificial Intelligence
    • Blockchain Tech
    • Precision Medicine
    • Telehealth
    • Wearables
  • Startups
  • Value-Based Care
    • Accountable Care
    • Medicare Advantage

Connect

Subscribe to HIT Consultant Media

Latest insightful articles delivered straight to your inbox weekly

Copyright © 2021. HIT Consultant Media. All Rights Reserved. Privacy Policy |