Healthcare Cyber Hygiene: 5 Best Practices to Protect Patient Data

by Saurabh Harit 02/19/2018 Leave a Comment


Hospital-acquired infections and data breaches may have vastly different causes, but they have one thing in common—they put healthcare organizations and patients at risk. The “pathogens” which cause data breaches originate both externally and internally—but practicing healthcare cyber hygiene can reduce or eliminate their “infection.”

Patient data has high value—to others. According to Verizon’s 2017 Data Breach Investigations Report, healthcare has the second highest number of breaches after financial services. PHI (protected health information) and PII (personally identifiable information) such as Social Security number, healthcare ID number, address, date of birth, and payment data can be worth millions on the ‘dark web’. In their 2017 study, IBM Security and Ponemon Institute estimated the cost of one breached healthcare record at $380, the highest among US industries. An earlier Ponemon study estimated the total annual cost of data breaches in healthcare to be $6.2 billion.

Data breaches and cyberattacks designed to steal information or dump it on the ‘dark web’ put healthcare organizations at financial and operational risk. An external cyberattack or DDoS initiated through brute force, phishing, malware that steals legitimate access credentials, or Locky/Petya-type ransomware that shuts down systems can limit patient care by taking EHRs, patient portals, and business processes such as billing and payments offline. Insider breaches due to theft, equipment loss, snooping, and errors may not be as obvious, but historically they have accounted for the largest number of breach incidents. They can compromise systems and go undetected for years: 14 years, in the case of Tewksbury Hospital in Massachusetts.

The financial aftermath of a breach can cost millions more in investigations, settlements, remediation, restoration, and substantial fines. Anthem paid a record $115 million to settle lawsuits over the 2015 breach of 78 million records. The HHS Office for Civil Rights (OCR), responsible for federal privacy and security enforcement under HIPAA, has stepped up its activities, recently fining a Denver FQHC $400,000 for security noncompliance. Failing to secure data also makes it harder to meet quality-of-care and national performance standards in value-based care, such as the Quality Payment Program required by MACRA and the Medicare Shared Savings Program (MSSP) for ACOs.

Protect patient data through healthcare cyber hygiene. Just as clinicians work ceaselessly to prevent hospital-acquired infections, CISOs, CIOs and healthcare IT departments must dedicate themselves to cyber hygiene—a series of best practices for protecting sensitive data. No matter what type of healthcare or related organization you work in—a large research hospital, clinic, regional medical center, insurance company, or a provider of business or clinical/CRO services—the data you work with must be protected. The five best practices that follow are a start:

1. Train employees

Technical, administrative, and clinical staff are the first line of defense in everyday cyber hygiene. They must understand the importance of practices such as never sharing passwords; securing hardware against theft; avoiding default passwords and default system configurations; changing passwords regularly; keeping systems patched and current; learning to spot suspicious emails; and not clicking embedded email links or opening attachments. Continuing education should not only ensure that these practices are followed, but also adapt its content and approach as the threat landscape changes.

2. Encrypt data

Data should be encrypted both in transit, over the network or in email, and at rest, using Transport Layer Security (TLS) 1.2 or higher and AES with 256-bit keys. Encryption protects data against attackers who manage to breach other defenses and against man-in-the-middle attacks, in which a malicious actor intercepts communications to gain access to sensitive data.

3. Back up everything

Data backups are crucial to combating aggressive ransomware attacks. The only way to return systems and devices to normal after a successful ransomware attack is to restore from a clean backup. Back up business, medical, device, email and other data on a regular schedule, and keep copies in multiple physical locations.
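A backup is only useful if it is still clean when you need it. The following added example (not from the article) records a SHA-256 manifest at backup time and checks the copy against it before a restore, flagging files that are missing, altered or unexpected; the sample files are constructed for the demo.

```python
"""Added example: SHA-256 manifest for checking that a backup is intact before restoring."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file so large backup images do not have to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map every file under backup_dir (POSIX-style relative path) to its digest."""
    return {p.relative_to(backup_dir).as_posix(): sha256_of(p)
            for p in sorted(backup_dir.rglob("*")) if p.is_file()}


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the current tree with the stored manifest. All three lists empty == clean copy."""
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "modified": sorted(k for k in manifest if k in current and current[k] != manifest[k]),
        "unexpected": sorted(set(current) - set(manifest)),
    }


def demo() -> dict:
    """Constructed scenario: take a manifest, then alter one file and drop a stray file
    into the backup tree; the verification must report both before any restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "ehr").mkdir()
        (root / "ehr" / "patients.db").write_bytes(b"constructed sample records")
        (root / "billing.csv").write_text("id,amount\n1,380\n")
        manifest = build_manifest(root)  # keep this copy apart from the backup media itself
        manifest_json = json.dumps(manifest, indent=2)  # what you would store off-site
        (root / "ehr" / "patients.db").write_bytes(b"contents changed after backup")
        (root / "README_DECRYPT.txt").write_text("unexpected file")
        return verify_backup(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(demo())
```

Run the check against every restore candidate and fall back to an older copy when any list is non-empty.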

4. Perform regular scanning of devices and applications

Healthcare organizations must regularly scan their networks, workstations, mobile devices, and applications for known vulnerabilities. Cyberattacks can enter through an organization’s wired network, wireless network, applications, devices, and the physical environment itself. Unlike an enterprise that admits only badged personnel or approved visitors, a hospital is open to anyone. Visitors can easily overhear a conversation while standing in line, read materials left out in the open, or discreetly plug a USB device into a wheeled nurse’s cart or another accessible device. Unsecured text, chat and email messages that the organization sends to patients’ mobile devices also carry high risk.

5. Conduct regular threat modeling and penetration testing

Threat modeling and penetration testing exercises describe current threats and reveal how attackers could target your organization. They identify the systems an attacker could leverage to exploit vulnerabilities, and the potential entry points into networks, applications, and devices. Done regularly, this practice helps an organization address and remediate existing weaknesses effectively.

Healthcare cyber hygiene cannot guarantee that breaches never happen, but it can keep them from becoming disasters. No system is perfect, equipment can be stolen from the most secure facility, and ‘black hats’ are endlessly inventive, as the WannaCry and Petya/NotPetya ransomware attacks proved worldwide. By implementing these practices and continually upgrading their IT systems to meet emerging threats, healthcare and related organizations will significantly improve their security posture without compromising services for patients and their families, and benefit themselves financially in the process.

Saurabh Harit is a managing security consultant at Spirent Communications’ SecurityLabs unit where he is responsible for delivering penetration testing services to Spirent clients across the globe.
