Cybersecurity continues to be an important part of information technology (IT) services in hospitals and healthcare facilities. To help hospital C-suite and senior leaders understand the vital role of cybersecurity, we’re sharing some of the top questions we receive at Pixel Health and our answers for improving security and protecting patient data.
1. Where is my IT system most exposed to risk in a healthcare setting?
Individual users of an IT system represent one of the largest risks, because sophisticated social engineering techniques can be difficult to detect. Cybercriminals commonly use social engineering to gather information about a target and then send phishing emails. If the phishing succeeds, they can compromise business email accounts, obtain login credentials, and/or install malware.
User education is the first line of defense: every user of a mobile device, phone, or laptop should be trained to recognize phishing, smishing (SMS phishing), and vishing (voice phishing) attempts.
2. Where does a healthcare system start when evaluating its current cybersecurity?
A gap analysis is a systematic approach to evaluating an organization’s entire security suite. This involves examining the different levels of security, which include:
- Device endpoint security: Antivirus software, endpoint firewalls, and web content filtering can represent the first layer of defense.
- Network security: Intrusion prevention/detection systems along with a second level of firewall protections and web content filtering can be set at the network level.
- Login security: The use of multi-factor authentication (MFA) can lower the chance of compromise through social engineering. Remote and hybrid users who connect over the Remote Desktop Protocol (RDP) represent a vulnerability, especially when the RDP endpoints are public-facing and don’t require MFA.
By evaluating an organization’s entire security suite, the resulting gap analysis report details where to improve cybersecurity from a technical standpoint.
3. Beyond technical solutions, what else is needed to reduce security risks?
Administrative controls represent an important facet of cybersecurity best practices. Policies and procedures should define acceptable use, such as using company email only for company business, rules about internet browsing for personal use, and the administrative and security controls required before work may be performed on personal devices (known as “bring your own device” [BYOD]).
User awareness training is essential, and the industry is trending toward “microtraining” with quick weekly or monthly reminders to engage employees and remind them to be vigilant when interacting through their devices.
Healthcare organizations should also have plans in place for any change in a network or system as part of their business continuity planning.
4. What do we need to do for cybersecurity safeguards to meet insurance requirements?
Insurance questionnaires often include extensive questions about data security, such as data backup methods, network configurations, encryption, and backup testing. If an insurer identifies risk in some of the current IT systems, premiums could be higher (or the policy could go unrenewed) until the identified security issues are resolved.
5. What do we need to prepare for the worst-case scenario of a breach?
An incident response plan is a key part of disaster recovery planning. It includes policies and a playbook that outlines the response process. If protected health information (PHI) is exposed, HIPAA’s Breach Notification Rule outlines the steps to take, depending on the number of individuals affected.
An annual or semi-annual test run can help organizations review and coordinate their incident response tasks. These tests range from simply walking through a checklist to the more involved simulation of an incident, known as a tabletop exercise. In this low-stress scenario, the urgency and anxiety of a live incident are removed, allowing the team to critically evaluate the incident response plan and make recommendations for ongoing improvement.
Pixel Health understands the importance of protecting patient information. Our team is here to help you ensure your systems, people, and properties stay safe.
Contact the Pixel Health team to learn more about our cybersecurity solutions.