Data protection and infrastructure security continue to be top of mind for hospital IT executives. Healthcare IT departments are revamping their security strategy and upgrading their security platforms to deal with the threat of data breaches and system disruption from malware.
With threats from cybercriminals growing and attack methods advancing, CIOs want to take the right steps to ensure their organization's data is adequately protected. Several best practices that every healthcare CIO should consider to control data access and secure healthcare communication follow.
Identity management and access control
Multifactor authentication (MFA), strong passwords, single sign-on and access management are critical first steps to ensure only authorized users can reach data. Identity management platforms that include MFA and other security components reduce the risk of an attacker getting in with a stolen, phished or guessed password, because the password alone is no longer enough. These systems are also important for managing and monitoring user access to healthcare data.
Alternative methods for health data transport
While CIOs continue to work on protecting data within the hospital environment, another concern many of them have is the security of data in transit. Many of the traditional methods for secure healthcare communication, such as those built on web services, can still be vulnerable if they are misconfigured or left unpatched. As a result, some security experts suggest blockchain as a method for transporting healthcare messages, since a ledger gives every party a tamper-evident, auditable record of what was sent. A practitioner should note what a ledger does not do: it does not by itself keep message contents confidential, so transport still needs encryption in transit (for example TLS), and protected health information should not be written to a shared ledger in the clear. With that caveat, hospital CIOs should consider the technology as they look to improve their future data exchange security.
Protect information internally and externally
Hospital staff deal with two sets of data: patient data, which is protected health information (PHI) under HIPAA, and business-sensitive data related to the hospital's daily operations. Both sets are important and require the same level of protection. IT must maintain access control over data internally and after it leaves the organization's network perimeter.
Data loss prevention (DLP) tools inspect data as it moves and trigger a security event when content matches defined criteria, so that sensitive information is encrypted or blocked before it leaks. For example, a user emailing protected health information to an external address should trigger automatic email encryption, and protected data being copied to a local drive or a USB flash drive should raise an alert or block the copy, depending on policy.
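The decision logic such a DLP rule encodes, as an added example written for this page rather than code from any DLP product: a small content classifier looks for PHI markers in an outbound event and maps the event type and destination to an action. The SSN and MRN patterns, the `hospital.example` internal domain and the event shapes are all assumptions chosen for the illustration; a real deployment would use the vendor's detectors and the organization's own identifiers.

```python
"""Rule-based DLP decision for outbound events (added example; constructed data)."""
import re
from dataclasses import dataclass

# Assumed PHI detectors: a US SSN and a hypothetical "MRN 12345678" record number.
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:# ]?\d{6,10}\b", re.IGNORECASE),
}

# Assumed internal mail domain; mail that stays here needs no extra encryption.
INTERNAL_DOMAINS = {"hospital.example"}


@dataclass
class Event:
    kind: str          # "email", "usb_copy" or "local_copy"
    user: str
    destination: str   # recipient address for email, device path for copies
    content: str       # message body or file contents


def find_phi(text):
    """Return the names of every PHI pattern that matches the text."""
    return sorted(name for name, pat in PHI_PATTERNS.items() if pat.search(text))


def decide(event):
    """Map an event to (action, phi_hits) following the policy in the text:
    PHI by email to an outside domain -> encrypt; PHI to USB -> block;
    PHI to a local drive -> alert; anything without PHI -> allow."""
    hits = find_phi(event.content)
    if not hits:
        return "allow", hits
    if event.kind == "email":
        domain = event.destination.rsplit("@", 1)[-1].lower()
        return ("allow" if domain in INTERNAL_DOMAINS else "encrypt"), hits
    if event.kind == "usb_copy":
        return "block", hits
    # local_copy and any unrecognised kind: log a security event for review
    return "alert", hits


if __name__ == "__main__":
    for ev in (
        Event("email", "nurse1", "relative@mail.example", "Patient MRN 12345678 admitted"),
        Event("email", "nurse1", "dr@hospital.example", "MRN 12345678 for consult"),
        Event("usb_copy", "clerk", "E:\\export.csv", "name,ssn\nA. Person,123-45-6789"),
        Event("email", "admin", "anyone@mail.example", "lunch at noon?"),
    ):
        print(ev.kind, ev.destination, decide(ev))
```

The classifier is deliberately conservative: any hit, whatever the pattern, forces a decision, and the decision is keyed on where the data is going rather than on who is sending it.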
Device security and controls
Access to information within a hospital now includes employees viewing health data on their mobile devices. As more connected devices join the hospital network, IT must have adequate tools to manage and monitor the security policies applied to those endpoints, including keeping the devices current with security patches.
More end-user education and awareness
One of the realities of cyberattacks is that software and security products cannot prevent 100% of them. This leaves hospitals exposed even when they run the latest tools. Hospital CIOs can improve data protection by teaching end users how to reduce their risk of attacks and infections by recognizing hidden threats: phishing emails, fake websites and requests for passwords sent by email. An ongoing training and security awareness program that helps users avoid harmful websites and malicious email attachments mitigates these risks significantly.
Adopt strong employee and vendor policies
Most employers already have acceptable use and access policies for their personnel. These policies ensure that workers understand that, as part of their employment agreement, they must know how to handle sensitive data and are accountable for negligence or misuse. IT must ensure the policies in place are clear and that employees understand what they mean in practice.
Similar policies that go beyond the business associate agreement must be put in place for vendors. IT must ensure that vendors who interact with health system data have appropriate security protections in place to adequately protect it.
Use intelligent threat protections
Attackers are estimated to spend an extended period inside an environment before they act, exploring the data and elevating their privileges on the targeted systems. Hospitals must therefore adopt tools that proactively and intelligently monitor the environment for abnormal activity, so that this dwell time becomes detection time, while maintaining channels of secure healthcare communication. Many of the newer security tools on the market use artificial intelligence to detect such activity by evaluating logs and user behavior across systems. Some vendors refer to this layer of security as advanced threat protection.
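What "evaluating logs and user activity for abnormal behavior" looks like in the simplest form, as an added example that is not code from any vendor's product: a per-user baseline is built from historical EHR access logs, and a new day's logs are checked against it for three things an intruder who is exploring and escalating tends to produce: record views far above the user's normal volume, access at hours the user has never worked, and privilege changes. The log format, the user names, the `grant_admin`/`add_role` action names and the 3-sigma threshold are assumptions for the illustration, and all log lines are constructed.

```python
"""Baseline-then-detect over EHR access logs (added example; constructed data)."""
from collections import defaultdict
from datetime import datetime
import statistics

# Constructed history: "<ISO timestamp> <user> <action> <object>" (assumed format).
BASELINE_LOGS = """
2023-05-01T09:05:00 dsmith view_record pt-1001
2023-05-01T09:40:00 dsmith view_record pt-1002
2023-05-02T10:15:00 dsmith view_record pt-1003
2023-05-02T10:20:00 dsmith view_record pt-1004
2023-05-02T10:45:00 dsmith view_record pt-1005
2023-05-03T09:30:00 dsmith view_record pt-1006
2023-05-03T09:55:00 dsmith view_record pt-1007
2023-05-01T14:00:00 jdoe view_record pt-2001
2023-05-02T14:10:00 jdoe view_record pt-2002
2023-05-03T15:00:00 jdoe view_record pt-2003
""".strip().splitlines()

# Constructed new day to evaluate against the baseline.
NEW_LOGS = """
2023-05-04T09:10:00 dsmith view_record pt-1101
2023-05-04T09:12:00 dsmith view_record pt-1102
2023-05-04T09:14:00 dsmith view_record pt-1103
2023-05-04T09:16:00 dsmith view_record pt-1104
2023-05-04T09:18:00 dsmith view_record pt-1105
2023-05-04T09:20:00 dsmith view_record pt-1106
2023-05-04T02:30:00 jdoe view_record pt-2101
2023-05-04T11:00:00 jdoe grant_admin jdoe
2023-05-04T11:05:00 ghost view_record pt-3001
""".strip().splitlines()

PRIV_ACTIONS = {"grant_admin", "add_role"}  # assumed privilege-change action names


def parse(line):
    ts, user, action, obj = line.split()
    return datetime.fromisoformat(ts), user, action, obj


def build_profiles(lines):
    """Per user: a daily record-view threshold and the set of hours seen."""
    per_day = defaultdict(lambda: defaultdict(int))
    hours = defaultdict(set)
    for line in lines:
        ts, user, action, _ = parse(line)
        if action == "view_record":
            per_day[user][ts.date()] += 1
            hours[user].add(ts.hour)
    profiles = {}
    for user, days in per_day.items():
        counts = list(days.values())
        mean = statistics.mean(counts)
        # 3-sigma bound, floored at double the mean so a perfectly flat
        # baseline (stdev 0) does not alert on one extra record.
        threshold = max(mean + 3 * statistics.pstdev(counts), 2 * mean)
        profiles[user] = {"threshold": threshold, "hours": hours[user]}
    return profiles


def detect(profiles, lines):
    """Return (user, reason, object) alerts in log order; volume fires once per day."""
    alerts = []
    views = defaultdict(int)      # (user, date) -> views so far today
    volume_alerted = set()
    for line in lines:
        ts, user, action, obj = parse(line)
        if action in PRIV_ACTIONS:
            alerts.append((user, "privilege_change", obj))
            continue
        if action != "view_record":
            continue
        prof = profiles.get(user)
        if prof is None:
            alerts.append((user, "unknown_user", obj))
            continue
        if ts.hour not in prof["hours"]:
            alerts.append((user, "off_hours", obj))
        key = (user, ts.date())
        views[key] += 1
        if views[key] > prof["threshold"] and key not in volume_alerted:
            volume_alerted.add(key)
            alerts.append((user, "volume", obj))
    return alerts


def run():
    return detect(build_profiles(BASELINE_LOGS), NEW_LOGS)


if __name__ == "__main__":
    for alert in run():
        print(*alert)
```

With this data dsmith's baseline is 2 to 3 views per day in the 9 and 10 o'clock hours, so the fifth view on the new day trips the volume rule once; jdoe's 02:30 access is outside every hour in the baseline, the self-granted admin role is flagged regardless of volume, and a user with no history at all is reported rather than silently given a profile.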
Maintain an incident response plan
Regardless of the security tools and preventive steps taken to guard against data breaches, healthcare CIOs must always be prepared for the worst and keep a written incident response plan that details who does what when a breach is discovered. The Department of Health and Human Services offers guidance on how to respond to a breach.
The increase in cyberattacks and reported data breaches continues to push health IT executives to do more in their security strategy to prevent data leaks and provide a means for secure healthcare communication. Several events in the last three years have forced health IT executives to move security to the top of the priority list and increase awareness of it. The steps recommended above are meant to give health IT executives a set of security practices that will help strengthen their protections in the face of increasing threats.