October is Cybersecurity Awareness Month: follow the conversation and do your part. #BeCyberSmart
Follow us this month as we engage our health IT community in cybersecurity awareness while we all work to meet the new challenges of working from home and through the pandemic.
This is week 1 and the theme is If You Connect It, Protect It. The line between our online and offline lives is indistinguishable. This network of connections creates both opportunities and challenges for individuals and organizations across the globe. The first week of Cybersecurity Awareness Month will highlight the ways in which internet-connected devices have impacted our lives and will empower all users to own their role in security by taking steps to reduce their risks.
We asked our experts: What can you tell medical practices to help them reduce their risk when using internet-connected devices?
Healthcare technology is developing rapidly and providers are leveraging the use of Internet of Medical Things (IoMT) to improve patient safety and healthcare outcomes, and reduce cost, among other things. These devices have the ability to generate, collect, analyze and exchange vast amounts of sensitive patient information. With this power comes additional challenges for providers to integrate these devices while keeping data safe and secure. It is critical to strike a balance between cybersecurity and technology to protect the confidentiality, integrity, and availability of such data. Vetting vendors, proper deployment, addressing vulnerabilities and mitigating risk are key areas to focus on for compliance. All it takes is one technology misstep to cause a security breach of Protected Health Information (PHI), resulting in HIPAA fines. To learn more about current HIPAA trends, register for the Virtual HIPAA Privacy and Security Summit, co-hosted by Widener University Delaware Law School and First Healthcare Compliance. The half-day event will be held on November 12, 2020 and will include CLE and CEU credits.
In security generally, but in healthcare particularly, we are always looking for that silver bullet. There is no silver bullet, that’s the first thing I’d tell practices. The second thing is that security is, ultimately, a people issue. People are the first line of defense in cybersecurity and privacy for our people and our patients. They are also the last line of defense. Ironically, they are the least expensive thing to turn into security controls. Just showing people how to do something and that they have to do it that way is not enough anymore. We need to explain to our people, including our patients, frankly, why security and privacy are important, how it impacts them as patients and the laws and regulations that require it. It takes time to do that kind of training – perhaps the most precious commodity in healthcare – but it has to happen. We have the technology now to maintain security and privacy for patients, without adding hours to the day. If we have to add 5 seconds to a login using multi-factor authentication, I think we can explain that to a practitioner or staff member, because they have to understand that the risk is not only to the patient, but the users themselves are also at risk and, as we have seen too many times recently, the practice is at risk.
Medical practices normally depend on IT support, which can be from a health system that they are a part of, or from an IT company (e.g., a Managed Service Provider or MSP) that has the expertise to assess their connections from an information security standpoint. A large group practice may have its own internal IT support. Electronic protected health information (ePHI) must be periodically assessed for controls and protections when in use, in transit and at rest (stored). In general, an inventory of ePHI locations should be created by categories (e.g., mobile devices, applications, email, etc.), and each category must be assessed to determine controls, gaps, risks and what is necessary to mitigate risks. The world of technology and IoT is ever changing, and 2020 has been a significant example of that due to increases in telecommuting and telehealth applications. The assessment mentioned above, along with risk mitigation activities, must be done by subject matter experts that are typically external to a medical practice.
With internet-connected devices, getting hacked is not a matter of “if,” but “when,” so medical practices need to prepare. I suggest following the five pillars of the NIST cybersecurity framework. First, know what’s on your network at all times – not only a static view from your inventory, but also anything that may unexpectedly appear. Next, keep your systems up-to-date and segregate them via network segmentation. Third, monitor your network and systems continuously. Be prepared to aggregate and analyze logs to identify potential threats or an attack that’s already been successful. IBM says it often takes more than a year for a healthcare organization to discover an intrusion; our industry must do better. Since we probably can’t prevent every attack, having disaster recovery and business continuity plans is essential. Include all cybersecurity risks – from negligence to malicious attacks – from both inside and outside your organization. Don’t forget to rehearse your plans to make sure they’ll work, “if” and “when” you need to implement them. Always think back to the NIST framework: Identify, protect, detect, respond, and recover.
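The first pillar above, knowing what is on the network beyond the static inventory, can be checked mechanically. The following is an added example (not code from the original post or from any of the quoted experts) that reconciles a constructed device inventory against a constructed snapshot of observed hosts, flagging hosts that appeared unexpectedly, inventoried devices whose patch date is stale, and inventoried devices that were not seen; all MAC addresses, IPs, vendor names and dates are made up.

```python
# Added example: reconcile a practice's device inventory with what is actually
# observed on the network. Inventory records and the observed-host snapshot are
# constructed sample data, not real devices.
from datetime import date

# Constructed inventory keyed by MAC address: what the practice believes is connected.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"name": "infusion-pump-3", "vendor": "ExampleMed", "last_patched": "2020-05-01"},
    "aa:bb:cc:00:00:02": {"name": "imaging-ws-1", "vendor": "ExampleImaging", "last_patched": "2020-09-15"},
    "aa:bb:cc:00:00:03": {"name": "reception-pc", "vendor": "ExamplePC", "last_patched": "2020-09-20"},
}

# Constructed snapshot of hosts actually seen (as a DHCP lease table or ARP
# scan would report them); the last entry is not in the inventory.
OBSERVED = [
    ("aa:bb:cc:00:00:01", "10.0.1.11"),
    ("aa:bb:cc:00:00:03", "10.0.1.13"),
    ("aa:bb:cc:00:00:99", "10.0.1.77"),
]


def review_network(inventory, observed, today_iso, max_patch_age_days=90):
    """Return three sorted findings lists: unknown hosts, stale-patch devices, unseen devices."""
    today = date.fromisoformat(today_iso)
    seen = {mac for mac, _ in observed}
    # Anything on the wire that the inventory does not know about.
    unknown = sorted(ip for mac, ip in observed if mac not in inventory)
    # Inventoried devices that are present but have not been patched recently.
    stale = sorted(
        dev["name"] for mac, dev in inventory.items()
        if mac in seen
        and (today - date.fromisoformat(dev["last_patched"])).days > max_patch_age_days
    )
    # Inventoried devices that did not show up; the inventory may be out of date.
    missing = sorted(dev["name"] for mac, dev in inventory.items() if mac not in seen)
    return {"unknown_hosts": unknown, "stale_patch": stale, "not_seen": missing}


if __name__ == "__main__":
    for finding, items in review_network(INVENTORY, OBSERVED, "2020-10-01").items():
        print(f"{finding}: {items}")
```

Running the same comparison on every snapshot, rather than once a year, is what turns a static inventory into the continuous view the answer above calls for.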
Know what you are putting on your network and the vendor behind those devices. Do they have a strong reputation for security and privacy? It is important that vendors of these devices put security first and that they keep your devices updated with the latest security patches.