Electronic health data is never fully protected, and with the growth of health IT infrastructure, data is more susceptible to cyber attacks. Cybersecurity is a large part of any network, cloud, or wireless infrastructure and is necessary for all deployments. Networks need to be protected against malicious attacks and service failure to keep protected health data safe and to quickly resume normal activity after an outage.
Several government organizations have resources readily available for healthcare institutions. According to the Department of Health and Human Services (HHS), these resources are needed to mitigate cyber threats and strengthen cybersecurity in the HPH sector in order to address potential vulnerabilities. HHS provides a checklist that “outlines several hardware, software and educational items organizations should consider and implement to protect their digital infrastructure.”
Implementing security protocols for hardware is the first step in ensuring an organization’s infrastructure is protected. Never leave devices with network access out in the open and lock up any company devices at the end of the night. Lost or stolen devices need to be reported immediately, and special permissions must be granted for data transfer off of a device via USB or disk.
If an employee leaves an organization or is given a new device, wiping all user data off the old device ensures another user won’t come across it. Deactivating old user accounts for former employees safeguards against unauthorized users gaining access.
Protecting software is the next step in preventing protected health data from getting into the wrong hands. If a hacker does gain access to the network, encrypting the data protects it from being compromised. Instead of giving employees access to the entire data center, limiting access only to the programs, applications, and data each employee uses regularly will limit the number of user vulnerabilities.
Regularly scheduled software audits and antivirus scans alert IT if any unauthorized software applications were installed without the user’s knowledge. Network firewalls and secure VPN connections protect data from outside access.
The HHS checklist stresses the importance of EHRs and advises organizations to “configure any EHR system or database to require specific access permissions for each user; inquire with the EHR vendor to determine how they provide updates and technical support.”
Educating users and establishing policies for disaster recovery and the dangers of vulnerable data prevents user error attacks. Conducting information sessions about phishing and spyware, and informing users of the laws surrounding healthcare data, can go a long way in preventing careless mistakes.
Many users don’t realize that accessing the network from a public Wi-Fi hotspot or not changing their passwords often enough can leave the door open for hackers.
Other government programs can assist further in making sure an organization's health IT infrastructure is secure. The Computer Emergency Readiness Team conducts a no-cost assessment to “evaluate an organization’s operational resilience and cybersecurity practices.”
The Department of Homeland Security offers the Enhanced Cybersecurity Services (ECS) program, which is a voluntary information sharing program. It “assists critical infrastructure owners and operators to improve protection of their systems from unauthorized access, exploitation, or data exfiltration.” The ECS shares government cybersecurity information with qualified commercial service providers in order to improve security. Healthcare organizations participating in this program get the benefit of security evaluations and can use the data collected to improve internal operations.
Programs like these are not mandatory for healthcare organizations, but they can be useful to smaller practices with small IT departments. Not all practices are aware of how to conduct evaluations, leaving their networks vulnerable in some areas. These resources aim to serve organizations of all sizes and can bring to light areas where health IT infrastructure needs to be improved.