In the past 18 months, there have been breaches of security related to protected health information (PHI) at Broward Health, Florida Healthy Kids, and the Accellion FTA Hack. In turn, these breaches resulted in 11 more healthcare organizations getting exploited. Clearly, cybersecurity for protected health information should be top of the IT department’s list. Yet again and again, these vulnerabilities continue to get exploited. Is ensuring the security of healthcare data becoming a job of rolling the boulder uphill?
Hippajournal.com cited in an article from December 2021 that “The Department of Health and Human Services’ Office for Civil Rights’ breach portal shows 686 healthcare data breaches of 500 or more records in 2021, and that number is likely to grow over the next couple of weeks and could well exceed 700 data breaches. As it stands, 2021 is already the worst ever year for healthcare data breaches, beating last year’s record of 642 data breaches.”
Secure Protected Health Information (PHI) With These 9 Practices
So what does this mean for IT and Cybersecurity leadership? Knowing that you don’t want to make that “HIPAA Wall of Shame”, it means you need to double down on education, experience and tools to help prevent these types of breaches and 2022 is the time to do it. Our team has shared a list of things we take seriously here at SPK when working with our clients. We want to share these with you to advance your own internal security and to help prevent potential negative outcomes.
1. Maintain And Train On A Data Breach Response Plan/Policy.
The details of what healthcare organizations need to do in response to a breach is documented in the HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414. However, there are many steps that you’ll want to have readily available. You will need to be able to execute them rapidly in the event of a breach.
It is essential to have a thoroughly constructed and tested health data breach plan. Many different parts of an organization should contribute to this plan’s creation and testing. In addition, they must be made aware of their responsibilities in advance so they know how to act when a breach occurs.
The health data breach response plan should divert resources to deal with the breach without severely impacting the business, and still comply in a fast and efficient manner. Some companies engage consultants like SPK and Associates to assist with a HIPAA breach response, or even continually involve them from the time a plan is drafted. By keeping an external expert engaged continually, you reduce the risk. External experts typically have more than one client and understand regulation changes and common attack vectors. As such, they will see patterns before your organization may.
A communications plan must be developed. In the event of a ransomware attack when systems are taken out of action, or when networks need to be shut down to minimize damage, everyone in the organization will know what is going on and how to act. When we engage with clients, SPK can provide templates that start to frame a proper response plan.
2. Keep Software Up-To-Date.
One of the biggest security holes for protected health information is outdated or unpatched software. Software updates come out from time to time to add new features and functions. But a core driver of software updates is related to security and reducing risks. Software manufacturers are aware that to reduce enterprise risk they must have a robust software update alerting mechanism. Clients with this software will either need to update by hand, or enable/allow automatic updates. For the enterprise IT department, this means either ensuring users follow the update path, or managing it for them.
Software vulnerabilities come in all shapes and sizes. Some of those vulnerabilities target individual end users, but many of those vulnerabilities target business users. With the rise of remote work due to COVID-19, there is a blurred line between “my work computer” and “my personal computer.” So, not only is corporate IT responsible for the security of your work devices, it also needs to account for your personal device security. This includes things like tablets and phones that others in your home may be using.
Better Systems and Standards
In order to handle such a situation, especially since the increased remote work forced by the pandemic, IT and security departments are creating better systems and standards. The systems must be supported by a set of tools that keeps software updated, and knows when software is not updated (knowing the risk is half the battle). One key point made by cybersecurity and IT professionals, is that “not everybody needs all software.” If you limit the types of software issues that can exist, this reduces the vector of attack for a hacker. Another helpful practice is to set policies for automatically accepting updates. Finally, be sure to train employees to vigilantly keep an eye on the tools they are using and what goes into them. It is a huge help to increase end user knowledge and provide them with self service options.
3. Review Vendor Hardware And Virtual Devices Regularly.
Yes, there are crazy stories out there about hardware being counterfeit or hardware that has an embedded malware on it. No, those things don’t just happen in spy novels. It is possible for them to happen in real life. However, those aren’t the most common problems related to hardware and virtual devices.
More commonly, we see appliance devices or virtual devices that go out of support. Either the OEM no longer exists or the organization didn’t renew (or forgot to renew) their support, which normally includes updates. With out-of-date support and software, serious security gaps emerge. These are the sorts of vulnerabilities we see, rather than James Bond inserting a USB drive into a computer at Fort Knox.
In order to modernize, IT leaders must ensure there is a decommissioning strategy for legacy systems. This strategy should budgeting for new systems or services, and identifying the benefits of it. Make sure your decommission plan has detailed instructions on all the steps of decommissioning, and how you’re going to handle or mitigate the risks until such time that the legacy system is decommissioned.
4. Use And Maintain A Secure File-Sharing Solution With Regular Policy Checks.
With tons of data being transmitted over the internet every minute, it’s hard to know which small bits of that are vulnerable. And yes, protected health information (PHI) data is some of the most sensitive data being stored on computers and servers today. However, with the rise of the digital economy, we all had to find a way to share larger files with others in order to conduct business. In doing so, you expose private and public (or at least not PHI) data to the same user, which is making a decision on what to share with the world. So, obviously security is a huge consideration when implementing one of these file-sharing solutions.
On the positive side of file sharing, you can allow individuals inside your company to share large files over the internet with others they are working with (either employees, contractors, or external entities). This makes it easier to collaborate. All good things, right? Well, the potential risks that IT and cybersecurity professionals have to deal with include concerns about tracking and trackability, a higher risk of viruses or malware infecting more than just one user, and the support for permissions or different types of sharing options.
When looking at sharing services, pick a service that offers end-to-end encryption. This protects you from external hackers and also prevents the host itself from viewing your data. Run audits to see who is accessing your files and look for anomalies. Studies say that almost 60% of files that are on a file sharing service are never shared. These practices can reduce your vectors of attack as well.
5. Enforce Strong Password Policies On All Systems.
I get it. Many of us have been around long enough to see the mandatory password changes every 30 or 60 days and we have scars from it. But a strong, smart password policy is your first line of defense against a potential attacker. It is a foundational layer of your security plan.
According to Digicert, technology should facilitate, not complicate passwords. Things like two-factor authentication can be employed on many different types of applications now, and you can make security easy if you follow their simple 4 step process.
6. Use And Manage A Robust Security System (Including IDS, IPS, A Trusted Anti-Malware And Antivirus Platform).
Since the data held by healthcare organizations is extremely sensitive, you should consider having an Intrusion Detection System (IDS) and/or an Intrusion Prevention System (IPS). These systems detect or prevent attempts to compromise the confidentiality, integrity or availability of your systems. IDS or IPS products are software (and potentially hardware) tools that can assist in protecting an organization from intrusion. Intrusion detection and prevention capabilities can help a company secure its information. The tool could be used to detect or prevent an intruder, identify and stop the intruder, support investigations to find out how the intruder got in, and stop exploitation by future attackers.
Anti-Virus and Anti-Malware
Anti-virus and anti-malware tools are essential for identity protection, corporate information protection, and safeguarding protected health information (PHI). With the right antivirus and anti-malware applications, you can protect against large numbers of attacks and prevent issues before they arise. But until recently, doing so at a large enterprise level was expensive, time consuming and support heavy. With newer tools that are more user friendly, more efficient, and easier for remote management, IT staff are experiencing lower overhead on these types of implementations. Also, because of the lowered support costs, it allows organizations to purchase more licenses for other personal devices such as cell phones, which are also an attack vector.
7. Conduct Routine Security Awareness Training For All Staff Members.
An ounce of prevention is worth a pound of cure. It costs very little in the grand scheme of things to educate your employees to the threats and vulnerabilities they unconsciously face when working within the day-to-day technology systems. There are courses that will provide working knowledge of cyber intrusion methods and cybersecurity countermeasures. These can assist employees in preventing cyber attacks and protecting their systems and information.
8. Review And Manage Your Access Controls On A Regular Basis.
This may sound very rudimentary, but many exploits are simply from past employees that were never removed from systems. In this type of check, you’ll want to ensure that you cover the policy of deciding when former employees/contractors no longer need access. Then, this must map to a process that ensures they are removed from the system. When employees are terminated, they should be removed from systems immediately. Also, who has access to add/remove individuals to access control lists? Are the additions and removals logged so that accountability can be assigned and others can check systems? Who is monitoring employees’ and vendors’ systems access? Another issue is password or account sharing. By looking at IP address location or other data, you can manage and determine if this type of behavior is happening. Account credentials (login and password) should only be used by the person for whom it is created.
9. Conduct Penetration Testing Regularly.
Consider using a third party vendor to conduct penetration tests of your infrastructure. Or, you can use existing staff to conduct these tests from unauthorized accounts or computers. Systems should be able to detect this and act or report as needed. Determine the scope of the systems you want to test. Be sure to take into account the risks and resources needed to test. In many cases, these tests can help determine problems before they are found and used to breach your data.
Safeguarding protected health information (PHI) is difficult. But, with the proper measures to address risks, it can be done wisely. Hopefully, our list has added value to your own list of security checks that you’ll apply in 2022. And while the information provided here is important, it differs from the cybersecurity measures that are needed for medical technology products. What is addressed here focuses on cybersecurity from an IT or internal data perspective. There is another angle of cybersecurity related to products that may contain PHI. We’ll talk about that more in a future post.