It is universally acknowledged that frequent hand washing can prevent the spread of infections – and yet, there are health care workers who don’t wash their hands. The use of motorcycle helmets can dramatically reduce the chances of head trauma during accidents, but over 25% of people don’t wear one while riding.
This same pattern emerges when it comes to cybersecurity in the health care space. Health care organizations can take several straightforward measures to preserve cybersecurity, but hospitals and health systems do not always follow these protocols. Unfortunately, some high-profile organizations have experienced data security lapses in which protected health information (PHI) has been exposed.
Although no electronic system is completely impenetrable, here are five steps organizations can employ to help limit the likelihood of a breach:
1. Acknowledge The Threat Is Real
While it is easy to see how someone with nefarious intentions might target a bank, credit card company or retail establishment to illegally access money, social security information or other financially related items, it is often harder to conceptualize why someone might hack a health care organization’s systems.
However, these entities can most certainly be a target for criminals, especially in the area of ransomware – a type of malicious software that holds patients’ PHI and financial data hostage until the hackers who deploy it receive payment. This is such a credible threat to health care organizations that the FBI has issued stern warnings about ransomware and the risks it presents to these types of organizations. Health care facilities must recognize that, without strong security measures, they are putting themselves and their patients at risk. To help alleviate this risk, they must make a commitment to creating and following a comprehensive cybersecurity program.
2. Revisit And Update Protocols
Organizations must have defined security procedures that address how staff access and interact with the technology in their facilities. It is typical for staff to use a pin or multicharacter password to unlock software that houses PHI. Where possible, implementing two-factor identification to further assure privacy is protected adds another level of protection. When setting parameters for pins and passwords, be sure they are sufficiently robust. For example, a pin should be six to eight digits as opposed to four, and a password should include alphanumeric characters as well as symbols. Staff should be required to change their passwords every 30 to 60 days. If they don’t, they should be locked out of the system.
It’s important to unilaterally apply these policies across the organization, from senior management to front-line staff – no one should be exempt.
3. Train And Regularly Update Staff On The Risks And Responsibilities
The effectiveness of an organization’s processes directly correlates with how consistent staff are in following those processes. To that end, organizations should provide comprehensive training on cybersecurity measures and the risks involved if staff members are not diligent about these efforts. For example, staff should be trained to recognize suspicious email communications and not open anything that could be potentially dangerous. They should also be instructed to reach out to IT staff if there is any doubt about an email’s authenticity. Both orientation and refresher training should be offered to ensure employees are regularly updated about new threats and security measures.
4. Obtain A Third-Party Audit
An organization may think it is doing all it can to preserve the privacy and security of its technology, but issues may be missed or overlooked. Every organization can benefit from a fresh perspective. As such, bring in an outside, non-biased entity to perform a detailed audit. The third party can conduct a comprehensive assessment, test weak points, review staff training and recommend improvement strategies so the organization is best protected.
5. Verify Software Has Comprehensive Built-In Security
Whenever a hospital or health system obtains a new piece of software, especially one that stores or exchanges PHI or financial data, the organization should ensure the software provider is committed to the highest levels of security. For example, the company should engage in regular audits of its solution as well as penetration testing to uncover and resolve potential weaknesses. In addition, all protected data found in the solution should be encrypted so that if the software is breached, the information is indecipherable.
If it is a cloud-based product, check that it is housed on a highly secure platform that follows the most stringent FedRAMP standards (the federal government’s access and security requirements for cloud-based computing). If the company provides a mobile app, confirm it does not store clinical information on the mobile device but uses flash memory to make such information temporarily available. This will ensure that if the mobile device is taken or lost, then no one can access the information without a password or other authorization tool.
Prevention Is Worth The Alternative
Like regular hand washing or wearing a motorcycle helmet, health care organizations can preserve data safety by consistently following these basic steps. By committing to the strategies mentioned above, hospitals and health systems can go a long way toward ensuring their patients’ health and financial information remains private and secure.
Originally posted on Forbes Technology Council (view original).