Security in Healthcare

Rohit Ranjan
10 min read · Aug 19, 2019


The U.S. Department of Health and Human Services (HHS) has legislation in place that helps to mitigate these risks and assists organisations in developing effective data governance policies. Data governance refers to a practice’s ability to safeguard its patients’ confidential information, and anyone working in the healthcare profession needs to be aware of the Health Insurance Portability and Accountability Act (HIPAA). Check out these websites for more information:

In general, this legislation mandates two types of compliance: required and addressable.

The ‘required’ regulations are compulsory for all healthcare providers while ‘addressable’ provisions are more flexible in that they take into account that not all organizations command the same degree of resources, and that compliance will be a tailored response.

Below are the top 10 best practices for healthcare security:

1. Risk Assessment

There are many risks to consider, though some will be more relevant than others. The most common ones are:

  • Active attempts by hackers to infiltrate your network security to steal information
  • Distributed Denial-of-Service (DDoS) attacks in an attempt to crash servers
  • Viruses, malware, and ransomware threats introduced unintentionally by internet use and infected devices connecting to the network
  • Deliberate theft or corruption of data by employees
  • Deliberate theft of equipment containing confidential records
  • Accidental viewing of confidential data by unauthorized people (either the public or employees)
  • Data loss through hardware failure or software bugs

Every possible risk needs to be identified and a policy introduced to deal with it. Part of the solution will also assign accountability. Policies would also need to include contingency plans outlining what to do when a breach happens. It is better to think ‘when, rather than if’ because security breaches will affect every organization at some point. Also, keep in mind that this is an on-going process that you will need to revisit periodically. The real world is dynamic & technology evolves, employees change, and government regulations are constantly being updated. Keep on top of things by scheduling regular audits.

2. Data Security

Encryption is the cornerstone of digital privacy and security so you need to make sure it is employed everywhere. No patient data should ever be stored in unencrypted form. Use industry-standard encryption algorithms. Ensure all hard drives and mobile devices have encryption enabled. If you ever need to destroy records, research how to do it effectively and permanently. The same applies when you retire old hardware. If you cannot guarantee a device has been wiped permanently, don’t recycle it.

3. Network Design (Physical & Software)

Whenever you build or update your workplace or network, do so with security in mind. Servers should be located in locked rooms. For critical areas you might even want to consider installing cameras. Choose operating systems designed with enterprise-level security. Linux is a great choice for workstations and servers because it provides superb access control. Install firewall software to protect your network from external internet threats; better still, invest in a commercial-grade hardware firewall. Wireless networks should employ the latest encryption standards; if your equipment can’t, consider upgrading to something current so you get the manufacturer’s security updates.

4. Security Trending Technologies

Mobile computing is the next ‘big thing’ and it’s almost certain that mobile devices will eventually become part of your practice’s network at some point. You’ll need to ensure that you have policies in place to secure these devices. Policies may include restricting the removal of devices from their designated area of use or installing Mobile Device Management software (MDM) to enforce security policies on devices taken offsite. Cloud computing is the other area of rapid growth. If any of your data is going to be accessible over an internet connection you need to be absolutely certain it is secure. Work with the vendor to ensure security is included in every facet of their system. If there is any doubt, choose a vendor with a proven track record.

5. Common Practices

It might seem strange to include a list of things as obvious as these but, unfortunately, most workplaces still don’t get them right. Remember, many employees will have very average IT skills and it’s human nature to take shortcuts. Getting the basics right goes a long way towards hardening security:

  • Ensure passwords are strong. They should be at least 8–10 characters long and contain a mix of upper and lower case letters, numbers, and symbols (e.g. “!@#$%^&*()_?><”). Never include easily guessable elements like birthdates, and never write them down. Check out ubergizmo.com for suggestions.
  • Ensure passwords are changed regularly. This applies to logins for operating systems and best practice medical software. It also applies to wireless network passwords.
  • Use security logs to monitor suspicious login attempts and network activity.
  • Remove or disable unnecessary accounts that are no longer required, particularly for ex-employees.
  • Prevent unauthorized software installation. Malware and ransomware are now so prevalent that installing unvetted software just isn’t worth the risk.
  • Remove unnecessary software and browser plugins. Three of the most notorious security concerns for admins are Adobe Flash Player, Adobe Acrobat Reader, and Oracle Java.
  • Restrict access to dubious websites. This can be done at a system administration level.
  • Restrict access to social media and chat clients on work machines. Consider allowing staff the freedom during downtime to access these on their own mobile devices.
  • Restrict access to physical ports on work machines. For example, USB flash drives are notorious for infecting machines as well as facilitating data theft. If you have to allow access, enforce mandatory scanning of all media upon insertion.
  • Never use outdated software. Windows XP and Internet Explorer can still be found on work machines even though they haven’t received security updates from Microsoft for years! If your hardware isn’t capable of running the latest software, consider updating that too.
  • Finally, don’t assume that reputation is a guarantee of quality. For years admins blindly installed Norton Antivirus because it was the “security standard” even though there were better alternatives available. Research is critical before any important decision. For example, check out www.av-test.org to see if your security software is up to the task.
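The point about using security logs to monitor suspicious login attempts is easier to act on with a concrete rule. The following is an added example, not code from the original post: it parses constructed OpenSSH-style log lines (the hostnames, usernames and addresses are invented for illustration) and raises an alert when one source address accumulates several failed logins inside a short window, and a second, higher-priority alert when a login from that same address then succeeds.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in OpenSSH/syslog style; not taken from any real system.
SAMPLE_LOG = """\
Aug 19 08:00:01 ehr-app1 sshd[2101]: Failed password for nurse1 from 203.0.113.7 port 51022 ssh2
Aug 19 08:00:03 ehr-app1 sshd[2101]: Failed password for nurse1 from 203.0.113.7 port 51023 ssh2
Aug 19 08:00:05 ehr-app1 sshd[2102]: Failed password for invalid user admin from 203.0.113.7 port 51024 ssh2
Aug 19 08:00:07 ehr-app1 sshd[2103]: Failed password for invalid user root from 203.0.113.7 port 51025 ssh2
Aug 19 08:00:09 ehr-app1 sshd[2104]: Failed password for nurse1 from 203.0.113.7 port 51026 ssh2
Aug 19 08:00:12 ehr-app1 sshd[2105]: Accepted password for nurse1 from 203.0.113.7 port 51027 ssh2
Aug 19 08:15:40 ehr-app1 sshd[2201]: Failed password for drsmith from 198.51.100.20 port 40001 ssh2
Aug 19 08:16:02 ehr-app1 sshd[2202]: Accepted publickey for drsmith from 198.51.100.20 port 40002 ssh2
"""

# Matches the authentication result, the account name and the source address.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)


def parse_line(line, year=2019):
    """Return a dict for an auth event, or None for lines we do not care about.
    Syslog timestamps carry no year, so the caller supplies one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def find_suspicious_logins(log_text, threshold=4, window=timedelta(minutes=5)):
    """Two detection rules over the log:
    1. 'brute_force': `threshold` or more failures from one address within `window`.
    2. 'success_after_failures': a successful login from an address already flagged
       by rule 1, which is the event an analyst should look at first.
    Returns a list of alert tuples in the order they fired."""
    failures = defaultdict(list)  # source ip -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ip = ev["ip"]
        if ev["result"] == "Failed":
            # Sliding window: drop failures older than `window` before counting.
            recent = [t for t in failures[ip] if ev["ts"] - t <= window]
            recent.append(ev["ts"])
            failures[ip] = recent
            if len(recent) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append(("brute_force", ip, len(recent)))
        elif ip in flagged:
            alerts.append(("success_after_failures", ip, ev["user"]))
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_logins(SAMPLE_LOG):
        print(alert)
```

On the sample data the single failure from 198.51.100.20 followed by a key-based login is normal user behaviour and produces nothing, while 203.0.113.7 trips the threshold on its fourth failure and then triggers the second rule when a password login succeeds. In practice the thresholds and window are tuned per environment, and the alerts would be forwarded to whoever holds the security role described in section 6.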

6. Assigning a Specialist

Technology security is so complicated and so important that it has spawned its own industry. Unfortunately, not everyone can afford to hire a permanent consultant, but what they can do is assign someone with excellent technology skills to take responsibility for the practice’s security. And because security is so closely related to privacy, the roles can be combined into one. This person will need to study the government’s compliance documentation to ensure that guidelines are being followed appropriately. They will also need to ensure that current policies remain effective by reading security bulletins and observing industry trends. Within the practice, they’ll be responsible for updating operating systems and software, and ensuring that firmware for medical equipment is patched. Because of their intimacy with practice policies and procedures, they might also be a valuable asset for staff education and training. As they gain experience in their role, they’ll also be able to provide important feedback to management about any potential problems that need addressing. An enterprise security team would be the best fit for this job.

7. Documentation


8. Regular Evaluation & Audit

Curiously, security isn’t an attainable state; it’s an evolving ideal which you can never take for granted or become complacent with. For this reason, regular evaluation of policy and procedure is an essential part of the data governance process. You’ll need to critically assess all of the items on this list to determine what is working well, what needs improvement, and how you might go about doing it. This could be done internally or through external audit, depending on your practice’s size and resources. The good news is that by following a systematic approach, even the smallest healthcare practice will be able to comply with regulations and ensure its sensitive and confidential data is protected.

9. Education & Training

It is often forgotten just how important employees are in a modern practice — they are the interface between you and your patients. A little investment in them will pay big dividends in the long term. Employees with a vested interest in their workplace are more likely to care about security and less likely to quit. And just as medical and IT professionals need on-going training, so too do your support staff. Regular training helps remind them about good security and privacy practices, as well as ensuring they are ready to respond swiftly and appropriately when something goes wrong.

10. Contingency Planning

It’s inevitable that at some point something will go wrong, so every practice needs to develop and document a comprehensive back-up plan. This is part of disaster planning. During your risk assessment phase you’ll need to determine what information you need to back-up and how you will go about doing it. You’ll also need procedures for restoring back-ups following a disaster. Many modern healthcare management systems now include data archival solutions, with updated records stored offsite in the “cloud”. You can get advice about features like this by talking to a support person from your software’s developer.
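A documented restore procedure is only worth something if it is exercised, so the following added example (not code from the original post, and not tied to any particular healthcare management system) shows the smallest useful version of that check: take a backup of a folder, write a SHA-256 manifest beside it, restore into a fresh location, and compare every restored file against the manifest. The sample files are constructed placeholders; the folder names are assumptions.

```python
import hashlib
import json
import shutil
import tempfile
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path):
    """Stream a file through SHA-256 so large archives do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, '/'-separated) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)).replace("\\", "/"): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file() and p.name != MANIFEST_NAME
    }


def make_backup(src, dest):
    """Copy src into dest and store a manifest of the source alongside the copy."""
    dest = Path(dest)
    shutil.copytree(src, dest, dirs_exist_ok=True)
    manifest = build_manifest(src)
    (dest / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest


def verify_restore(backup_dir, restore_dir):
    """Restore backup_dir into restore_dir and check every file against the manifest.
    Returns (ok, sorted list of relative paths that are missing or altered)."""
    backup_dir, restore_dir = Path(backup_dir), Path(restore_dir)
    expected = json.loads((backup_dir / MANIFEST_NAME).read_text())
    shutil.copytree(backup_dir, restore_dir, dirs_exist_ok=True)
    actual = build_manifest(restore_dir)
    bad = sorted(rel for rel, digest in expected.items() if actual.get(rel) != digest)
    return (not bad, bad)


def demo():
    """Round-trip constructed, non-sensitive sample files, then damage one archived
    file and show that the restore test reports it."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "records"
        (src / "2019").mkdir(parents=True)
        (src / "2019" / "visit-0001.txt").write_text("constructed sample record A\n")
        (src / "2019" / "visit-0002.txt").write_text("constructed sample record B\n")
        make_backup(src, tmp / "backup")
        clean_ok, clean_bad = verify_restore(tmp / "backup", tmp / "restore1")
        # Simulate silent corruption of one archived file (bad sector, truncated copy).
        (tmp / "backup" / "2019" / "visit-0002.txt").write_bytes(b"")
        corrupt_ok, corrupt_bad = verify_restore(tmp / "backup", tmp / "restore2")
        return clean_ok, clean_bad, corrupt_ok, corrupt_bad


if __name__ == "__main__":
    print(demo())
```

The manifest is computed from the source before copying, so a backup that was corrupted in transit, on the storage medium, or by a partial restore all fail the same check. Real records would of course be encrypted at rest as section 2 requires; the manifest works identically over ciphertext.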

Prevention:

  • Educating Employees: Helping employees understand the role they play in cybersecurity and the impact it can have on patients’ lives fosters an atmosphere in which security is valued and respected. Regular briefings and communication on the state of the organization’s security reiterate the emphasis the organization is placing on cybersafety. Attending staff training sessions and making cybersecurity a regular topic in meetings could also help drive this message home.
  • Establishing Procedures: Create a plan that outlines specific protocols for dealing with information and networks — both physical and virtual — and make sure they are followed. By explicitly expressing the expectations, the process becomes standardized, allowing more comprehensive oversight for network security monitors. Developing appropriate penalties for failure to follow the procedures not only discourages inattentive behavior that may threaten your ability to stay in compliance with HIPAA but also underscores the value you place on keeping patient information secure.
  • Require Software Updates: Cybercriminals often take advantage of holes in outdated software or other unsecured access points. To combat this, force software updates on machines, utilize two-factor authentication and automatically institute monthly password updates that require characteristics of a “strong” password. You can help your employees out with this by automatically setting company machines to periodically require such changes so that employees only have to come up with a new password or click to allow updates. Once again, this can be incredibly difficult to enforce on staff personal devices, so educating employees on the importance of updates is crucial.
  • Set Strict Personal Device Regulations: Healthcare providers should establish strict protocols regarding the use of mobile devices, as well as the disposal of hardware that has contained sensitive information in the past. Mobile device management (MDM) software allows your IT administrators to secure, control and enforce policies on tablets, smartphones and other devices, ensuring employees don’t break significant policies, and your data stays safe.

Minimise Security Threats:

  • Understand Your Network Map: Utilize technology that provides an overview of the devices and storage on your network. In this way, you can see exactly what information is vulnerable in which ways, and you’ll know when new or unauthorized devices have joined the system. This layout will also help you establish the access and restrictions for each device on the network, cutting down on inappropriate staff conduct.
  • Update Your Software: Be sure all software and operating system information is up to date. These updates include critical patches that discourage potential cybercriminals who jump on previously-found weaknesses in software. If you do not utilize the proper software updates, criminals can still take advantage of the holes left behind by earlier versions.
  • Virtual Private Network Encryption: Encrypting your network connection is a great way to enhance network privacy and block potential hackers. A Virtual Private Network (VPN) encrypts the traffic between your computer and the VPN endpoint so that anyone monitoring the connection sees only ciphertext, not what goes out or comes in on your computer. So even if they are monitoring your connection, they would not receive anything useful unless they already had access to your computer.
  • Conduct Regular Audits: System administrators should conduct regular audits, and there should be two-step authentication in place that requires anybody looking to adjust information or enter new data to verify their identity. All users should be required to create strong passwords and change them after a predetermined number of weeks. Access credentials should also be reviewed regularly to ensure previous or transferred employees do not have access to patient data.
  • Set Strict Access: Rather than thinking solely about what you need to restrict, consider data from this viewpoint: What do certain employees need to access to do their job? This establishes a context in which the minimum amount of information is available, cutting the possibility for staff misuse.
  • Think Like a Hacker: By understanding the basics of how a cybercriminal manipulates a network, you will be in much better position to impede their efforts. While it may be difficult to account for this without a background in healthcare data security measures, this crucial step will highlight any potential gaps in your plan.
  • Use Professional Services: Though there are many ways health organizations can limit potential threats, your area of expertise is utilizing information to help patients, not managing data security measures in healthcare. By assigning network security to a specialized outside agency, you receive professional network safety and support, allowing your staff to focus more directly on medical-related tasks.
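The two points above about reviewing access credentials and granting only what each job needs are usually implemented together. The following added example (not code from the original post) models the idea: a small role-to-permission table stands in for the practice's access matrix, access is denied by default and only allowed when a permission is both part of the role's minimum set and actually granted, and a review routine flags accounts that have left the HR roster, changed roles, or accumulated permissions beyond their role. The roles, permissions and staff names are all constructed for illustration.

```python
from dataclasses import dataclass, field

# Assumed role model: each role maps to the minimum permissions its job needs.
ROLE_PERMISSIONS = {
    "physician": {"read_chart", "write_chart", "order_labs"},
    "nurse": {"read_chart", "write_vitals"},
    "billing": {"read_billing", "write_billing"},
    "it_admin": {"manage_accounts"},
}


@dataclass
class Account:
    username: str
    role: str
    granted: set = field(default_factory=set)
    active: bool = True


def is_allowed(account, permission):
    """Deny by default. Even a permission that was granted is refused if it is
    outside the role's minimum set, so over-provisioning cannot widen access."""
    if not account.active:
        return False
    allowed_for_role = ROLE_PERMISSIONS.get(account.role, set())
    return permission in allowed_for_role and permission in account.granted


def review_accounts(accounts, hr_roster):
    """Periodic credential review. `hr_roster` maps username -> current role.
    Returns (username, finding) tuples for:
      not_on_roster   - account belongs to someone HR no longer lists
      role_mismatch   - the account's role differs from HR's (a transfer)
      excess:<perms>  - permissions beyond the role's minimum set"""
    findings = []
    for acct in accounts:
        if not acct.active:
            continue
        roster_role = hr_roster.get(acct.username)
        if roster_role is None:
            findings.append((acct.username, "not_on_roster"))
        elif roster_role != acct.role:
            findings.append((acct.username, f"role_mismatch:{acct.role}!={roster_role}"))
        excess = acct.granted - ROLE_PERMISSIONS.get(acct.role, set())
        if excess:
            findings.append((acct.username, "excess:" + ",".join(sorted(excess))))
    return findings


def deprovision(account):
    """Disable rather than delete, so the audit trail for the account survives."""
    account.active = False
    account.granted = set()
    return account


# Constructed sample data: an HR roster and the accounts currently on the system.
HR_ROSTER = {"drsmith": "physician", "nurse1": "nurse", "clerk2": "billing"}
ACCOUNTS = [
    Account("drsmith", "physician", {"read_chart", "write_chart", "order_labs"}),
    Account("nurse1", "nurse", {"read_chart", "write_vitals", "write_chart"}),
    Account("clerk2", "nurse", {"read_chart"}),          # transferred to billing
    Account("exstaff", "it_admin", {"manage_accounts"}),  # has left the practice
]


if __name__ == "__main__":
    for finding in review_accounts(ACCOUNTS, HR_ROSTER):
        print(finding)
```

Running the review on the sample data surfaces the three situations the audit point describes: a leaver who still has an active administrative account, a transferred employee whose account still carries the old role, and a nurse account that has quietly gained write access to charts. The `is_allowed` check is what keeps that last case harmless until the review catches it.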



Written by Rohit Ranjan

Security Engineer, Open Source Enthusiast
