IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice
Cybersecurity: How can it be improved in health care?


It has become increasingly clear that cybersecurity is a risk factor in health care data. Data breaches cost the health care industry approximately $5.6 billion every year, according to Becker’s Hospital Review. The Breach Barometer Report: Year in Review additionally found that there was an average of at least one health data breach per day in 2016, attacks that affected more than 27 million patient records.


In a whitepaper entitled The Rampant Growth of Cybercrime in Healthcare, health IT advisor organization Workgroup for Electronic Data Interchange (WEDI) reported that these attacks are becoming increasingly difficult to identify, prevent and mitigate.

“Chronic underinvestment in cybersecurity has left many so exposed that they are unable to even detect cyberattacks when they occur,” the report stressed. “While attackers may compromise an organization within a matter of seconds or minutes, it often takes many more weeks – if not months – before the breach is detected, damage is contained and defensive resources are deployed to prevent the same attack from happening again.”

As organizations seek to protect their patient information from these growing threats, demand for health informatics professionals who are familiar with the current state of cybersecurity in health care is on the rise.

Cybersecurity challenges in health care

The newest cyber vulnerabilities are not necessarily an organization’s biggest cyber threat. Verizon’s 2016 Data Breach Investigations Report found that most breaches are about money and attackers usually take the easiest route to obtain the information they need. Consequently, many common threats continue to be problematic in health care, including:

●  Malware and ransomware: Cyber criminals use malware and ransomware to shut down individual devices, servers or even entire networks. In some cases, a ransom is then demanded in exchange for undoing the encryption.
●  Cloud threats: An increasing amount of protected health information is being stored on the cloud. Without proper encryption, this can be a weak spot for the security of health care organizations.
●  Misleading websites: Clever cyber criminals have created websites with addresses that are similar to reputable sites. Some simply substitute .com for .gov, giving the unwary user the illusion that the websites are the same.
●  Phishing attacks: This strategy sends out mass amounts of emails from seemingly reputable sources to obtain sensitive information from users.
●  Encryption blind spots: While encryption is critical for protecting health data, it can also create blind spots where hackers can hide from the tools meant to detect breaches.
●  Employee error: Employees can leave health care organizations susceptible to attack through weak passwords, unencrypted devices and other failures of compliance.

Another growing threat in health care security is found in medical devices. As pacemakers and other equipment become connected to the internet, they face the same vulnerabilities as other computer systems. To ensure patient safety, the U.S. Food & Drug Administration recommended that both the manufacturer that creates the device and the health care facility that implants it take preventive security measures.

Strategies for improving cybersecurity

Due to the significant financial impact of data breaches in health care, health informatics and other professionals are playing an important role in ensuring that medical organizations remain secure.
According to HealthIT.gov, individual health care organizations can improve their cyber security by implementing the following practices:

1. Establish a security culture: Ongoing cybersecurity training and education emphasize that every member of the organization is responsible for protecting patient data, creating a culture of security.

2. Protect mobile devices: An increasing number of health care providers are using mobile devices at work. Encryption and other protective measures are critical to ensure that any information on these devices is secure.

3. Maintain good computer habits: New employee onboarding should include training on best practices for computer use, including software and operating system maintenance.

4. Use a firewall: Anything connected to the internet should have a firewall.

5. Install and maintain anti-virus software: Simply installing anti-virus software is not enough. Continuous updates are essential for ensuring health care systems receive the best possible protection at any given time.

6. Plan for the unexpected: Files should be backed up regularly for quick and easy data restoration. Organizations should consider storing this backed-up information away from the main system if possible.

7. Control access to protected health information: Access to protected information should be granted to only those who need to view or use the data.

8. Use strong passwords and change them regularly: The Verizon report found that 63 percent of confirmed data breaches involved taking advantage of passwords that were the default, weak or stolen. Health care employees should not only use strong passwords, but ensure they are changed regularly.

9. Limit network access: Any software, applications and other additions to existing systems should not be installed by staff without prior consent from the proper organizational authorities.

10. Control physical access: Data can also be breached when physical devices are stolen. Computers and other electronics that contain protected information should be kept in locked rooms in secure areas.

In addition to these recommendations, health data professionals are continually developing new strategies and best practices to ensure the safety of sensitive health data, protecting both the patient and organization from financial loss and other forms of harm.

Working in health care cybersecurity

To improve cybersecurity in health care, organizations need to hire informatics professionals who can not only collect, manage and leverage data, but protect it as well. If you are interested in contributing to this field through a career in health informatics, consider taking the next step in your health informatics (HI) career by pursuing a master’s in Health Informatics. In UIC’s online program you will complete courses in health care information systems that can help you manage the sensitive patient data at risk from cyberattack.

Technical Dr. Inc.'s insight:

Contact Details :
inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com


President Signs Executive Order for Unity in Cybersecurity


Executive Order to Promote Cyberthreat Info Sharing

Key Takeaway: President Obama, last Friday, signed an executive order to promote more information sharing about cyberthreats – both within the private sector and between the government and private sector.

Why it Matters: This is the latest in a series of steps taken by the Obama administration to focus on cybersecurity, going back to February 2013. When viewed alongside congressional efforts, there appears to be consensus on a number of items – including the need to bolster information sharing organizations and develop information sharing protocols.

Last week, President Obama signed an executive order (EO) promoting private sector cybersecurity information sharing during the first White House summit on Cybersecurity and Consumer Protection at Stanford University.  According to the EO, “The purpose of this order is to encourage the voluntary formation of such organizations, to establish mechanisms to continually improve the capabilities and functions of these organizations, and to better allow these organizations to partner with the Federal Government on a voluntary basis.”

The main provisions of the EO direct the Department of Homeland Security to encourage the development and formation of private-sector or non-profit Information Sharing and Analysis Organizations (ISAOs) and task the National Cybersecurity and Communications Integration Center (NCCIC) with coordinating ISAOs. A second provision of the EO tasks the Secretary of Homeland Security with entering into an agreement with a nongovernmental organization to serve as the ISAO Standards Organization, which “shall identify a common set of voluntary standards or guidelines for the creation and functioning of ISAOs under this order.” The Standards Organization is tasked to develop:

  • Standards to further robust information sharing related to cybersecurity risks and incidents with ISAOs and among ISAOs and to foster development and adoption of automated mechanisms for information sharing;
  • Baseline standards that ISAOs should possess and be able to demonstrate;
  • The standards will also touch on contractual agreements, business processes, operating procedures, technical means, and privacy protections, such as minimization, for ISAO operation and ISAO member participation.



Ransomware: How we can climb out of this mess


Computer malware seriously disrupted the continuity of clinical operations when WannaCry struck. The Department of Homeland Security began issuing warnings of ransomware vulnerabilities affecting dozens of medical products ranging from radiation oncology and mobile x-rays to ultrasound and anesthesia. Saved by a curious 22-year-old who spent $11 to register a domain name that accidentally disabled the spread of the buggy malware (not a joke), the world can rest briefly until the next attack — which could happen again without warning.

Ransomware itself is not the cause of our problems. Ransomware is symptomatic of design flaws baked into the fabric of our healthcare infrastructure. The root cause is a fragile infrastructure filled with legacy medical device software.

When we know about a disease, do we read about it and hope never to get it? No, we vaccinate, avoid risky areas, wash our hands, and seek immediate help after coming in contact with a carrier. In short, we plan ahead for risk management.

So, what's an effective strategy to mitigate the medical device security risks that can disrupt clinical operations?

Simply deploying new technology is not the answer. Replacing old unmaintainable computers with new unmaintainable computers is not the answer either. An effective approach must address five core parts of the healthcare delivery supply chain: manufacturing, procurement, regulation, training and governance.

First, medical device manufacturers must design medical devices to remain safe and effective despite cybersecurity risks. The U.S. Food and Drug Administration already recognizes community standards and best practices such as the AAMI TIR57 for building security into the design of medical devices. Microsoft warned manufacturers from day one of the scheduled obsolescence of Windows XP. The operating system “end of road” hazard signs were unambiguous and forewarned years before reaching the cliff. While manufacturers may have sold the unmaintainable products, hospitals made the mistake of buying them. Hospitals accumulate legacy devices for decades without a financial model to sunset unsecurable products.

With procurement practices such as the cybersecurity “vendor book” from the Mayo Clinic, hospitals should factor meaningful cybersecurity into purchasing decisions. Medical devices should come with a bill of software materials to enable risk-based purchasing decisions. Hospitals need to buy and maintain better equipment with better service contracts — and they need to keep track of their inventory down to the port numbers, ethernet MAC addresses, and software versions so they can better manage risk. Manufacturers should give providers a database that maps medical device serial numbers to MAC addresses to make network-based inventory tracking feasible.
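The inventory reconciliation the paragraph above calls for, as an added example that is not part of the original article: a manufacturer-supplied serial-to-MAC map and a per-device bill of software materials are joined against DHCP leases observed on the hospital network, so that devices running an end-of-support operating system (the article names Windows XP) can be listed by whether they are online, and MAC addresses that belong to no known device are surfaced for follow-up. All device data, lease lines and the lease-line format are constructed for the example; the set of unsupported operating systems is an assumption a hospital would maintain itself.

```python
"""Network-based medical device inventory reconciliation (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# --- Constructed inputs; none of these are real devices -------------------

# Manufacturer-supplied mapping of device serial number -> Ethernet MAC address.
MANUFACTURER_MAP = {
    "US-1001": "00:1A:2B:00:00:01",  # ultrasound cart
    "US-1002": "00:1A:2B:00:00:02",  # ultrasound cart
    "XR-2001": "00:1A:2B:00:00:03",  # mobile x-ray unit
    "AN-3001": "00:1A:2B:00:00:04",  # anesthesia workstation, not seen on the network today
}

# Bill of software materials per serial: model, operating system, application version.
DEVICE_SBOM = {
    "US-1001": {"model": "UltraScan 3", "os": "Windows XP", "app": "3.2.1"},
    "US-1002": {"model": "UltraScan 4", "os": "Windows 10", "app": "4.0.0"},
    "XR-2001": {"model": "MobiRay", "os": "Windows XP Embedded", "app": "1.9.7"},
    "AN-3001": {"model": "AnesthTrak", "os": "Windows XP", "app": "2.1.0"},
}

# DHCP lease export in a hypothetical "<ip> <mac> <hostname>" format.
DHCP_LEASES = """\
10.20.0.11 00:1a:2b:00:00:01 us-cart-1
10.20.0.12 00:1a:2b:00:00:02 us-cart-2
10.20.0.13 00:1a:2b:00:00:03 xray-mobile
10.20.0.99 00:1a:2b:ff:ff:ff unknown-host
"""

# Operating systems the hospital treats as unmaintainable (assumed list;
# the article itself only names Windows XP as past end of support).
UNSUPPORTED_OS = {"windows xp", "windows xp embedded"}


@dataclass
class InventoryRecord:
    serial: str
    mac: str
    model: str
    os: str
    app_version: str
    ip: Optional[str]      # None when the device was not seen in the leases
    unsupported_os: bool


def normalize_mac(mac: str) -> str:
    """Lower-case, colon-separated form so vendor and DHCP data compare equal."""
    return mac.strip().lower().replace("-", ":")


def parse_dhcp_leases(text: str) -> Dict[str, str]:
    """Return mac -> ip for each lease line; blank or malformed lines are skipped."""
    leases: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        leases[normalize_mac(parts[1])] = parts[0]
    return leases


def build_inventory(manufacturer_map: Dict[str, str],
                    sbom: Dict[str, Dict[str, str]],
                    leases: Dict[str, str]) -> List[InventoryRecord]:
    """Join the vendor serial->MAC map with the SBOM and the observed leases."""
    records = []
    for serial, raw_mac in manufacturer_map.items():
        mac = normalize_mac(raw_mac)
        bom = sbom.get(serial, {})
        os_name = bom.get("os", "unknown")
        records.append(InventoryRecord(
            serial=serial, mac=mac,
            model=bom.get("model", "unknown"),
            os=os_name,
            app_version=bom.get("app", "unknown"),
            ip=leases.get(mac),
            unsupported_os=os_name.lower() in UNSUPPORTED_OS,
        ))
    return records


def unknown_macs(manufacturer_map: Dict[str, str], leases: Dict[str, str]) -> List[str]:
    """MACs with a lease that match no serial in the manufacturer map."""
    known = {normalize_mac(m) for m in manufacturer_map.values()}
    return sorted(mac for mac in leases if mac not in known)


def risk_report(records: List[InventoryRecord], unknown: List[str]) -> Dict[str, List[str]]:
    """Group what a biomedical/IT owner needs to act on first."""
    return {
        "unsupported_online": [r.serial for r in records if r.unsupported_os and r.ip],
        "unsupported_offline": [r.serial for r in records if r.unsupported_os and not r.ip],
        "unknown_on_network": unknown,
    }


if __name__ == "__main__":
    seen = parse_dhcp_leases(DHCP_LEASES)
    inventory = build_inventory(MANUFACTURER_MAP, DEVICE_SBOM, seen)
    for key, serials in risk_report(inventory, unknown_macs(MANUFACTURER_MAP, seen)).items():
        print(f"{key}: {serials}")
```

Two design points: MAC addresses are normalized before comparison because vendor spreadsheets and DHCP servers rarely agree on case or separator, and a lease with no matching serial is reported rather than ignored, since an unknown host on a clinical VLAN is exactly the gap the article says hospitals cannot see today.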

Governments should consider construction of a test hospital for national cyber crashworthiness trials of healthcare infrastructure. The automotive manufacturing community performs crashworthiness testing so consumers can know the risk. Although patients prescribed a medical device are far safer with the device than without, patients and hospitals deserve to know what risks they are accepting when receiving or purchasing a medical device.

Regulators must take into account the geographic problem that malware does not respect international boundaries. The same core cybersecurity problems exist everywhere, and healthcare IT cultures in different countries suffer from surprisingly similar computing problems. Medical device regulators such as FDA, MHRA in the UK, and CFDA in China need informed authority and legislative remit to ensure that medical devices remain safe and effective despite cybersecurity threats.

Who is liable for problems? Who feels any economic incentive to fix things? Unfortunately, not the entities with the most capability to address the causes, as the recent ransomware fiasco illustrates. Governments could mandate a phasing out of unsecurable devices and operating systems with penalties assessed by the HHS Office for Civil Rights, for the case of the U.S.

Fighting international criminals with considerable economic incentive will remain a continually losing battle without a coherent and fair regulatory strategy. For instance, the Criminal Justice Act in the UK assumes that information technology makes no security mistakes. Such poorly designed laws open the door to misguided prosecution of well-intentioned doctors and nurses for shortcomings in the medical systems and devices themselves. Legislation ought to incentivize cybersecurity and safety for manufacturing medical devices rather than penalize innocent healthcare delivery professionals and patients who make fair and reasonable attempts to report problems to manufacturers or regulators.

Workforce shortfalls remain a great barrier to cybersecurity. Few of our computer science students choose to work in healthcare. We need to focus attention on the great opportunity for computer science students to help improve healthcare. Double major in biomedical engineering! Manufacturers and governments should offer prestigious graduate fellowships to attract the best students to the field so that manufacturers, hospitals, and regulators can fill their open cybersecurity positions.

Finally, hospitals need an effective governance structure for controlling software safety risks in medical devices. A hospital should designate a top-level executive with the authority, responsibility, accountability, and budget for cybersecurity in the pursuit of healthcare safety that covers both the biomedical engineering and IT departments.

No medical device is perfectly secure, but a hospital should gracefully recover from cyberattacks rather than suffer system-wide outages for days. Patients should never be forced to doubt the availability and integrity of healthcare delivery. Security is a means to an end, and that end goal is safe and effective delivery of healthcare.

The recent global outbreak of ransomware is just the symptom du jour, and it’s time to act on recommendations to improve cybersecurity in manufacturing, procurement, regulation, training, and governance. Until cybersecurity becomes as second nature as hand washing, we should expect the cybersecurity problems to increase in frequency and consequence.

If there’s any silver lining, perhaps manufacturers, healthcare delivery organizations, and governments will begin to think more strategically rather than reactively to improving healthcare cybersecurity.

