IT Support and Hardware for Clinics
News, Information and Updates on Hardware and IT Tools to help improve your Medical practice

9 Healthcare Cyber Security Tips to Help Protect Your Data

As a forward-thinking individual who wants the most for your medical practice, you already have recognized the importance of using cloud-based healthcare software. The cloud uses multiple redundant facilities to store data to keep it safe in the event of a catastrophic breakdown in any one server center. Its information technology staff is focused on keeping the data safe and secure as well, and is devoted to making sure your patients’ records are available 24/7/365, even when cyber attacks plague institutions that are connected to the Internet.

Anyone who has been paying just cursory attention to the news will undoubtedly be aware that healthcare organizations are becoming a huge target for criminal computer hackers. You also know about the potential negative effects that a data breach will have on a practice, including loss of time and money and eroding the trust patients have placed in your organization.

Hospitals, doctor offices, and clinics have been exposed to cyber security threats that can cause grave repercussions. A common method of attack is to install ransomware. Once a medical organization’s system has been compromised, often because an employee clicked a link in a sketchy email, all the patient files are held hostage until ransom is paid. Computer viruses can arrive via email, text messages, and websites that are set up just for the purpose of attacking naive and unsophisticated end users.

So while the IT department of your cloud services provider will be handling security on their end, you still have to contend with potential security issues in your own office and make sure that your staff knows what to do to protect patient information.

With that in mind, here are 9 tips that will help improve healthcare cyber security in your organization and reduce the chance of attacks.

1. Ensure Staff is Properly Trained on Healthcare Cyber Security Protocols

In most situations, the weakest cyber security link in your medical practice will be the user. Ensuring that your staff knows all proper measures to take (and enforcing these measures) makes the organization as a whole more secure.

You may need to bring in a consultant who can first address the knowledge level of your team and then provide some training to get everyone caught up on the latest security protocols.

2. Don’t Put Off Software Updates

You are busy, and you do not like the idea of taking your computer system offline to conduct basic software updates. However, neglecting to get the latest version of your now outdated software leaves your devices much more vulnerable to attack. Any security patches that come with the update will be unavailable to you.

Criminal hackers take advantage of people’s complacency and can sneak into antiquated systems more easily than systems that have the latest protection.

3. Control Access to Protected Patient Data

You’ve undoubtedly seen news accounts of patients whose private information was stolen by hackers. These sensitive details are protected by the Health Insurance Portability and Accountability Act (HIPAA). If you fail to keep this data secure, the results can be disastrous. Criminal hackers use confidential patient details to commit identity theft, take funds from bank accounts, and otherwise cause a great deal of havoc.

Have your security team carefully control access to patient records, only allowing authorized individuals to access the details. You can audit the system to verify who accessed what and when. It’s important to remove access from employees who have been terminated, to keep them from getting into the system and causing problems in their bid for revenge. Healthcare software like electronic health record applications makes information access much easier to control.

4. Don’t Use the Same Password for Everything

Using easily guessed passwords or the same password for all platforms significantly increases vulnerabilities. Human nature will motivate your employees to use just one simple password to access their information, but this is a big mistake.

It can be tempting to set up one password to check your email, access your bank and favorite online store, and view patient records, but convenience and ease of logging in have no place in a modern office’s computer systems when they come at the expense of patient security requirements.

All a criminal needs to do is discover one working password, and then apply it to all the other accounts that the victim uses. The convenience of one password leads to a catastrophic theft of data. Criminals can cause even more mischief if they get into the system and actually change information in patient files.

An easy solution is to require employees to generate new passwords on a periodic basis. That way, even if a criminal does manage to grab one particular login credential, access will be cut off at the next scheduled change.

5. Store Passwords in a Secure Place

Instruct your team to never include passwords in a shared document or email. They should use a proven password storing system instead. Keep in mind that one common reason people have for skirting password security protocols has to do with their limited memory.

Instead of writing a password on a sticky note and hiding it in a desk drawer, it will be more effective if each user devises a password based on a phrase. For example, a member of your team could use a phrase such as “Every morning I check email while the coffee brews” and use the first letter of each word to make the password “emIcewtcb” with one uppercase letter. Including numbers and other characters helps make the password even more secure.

6. Perform Risk Assessments on a Regular Basis

Not knowing where your vulnerabilities are makes it much harder to protect yourself against attack. You won’t have a clear understanding of your organization’s security issues if you fail to conduct risk assessments on a regular basis.

Complacency is your enemy here. Your own IT team can perform the risk assessment, or you can work with more objective individuals by hiring an outside firm to take care of this task. 

7. Maintain a Layered Defense System

Have layered security protocols in place, so even if an attacker breaks through one layer, they still won’t be able to access the protected data, and your practice might be able to identify the attack before it’s too late. Just as you have multiple locking doors to protect your property, building and equipment, you should have many layers of defense against electronic intrusions. That way, even if a weakness appears in one aspect of your defense system, there will be redundant coverage.

So, in addition to using strong passwords and forcing workers to change them periodically, you can use physical security in the form of locked doors, security guards, and surveillance equipment. Antivirus software, a robust firewall, and whitelisting of approved applications all contribute to the overall security of your institution.

8. Have a Plan to Prevent (and Recover From) Data Breaches

In the unfortunate event of an attack, your practice needs to know what the next steps are. Having a plan in place will help you move forward after an attack. For example, your IT team should regularly review your healthcare cyber security protection to ensure you are always following the latest protocols.

This also means avoiding the practice of automatically allowing software updates before checking out any possible repercussions. And when you do assess an update, it’s best to try it out on a quarantined test computer to ensure a patch or update won’t negatively affect all the computers in your system.

To be ready for the aftermath of a successful intrusion, key members of your team should develop a plan for getting the system back up and running, confident that the cloud-based backup of your data will be clean and safe to use.

9. Install Better Software

Stress the importance of using software from a company that prioritizes cyber security in their software. They will update the software swiftly whenever a new threat has been identified. The surrounding applications used in your office must also be shored up.

High up on your to-do list, according to a report from Healthcare IT News, is to invest in a next-generation firewall to protect all data and your systems, and deploy the latest in anti-malware detection. Robust encryption is called for, and you might need to outsource some of your security information management.

Key Takeaway:

The fact that your healthcare organization has deployed a cloud-based solution for your medical software indicates that you already pay attention to emerging technology issues. Now it is time to take the necessary steps to shore up the sensitive information that you generate, store, and update for all of your patients.

  • Healthcare cyber security is one of the key issues that you and your staff must take great pains to address in order to stay in business.
  • News reports are filled with examples of criminal hackers that take over the computer systems of medical care providers, often locking information and demanding ransom to unlock the data.
  • Because you maintain patient data in the cloud, it’s essential that your organization follow industry best practices for cyber security.
  • Ongoing training of each of your staff members will help strengthen your cyber defenses.
  • Work with a healthcare software provider that has a demonstrated ability and commitment to updating its application on a regular basis.
  • Plan ahead about how your organization will react in the unfortunate event that your information does wind up getting breached.
Technical Dr. Inc.'s insight:
Contact Details:

inquiry@technicaldr.com or 877-910-0004
www.technicaldr.com

Cybersecurity experts warn of ‘digital D-Day’ in healthcare 

After two global ransomware attacks highlighted the potential dangers of network disruptions in the healthcare environment, cybersecurity experts are warning that subsequent attacks could have a much more devastating impact on patient safety.

There is particular concern over the vulnerabilities of medical devices, nearly all of which are connected to the network in some way, where the potential for patient harm is enormous. Malware could weave its way through infusion pumps and disrupt medication dosages, or cyberterrorists could coordinate a physical attack with a shutdown of hospital EHRs across a city.

“We’re going to have our digital D-Day, our cyber D-Day, if you will, in medical, and there’s going to be patients that die,” Christian Dameff, M.D., an emergency room physician and clinical informatics fellow at the University of California San Diego Health, told McClatchy. “It’s going to be a big deal.”

Beyond the inherent risks in medical devices, widespread EHR disruptions mean patients will be diverted from emergency rooms and clinicians would be left to treat patients without critical patient information at their fingertips. After the UK’s hospital system was hit by the WannaCry attack in May, emergency physicians said the impact was “undeniably dramatic” and argued that digital security “simply hasn’t been an NHS priority.”

The same industry concerns exist in the U.S., according to a recent report by the Department of Health and Human Services Cybersecurity Task Force which called for a “unified effort” among public and private entities to address some of the industry’s most pressing concerns regarding staffing shortages and medical device insecurity.

“Some of these attacks are like ringing the dinner bell for adversaries,” Beau Woods, deputy director of the Cyber Statecraft Initiative at the Atlantic Council, told McClatchy. “Once they know they can and it’s that easy, at that point it becomes a race.”

Ransomware and electronic records access, healthcare's biggest threats

Of the varied threats facing healthcare provider organizations today, both external and internal, what rises to the top? Some cybersecurity experts have solid opinions on that.

When it comes to external threats, ransomware is the most urgent, said Mike Fumai, COO at AppGuard, a cybersecurity software company.

“The longer term and newer threat with ransomware is medical devices,” he said. “Already hackable, but no real economic model yet for adversaries to focus on. That can change quickly. For example, they can simply extend the ransomware model by denying medical device use until a ransom is paid. The complexity of the medical device supply chain, however, poses even more exotic ransom possibilities.”

If a provider organization cannot treat patients because it doesn’t have access to medical equipment, records, billing processes, scheduling or vital third-party services, the impact is immediate, pervasive, urgent and even life-threatening – far worse than HIPAA fines and other typical data breach consequences.

“Healthcare providers are not prepared for ransomware attacks,” Fumai said.

So what should healthcare providers do to better prepare? One tactic is to implement system backups and conduct realistic exercises to be sure they work.

“Continuously conduct realistic, simulated attacks on your employees and track them individually, and on your organization two to four times per year to seek and fix human weaknesses,” Fumai said. “Form at least one peer group within 30 days with signed letters of intent to learn how to better fight ransomware and to field-test and hype-test cyber products and services before deploying them.”

When it comes to internal threats, access to patient records rises to the top, said George Brostoff, co-founder and CEO of SensibleVision, a cybersecurity technology company.

“Twenty-seven hospital employees in New Jersey were suspended after they improperly looked at the files of actor George Clooney, who was being treated after a motorcycle accident,” Brostoff said. “All of them had access to the files from inside the system. External hacks get all the press, but the real security issues that affect hospitals every day come from inside the building.”

When very private information is leaked, it is very embarrassing and damaging to a healthcare organization’s image and destroys the trust it has built with its patients. The specific data in patient records allows the source of the leaked information to be tied to the organization at fault.

“Most important, these leaks violate federal HIPAA rules and other regulations, which can put accreditation at risk and also open up the risk of lawsuits,” Brostoff said.

To combat problems associated with internal access to patient records, the first step is getting rid of passwords to protect any data, Brostoff said.

“They just don’t work, and everyone acknowledges that – even the guy who came up with the ‘Change your password every month’ approach to security,” he said. “Following industry best practices such as secure authentication, encryption and proper access policies is the only way to protect data.”
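The access auditing in tip 3 above and the insider snooping this article describes both come down to reviewing who opened which record and whether they had a treatment reason to. The following is an added example, not code from the page or from any vendor quoted here: it runs that review over constructed audit lines, with a constructed care-team roster and a constructed list of offboarded accounts, and flags terminated accounts still in use, access from outside a patient's care team, and records drawing many such views (the pattern in the Clooney case).

```python
"""Flag suspicious access in an EHR audit log: terminated accounts still in
use, and staff opening records of patients they do not treat.

Added example, not from the page. The log format (timestamp,user,role,
patient_id,action), the care-team roster and all sample lines are constructed.
"""
from collections import defaultdict
from datetime import datetime

# Constructed audit lines: one patient record (P1001) is opened by several
# staff outside the care team, and a terminated account (former_f) is active.
AUDIT_LOG = """\
2017-07-10T08:02:11,nurse_a,nurse,P1001,view
2017-07-10T08:05:43,dr_b,physician,P1001,view
2017-07-10T08:07:02,clerk_c,billing,P1001,view
2017-07-10T08:07:30,clerk_d,billing,P1001,view
2017-07-10T08:09:15,nurse_e,nurse,P1001,view
2017-07-10T09:15:00,nurse_a,nurse,P2002,view
2017-07-10T10:41:09,former_f,nurse,P2002,view
"""
# Constructed care-team roster: the users with a treatment reason to open
# each patient's record. Everyone else is "outside the care team".
CARE_TEAM = {"P1001": {"nurse_a", "dr_b"}, "P2002": {"nurse_a"}}
# Constructed list of accounts that offboarding should already have disabled.
TERMINATED = {"former_f"}

def parse_line(line):
    """Split one CSV audit line into a dict with a parsed timestamp."""
    ts, user, role, patient, action = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "patient": patient, "action": action}

def analyze(log_text, care_team, terminated, snoop_threshold=3):
    """Return three kinds of findings:
    terminated        - (user, patient, timestamp) for disabled-but-active accounts
    outside_care_team - (user, patient) for access without a care relationship
    snooping          - patient -> sorted users when at least snoop_threshold
                        distinct outsiders opened the same record (VIP pattern)
    """
    findings = {"terminated": [], "outside_care_team": [], "snooping": {}}
    outsiders = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        if e["user"] in terminated:
            findings["terminated"].append((e["user"], e["patient"], e["ts"].isoformat()))
        if e["user"] not in care_team.get(e["patient"], set()):
            findings["outside_care_team"].append((e["user"], e["patient"]))
            outsiders[e["patient"]].add(e["user"])
    for patient, users in outsiders.items():
        if len(users) >= snoop_threshold:
            findings["snooping"][patient] = sorted(users)
    return findings

if __name__ == "__main__":
    for kind, items in analyze(AUDIT_LOG, CARE_TEAM, TERMINATED).items():
        print(kind, items)
```

In a real deployment the roster would come from the EHR's encounter or scheduling data rather than a hand-written dict, and the terminated list from the HR system, which is exactly the offboarding link tip 3 asks you to keep tight.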

How to stop ransomware: It's really not that complicated

Ransomware. The word itself is scary enough, let alone the glimpse of just how damaging such attacks could be that the world saw in WannaCry and NotPetya during May and June. But cybersecurity experts counter that ransomware shouldn’t actually be so overwhelming to information security professionals -- if they adhere to simple best practices. 

For starters, backup files are crucial and those should be both encrypted and kept offline -- separate from the main network, according to Engin Kirda, professor of electrical and computer engineering and computer and information science at Northeastern University.

Lee Kim, HIMSS’ director of privacy and security, said the real problem is that hospitals are often stuck running outdated, legacy systems. And even keeping pace with software patches is not always completely effective. Both NotPetya and WannaCry, for instance, leveraged vulnerabilities in these legacy systems.

In fact, Kim explained that when hospital systems must run these outdated systems, including those on which medical devices are built, it’s necessary to make sure the ports of entry are closed off as much as possible.

“If an organization needs to run these systems, shelter the technology from the outside world and segment it from the network,” Lee said. “It’s always best practice to segment the network and not make it possible for one hacker to get in and pivot around your system.”

Once patching, segmentation and software needs are addressed, Kim said, hospitals can increase their defenses with pen testing, which actively scans the system or network for exploitable vulnerabilities.

“I can’t think of a better way to be prepared,” said Kim. “[Pen testing] should be done not just once in a blue moon, it needs to be done regularly.”

Hospitals should authorize the testing with a vendor or security employee with experience to ensure there are no disruptions due to high traffic. 

Risk assessments can also help reveal weaknesses and build defenses. 

“We want to make things more difficult for the attackers and reduce the volume of attacks,” she said.

Not surprisingly, the crux of the ransomware issue boils down to the biggest weakness to all networks: the user.

It’s a simple technique: hackers craft emails and trick users into action, Kirda said. “It’s just that some users don’t understand ransomware, and they end up doing things that allow a successful attack.”

So phishing training is critical, explained Kim. “It’s the adage of you’re only as strong as your weakest link. You can’t ignore teaching employees what to do and what not to do.”

Fortunately, there’s a lot that can be done with the human element. Naturally, employees should be trained to be cautious about opening attachments. “For an attack to be successful,” Kim said, “they just need a door or one hole to squeeze through.”

Some organizations are also labeling email as external, which helps employees judge the validity of a message that claims to come from a colleague inside the company. IT can append the label, in red, to the bottom of every message: mail sent from outside passes through a designated filter that marks it and notifies the user that it came from an outside party.
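One way to implement the external-mail label described above, as an added example that is not the article's or any vendor's code: it decides internal versus external from the sender's domain (assumed here to be clinic.example, a constructed placeholder), tags the subject and appends a warning to the text body, and separately flags a common spoof, an outside address whose display name borrows the internal domain name.

```python
"""Label inbound email that comes from outside the organization, as the
article describes. Added example, not from the article: the internal domain,
the warning text and both sample messages are constructed placeholders.
"""
import email
from email import policy
from email.utils import parseaddr

INTERNAL_DOMAINS = {"clinic.example"}  # constructed; exact match, no subdomains
EXTERNAL_TAG = "[EXTERNAL] "
WARNING = "*** EXTERNAL: this email came from outside the organization ***"

def sender_domain(msg):
    """Domain of the sender, preferring the envelope sender (Return-Path),
    which the receiving mail server recorded, over the user-visible From."""
    _, addr = parseaddr(msg.get("Return-Path") or msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def is_external(msg):
    return sender_domain(msg) not in INTERNAL_DOMAINS

def display_name_borrows_internal(msg):
    """External sender whose display name contains an internal domain name:
    a cheap way to look like a member within the company."""
    name, _ = parseaddr(msg.get("From", ""))
    return is_external(msg) and any(d in name.lower() for d in INTERNAL_DOMAINS)

def tag_message(raw):
    """Parse one RFC 5322 message, tag it if external, return what staff see."""
    msg = email.message_from_string(raw, policy=policy.default)
    external = is_external(msg)
    if external:
        subject = str(msg["Subject"] or "")
        del msg["Subject"]
        msg["Subject"] = EXTERNAL_TAG + subject
        part = msg.get_body(preferencelist=("plain",))  # text part to annotate
        if part is not None:
            text = part.get_content().rstrip("\n")
            part.set_content(text + "\n\n" + WARNING + "\n")
    part = msg.get_body(preferencelist=("plain",))
    return {"external": external,
            "spoof_suspect": display_name_borrows_internal(msg),
            "subject": str(msg["Subject"] or ""),
            "body": part.get_content() if part is not None else ""}

# Constructed sample messages (not real traffic).
INTERNAL_MSG = ('From: "Dr. Bea Example" <dr.b@clinic.example>\n'
                "To: nurse.a@clinic.example\nSubject: Lab results\n\n"
                "Results are in the chart.\n")
EXTERNAL_MSG = ('From: "IT Helpdesk clinic.example" <helpdesk@mail-clinic.example.net>\n'
                "Return-Path: <bounce@mail-clinic.example.net>\n"
                "To: nurse.a@clinic.example\nSubject: Password expiring\n\n"
                "Please verify your account today.\n")

if __name__ == "__main__":
    print(tag_message(INTERNAL_MSG))
    print(tag_message(EXTERNAL_MSG))
```

A mail gateway would apply this at delivery time; the spoof check only covers the display-name trick, so SPF/DKIM results from the gateway should still decide whether an apparently internal From is genuine.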

Anti-phishing, user education and clearly marking emails as external or internal are basic blocking and tackling that can go a long way to thwarting attacks. Kim also recommended seeking outside help when you need it.

“Study up or hire someone experienced in cybersecurity,” Kim said. There are plenty of ethical hacking pointers available online, and “yet there are so many health organizations vulnerable to attacks. It’s really a twilight zone experience.” 

Ultimately, the issue lies with infosec professionals explaining why cybersecurity needs to be at the forefront of budget discussions and planning -- because it’s a safe bet that the attacks will keep on coming due to profitability. 

“Healthcare is low-hanging fruit,” Kim said. “That’s the unfortunate reality: the dragon is at the door.” 
