The role of technology in healthcare and patient access to healthcare data will continue to increase in prevalence in 2020. The rise in ransomware attacks, HIPAA enforcement, and the latest PCI standards for credit/debit card handling make it more crucial than ever to protect sensitive financial and health data. Forward-thinking healthcare organizations will do well to prioritize creating and executing a healthcare IT security strategy to protect their organization and their patients in the year ahead. We spoke with several healthcare data security experts we trust to get their top data security tips for healthcare organizations.
The Data Security Experts
Kevin Goodman, Managing Director at BlueBridge Networks: We selected BlueBridge to host our PCG and Data Conversion servers and associated security infrastructure due to their extensive experience and reputation with hospitals and healthcare entities.
Jeff Keiser, President at Keiser Computers: Keiser Computer’s Drs Enterprise is a key integrator of practice management systems with 22 years of experience providing security guidance to a variety of healthcare clients.
Gary Pritts, Founder and President at Eagle Consulting Partners: Eagle Consulting Partners is a HiTrust CSF certified consulting firm that has helped healthcare organizations achieve better quality, revenue, and care through consulting, compliance, IT, and management-related expertise.
Leonard Hamer, CEO at Physician Select Management: Physician Select Management is a HiTrust CSF certified eClinicalWorks SaaS implementation company and records hosting company with more than 20 years of experience.
All four experts agree that auditing your current security measures, implementing multi-layer defenses against data breaches, training your staff on the importance of protecting PHI (Protected Health Information), and avoiding ransomware attacks are top security priorities for the year ahead.
The foundation of success in achieving your security resolutions will be developing a strong partnership with an IT vendor who understands what’s at stake and specializes in healthcare clients. What follows are some of the experts’ specific suggestions:
Audit your HIPAA Compliance
A thorough risk assessment is one of the best investments you can make to protect your healthcare organization. A broad assessment examines the gaps and controls in your security coverage. Although HIPAA regulations have been in place since 1996, their scope has continually evolved, and the regulations are becoming increasingly enforceable. A study by HIPAAJournal.com found that 2018 was a record year for HIPAA enforcement and that the trend continued in 2019. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) ramped up enforcement related to patient access rights, egregious cases of non-compliance, and organizations with a culture of noncompliance (e.g., healthcare providers that don’t conduct comprehensive risk analyses, organizations with poor risk management practices, and those lacking HIPAA policies and procedures).
What will the coming year bring? In 2020, the OCR will focus on ensuring healthcare organizations have “reasonably appropriate” protections in place to secure patient PHI and to prevent a healthcare data breach. Primary areas of concern in 2020 include patient access to medical information, cyber security, business associate agreements, and risk analysis.
Key areas to focus on improving include:
- Having your IT vendor ensure that all devices with PHI have multi-factor authentication, IDS/IPS auditing and logging, and anti-virus protection
- Restricting non-critical access to PHI and implementing role-based access for your staff members
- Implementing physical security measures such as cameras, alarms, and locks with unique access for each employee
- Documenting written security policies and procedures to review periodically with both new and existing staff
- Completing regular training and self-audits in which you analyze your privacy and security practices
- Vetting your vendors and completing Business Associate Agreements to ensure there are no security gaps in their practices before you share PHI with them
- Maintaining regular data backups on a third-party server
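The role-based access item above is the one on this list that maps directly to code. The following is an added illustration, not code from the article or from any of the vendors it names: a deny-by-default permission table keyed by job role, an enforcement function, and an audit trail that records every decision so denied attempts can be reviewed during a self-audit. The roles, resource types and user names are constructed examples; a real deployment would map them onto the EHR's own permission model.

```python
"""Role-based access control for PHI with deny-by-default and an audit trail.

Added illustration (not from the article or any vendor named in it). Roles,
resources, actions and user names are constructed examples.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Role -> set of (resource, action) permissions. Anything not listed is denied,
# so a role only ever sees the PHI its job actually requires.
ROLE_PERMISSIONS = {
    "clinician": {("clinical_record", "read"), ("clinical_record", "write"),
                  ("demographics", "read")},
    "billing": {("billing_record", "read"), ("billing_record", "write"),
                ("demographics", "read")},
    "front_desk": {("demographics", "read"), ("demographics", "write"),
                   ("appointments", "read"), ("appointments", "write")},
    "it_support": set(),  # system access is handled elsewhere; no PHI by default
}


@dataclass
class AccessLog:
    """In-memory stand-in for the tamper-evident log a real system would keep."""
    entries: list = field(default_factory=list)

    def record(self, user, role, resource, action, allowed):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "resource": resource,
            "action": action, "allowed": allowed,
        })


def is_allowed(role, resource, action):
    """Deny by default: unknown roles, resources or actions all return False."""
    return (resource, action) in ROLE_PERMISSIONS.get(role, set())


def access_phi(user, role, resource, action, log):
    """Enforce the policy and log every decision, denials included."""
    allowed = is_allowed(role, resource, action)
    log.record(user, role, resource, action, allowed)
    if not allowed:
        raise PermissionError(f"{user} ({role}) may not {action} {resource}")
    return True


def denied_attempts(log):
    """Denied attempts are the events worth reviewing in a periodic self-audit."""
    return [e for e in log.entries if not e["allowed"]]


if __name__ == "__main__":
    log = AccessLog()
    access_phi("dr.smith", "clinician", "clinical_record", "read", log)
    try:
        access_phi("j.doe", "front_desk", "clinical_record", "read", log)
    except PermissionError as exc:
        print("denied:", exc)
    print(len(denied_attempts(log)), "denied attempt(s) to review")
```

The design choice worth noting is that denial is the default and is logged just like success: the audit and self-audit items on the list depend on being able to see who tried to reach PHI outside their role, not only who succeeded.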
Implement Multi-Layer Defense to Stay HIPAA and PCI Compliant and Prevent Ransomware Attacks
All security experts we spoke with were concerned by the rampant ransomware attacks affecting healthcare organizations. In 2019, the U.S. was hit by an unprecedented barrage of ransomware attacks, with healthcare being one of the hardest-hit industries. At least 764 healthcare practices (large and small) were hit by a ransomware attack that kept them from accessing critical patient records and encrypted their backup systems. In some cases, these attacks caused the facilities to pay to regain access to their encrypted systems, temporarily stop accepting patients, and completely lose access to their data for days or weeks.
To protect your organization’s data, experts suggest:
- Ensuring you have a virtual private network (VPN) and endpoint protection that includes a high-end router, a second-generation firewall, and a DNS filter that prevents computers on your network from accessing unknown websites. These measures will not only help prevent ransomware attacks and improve HIPAA compliance, but they will also help your practice stay in compliance with PCI DSS standards.
- Having a strong data recovery plan. This means recognizing that there is a difference between a data backup and true data recovery capability. Often practices think they are covered, only to find out that the attackers have scrambled their data backup and they lose data or are unable to restore it for days, even weeks.
- Having two-factor authentication for logins to all programs, such as your EHR and billing software. An example of this is requiring users to enter both a password and a cellphone code to log in.
Invest in Cybersecurity Training
Education is your best defense against security threats. Whether you are transitioning systems, communicating with patients, or simply handling day-to-day administrative tasks, security vulnerabilities present themselves frequently. Unfortunately, it only takes something as simple as clicking on a phishing email, failing to notice suspicious activity, or being unknowingly careless with sensitive data to put your facility at risk for a serious data breach. That is why investing in “cyber hygiene training” for your clinicians and staff is one of the most worthwhile investments you can make this year. You probably don’t question whether your machines need an electronic firewall. Consider your staff your “human firewall,” and ensure they are well-equipped to protect your PHI.
A few things to look for in a training system:
- Best-in-breed security training programs will go beyond training into testing. This means they will simulate attacks on a weekly basis, and leadership can receive reports on who opens the emails. The experts we spoke with said that this rigorous level of training and testing can reduce risky behavior by 80-90%.
- Your security training program should address common security threats and how to avoid them:
- Gift Card Scheme: attempting to steal money by emailing an employee from an address that looks like their boss’s and asking them to purchase gift cards.
- Payroll Divergence: attempting to divert an employee’s pay by hacking the employee’s email account and using it to send updated direct deposit information to HR.
- Big Ticket Requests: attempting to convince someone to transfer large sums of money by impersonating vendors.
- Since security threats are constantly evolving, training should go beyond a one-session mindset. Our experts suggest that frequent in-service sessions are important to equip your staff with the information they need to avoid security vulnerabilities and outright attacks.
Not sure where to start? We asked the experts for their tips for getting started:
Compliance Audit and Multi-Layer Defense
Fortunately, there are many resources available to help your organization become more HIPAA/PCI compliant and prevent ransomware attacks. We suggest working with a security partner such as BlueBridge Networks or Eagle Consulting to help you audit your compliance and implement a multi-layer defense system. Most likely your local IT resource will not be qualified in this specific specialty, but may be able to recommend a resource. Practices should seek a company with extensive experience and reputation with hospitals and healthcare organizations, and be sure to speak with their reference practices. Additionally, always ask for a sample report for a security audit to ensure the audit looks not only at security controls but also at business and insurance implications at your facility.
The experts we spoke with say that there are many security training solutions, ranging from free resources to high-end solutions. They suggest HIPAASecureNow.com, Proofpoint, and KnowBe4 for HIPAA compliance auditing and training resources. They rely on these tools for their clients because they have up-to-date, thorough, easy-to-implement resources to train your entire staff. Whether you use these or similar tools, ongoing, up-to-date training on relevant healthcare topics is critical.
Healthcare IT security experts agree that auditing your current security measures, implementing multi-layer defenses against data breaches, and training your staff on identifying and preventing data breaches are the best things you can do to protect your healthcare facility and the patients you serve. Data security can be overwhelming, but working with an experienced IT vendor with healthcare expertise will help simplify the process and help protect your organization.