October is National Cybersecurity Awareness Month. With that in mind, eFax Corporate recently co-hosted a webinar with IT provider Entegration to review the Department of Health & Human Services’ new voluntary cybersecurity guidance.
Leading the discussion in this webinar were Art Gross, CEO of the healthcare-focused IT company Entegration, and Brad Spannbauer, Consensus’s senior director of product management and the company’s HIPAA privacy and compliance officer.
Analyzing the HHS 10 Cybersecurity Practice Recommendations
These two HIPAA experts delved into the details of the 10 cybersecurity suggestions that HHS offers in its multi-volume 2018 publication, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.”
Here is a brief overview of those HHS suggestions, and some of the additional cybersecurity insights Gross and Spannbauer offered in the webinar.
- Email protectionAs Gross pointed out, HHS places email protection at the top of its list of cybersecurity recommendations because email remains the top tool cybercriminals use to gain access to healthcare organizations’ networks and data.The HHS’s email-readiness recommendation includes taking both technological measures—for example, using only business-class email programs and encrypting all messages—as well as educating and training staff on safe email practices.
- Endpoint protectionHHS advises making sure that all endpoint devices that staff uses to access ePHI (including desktops, smart phones, tablets, laptops) have antivirus protection and encryption, and that these cybersecurity applications are always up to date. They also suggest using multifactor authentication on all of these devices.Gross said he believes addressing just these two HHS suggestions will go a long way toward reducing the likelihood of a cybercriminal being able to successfully attack your organization’s network.
- Access managementThis suggestion relates to how employees are able to access ePHI and other corporate data and how that access is monitored and recorded. It involves setting rules to make sure each employee is using unique identifiers to access company data, making sure the organization is limiting the number of shared accounts, and making sure each employee has just the right amount of access—and no more.Bonus tip: Spannbauer suggested conducting regular internal audits to review your access management policies. He also advised developing a process for immediately terminating all access to an employee who leaves your company.
- Data protection and loss preventionThe HSS recommends classifying all company data, in all places it resides. This includes data on company computers, in-house servers, on file-sharing apps, saved as emails or texts on mobile devices, in cloud storage, etc.Classifications might include ePHI, proprietary company data (but not patient-specific), and other categories.After you have categorized your data, the HHS recommends determining what each classification means, how you will want your staff to handle it, and then training your employees on the steps you expect them to take when dealing with each type of company data.Another HHS recommendation here is to destroy all media that contains sensitive data when you are ready to retire that hardware. When your organization is ready to replace a desktop computer with a new one, for example, make sure that old computer is physically destroyed so that no one can ever access any sensitive data on it.Bonus tip: Spannbauer noted that text messages containing ePHI should never be sent via SMS. They should be sent only through a secure messaging system from your organization’s patient portal.
- Asset managementIn addition to taking inventory of all your practice’s ePHI data, HHS recommends also taking inventory of all IT assets: computers, mobile devices, printers, copiers, ultrasound machines, etc.This, they argue, is the only way you can monitor and manage the data on those devices, and make sure that data is secure and that your organization is complying with HIPAA.Bonus tip: As Gross noted, many medical practices forget that their equipment (e.g., digital x-ray machines and even standard multifunction printers) contain ePHI on their hard drives. So, these devices need to be secured during use, and their data needs to be wiped when you’re discarding them.
- Network managementThe key takeaway here is that HHS recommends segmenting your practice’s digital networks based on use. They suggest dividing networks, for example, so your patients and their guests aren’t accessing the same WiFi system that your employees are using.Another example would be when your practice connects vendor equipment to a network. If a vendor owns a piece of equipment your practice uses for your normal operations—say, a blood analysis machine that’s kept at your facility—you’ll need to make sure that equipment’s network access is isolated and not part of your broader system. That way, if the machine’s network is breached, the attacker can’t get to the rest of your network data.
- Vulnerability managementHHS warns that attackers exploit out-of-date operating systems, software, and other digital tools to gain access to healthcare organizations’ networks. One of their recommendations, therefore, is to perform regular vulnerability scans—to find which if any applications have missed security patches, which operating systems might be out of date, etc.This also applies to your EHR and other practice-management systems. These need to be updated regularly, because they get security updates and patches as well.Pulling this all together, this is why it’s so important for IT to inventory all assets, to do regular vulnerability scans of them, to segment hardware onto their own networks, etc.As Gross explains, consider what could happen if a small practice were operating a digital x-ray machine running Windows XP and that hadn’t been updated in some time. All it would take is for this one machine to have one security vulnerability. A sophisticated hacker could use that weakness to penetrate the practice’s network, and if the machine weren’t isolated, the attacker could then move from the x-ray machine to other areas of the network and possibly gain access to all sorts of ePHI.Spannbauer highlighted another common scenario that could lead to problems. Imagine a medical practice moving to a new system or application—a new EHR, for example—but keeping the old one running on an in-house machine, because it might contain some historical data. That app can become forgotten, running on a server in a closet somewhere. If the app or its operating system fall out of date or miss security patches, it can become an easy entry point for a cybercriminal.
- Incident responseHHS recommends establishing a response plan before an actual data breach. If an organization fails to do so, and they’re attacked, they’re not going to be doing their best thinking during the panic.An incident response plan, as the HHS broadly defines it, should include a comprehensive approach to dealing with the unthinkable: a cyberattack that leaves a healthcare practice completely unable to access its digital infrastructure.This includes answering questions such as:What will we do if we suffer a ransomware attack and can’t access our ePHI?What happens if a cyberattack knocks out our phone system? How will we stay in communication with staff and patients and maintain operations?Should we investigate cyber insurance?Bonus tip: Spannbauer suggested printing out all of the details of your company’s incident response plan and making sure the right people have those physical copies. If an attack makes your digital network inaccessible, you won’t want your entire plan locked away in a digital file you can’t access.
- Medical device securityHHS argues that healthcare practices must take steps to secure all devices on their networks—not only computers but also the many medical devices their practices uses every day, including EKGs, blood analysis machines, and digital x-rays. Because these devices could all be on your practice’s digital network, they all create a potential entry point for a clever hacker.So, HHS recommends keeping all of these devices up to date. That means making sure these devices are all on your IT team’s radar, and that the team is applying the same patch management to them that they do for keeping your desktop computers secure.
- Cybersecurity policies
Finally, HHS states that health organizations need internal governance policies to help their staff protect the company against cybersecurity threats.
This means, for example, developing an Acceptable Use policy and distributing it across your organization. Such a policy would explain what you will allow your employees to do when it comes to data and digital security, what you require of them, and what you won’t allow them to do.
For example:
Will you allow your staff to use their personal mobile devices to access or share ePHI? If so, will you first deploy a system for monitoring and encrypting these devices?
What are your policies on remote use of ePHI?
Where will you draw lines in terms of what your staff can and cannot discuss on social media regarding your organization?
This will require not only drafting cybersecurity polices but also training your employees to follow them.
As Gross pointed out, this is one of the most important HHS recommendations because employee mistakes are among the most common reasons for cybersecurity breaches in the healthcare industry.
Other Key Cybersecurity Topics Covered in the Webinar
In addition to this deep-dive review of HHS’s 10 cybersecurity recommendations, Gross and Spannbauer also addressed several other cybersecurity topics relevant to every healthcare entity. Other discussion points you’ll find in this webinar include:
- The average cost of a data breach to a small or medium-sized healthcare entity
- Several key reasons that healthcare data remains a favorite target of cybercriminals
- A discussion of the impact of a cybersecurity attack on HIPAA penalties and remediation
- The HHS’s evolving views on ransomware—and what it means for your practice
To watch the full webinar, view the on-demand version here.
