Hospitals are struggling to keep their sensitive data under lock and key.
In fact, nearly 90 percent of all healthcare organizations experienced at least one data breach within the past two years, according to a May Ponemon Institute study, and data breach costs are expected to hit $2.1 trillion globally by 2019.
Hospitals are hiring experienced information security pros to combat cybercriminals, but more can be done. Consider the 9 strategies below to intensify digital security efforts in your health system.
Hire professional hackers
The Mayo Clinic did just that a few years ago, hiring a team of security experts to hack everything from respirators to ultrasound machines. These so-called “white hat” hackers were thorough and ruthless, according to one of the participants. But the exercise worked, uncovering a host of security holes along with recommendations for fixes.
Make mobile devices harder to hack
The BYOD (Bring Your Own Device) movement is gaining momentum. But employee-owned devices open hospitals up to data security threats, such as device loss, use of unauthorized applications and password vulnerabilities.
Could your IT team lock or wipe data from employee phones, if needed? Review your mobile governance policies and find out what you can legally do to secure sensitive data on employee-owned devices.
Scrutinize medical device security
Beyond mobile devices, any networked medical device (an MRI, for example) that receives and transmits data represents risk.
“The more devices you hook up, the greater chance you will connect to devices with malware in them,” says Susan Boisvert, R.N., Senior Risk Management Consultant, in Hospitals & Health Networks.
Ensure you have a thorough audit trail for the devices used in your system, and review and tighten your security requirements for medical device suppliers.
Increase employee awareness
Human error is a leading cause of healthcare data breaches.
Sixty-nine percent of surveyed healthcare organizations confirmed their greatest security concern is “negligent or careless” employees, says the Ponemon Institute. And sixty-two percent of respondents claimed they were either unaware or unsure of how medical identity theft affects patients.
Train and educate employees about security basics. Change generic or default passwords. And monitor employee email and social media activities to ensure what happens in the hospital stays off of Facebook.
“Given the sensitive nature of data at hand and all the regulatory and compliance requirements within their industry, health leaders must incorporate better practices when it comes to protecting patient data,” writes Darren Leroux in HealthcareITNews.
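The two concrete asks in this section, a thorough audit trail for every networked device and no device left on generic or default passwords, can be turned into a routine check. The script below is an added example, not code from the original article or from any of the sources it quotes: it parses a constructed device audit log, joins it with a constructed inventory, and flags devices that still use a vendor-default username/password pair or whose audit trail has gone quiet. The device names, credential pairs and log lines are all made up for illustration.

```python
"""Inventory audit for networked medical devices (added example).

Flags two gaps: devices still on default credentials, and devices whose
audit trail shows no activity within a maximum age. All data below is
constructed sample data, not real device records.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed vendor-default credential pairs (hypothetical values).
DEFAULT_CREDENTIALS = {("admin", "admin"), ("service", "service"), ("root", "1234")}

# Constructed audit log: one event per line, "<timestamp> key=value ...".
SAMPLE_AUDIT_LOG = """\
2019-05-10T08:15:00 device=MRI-01 event=login user=radtech
2019-05-10T09:02:00 device=MRI-01 event=config-change user=vendor
2019-05-01T07:40:00 device=US-07 event=login user=sonographer
2019-05-11T16:20:00 device=INF-12 event=login user=nurse
"""


@dataclass
class Device:
    device_id: str
    kind: str
    username: str
    password: str
    last_audit_event: Optional[datetime] = None


def last_events_from_log(log_text: str) -> Dict[str, datetime]:
    """Return the most recent event timestamp seen for each device id."""
    last: Dict[str, datetime] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        timestamp, *fields = line.split()
        kv = dict(field.split("=", 1) for field in fields)
        when = datetime.fromisoformat(timestamp)
        dev = kv["device"]
        if dev not in last or when > last[dev]:
            last[dev] = when
    return last


def uses_default_credentials(device: Device) -> bool:
    return (device.username, device.password) in DEFAULT_CREDENTIALS


def audit_trail_stale(device: Device, now: datetime, max_age_days: int = 7) -> bool:
    """A device with no events at all, or none within max_age_days, is stale."""
    if device.last_audit_event is None:
        return True
    return now - device.last_audit_event > timedelta(days=max_age_days)


def audit_inventory(devices: List[Device], now: datetime,
                    max_age_days: int = 7) -> Dict[str, List[str]]:
    """Map device id -> list of findings; devices with no findings are omitted."""
    findings: Dict[str, List[str]] = {}
    for d in devices:
        issues = []
        if uses_default_credentials(d):
            issues.append("default-credentials")
        if audit_trail_stale(d, now, max_age_days):
            issues.append("stale-audit-trail")
        if issues:
            findings[d.device_id] = issues
    return findings


def run_sample_audit() -> Dict[str, List[str]]:
    """Join the constructed inventory with the constructed log and audit it."""
    last_seen = last_events_from_log(SAMPLE_AUDIT_LOG)
    inventory = [
        Device("MRI-01", "MRI", "admin", "admin"),          # still on defaults
        Device("US-07", "ultrasound", "svc_us", "Xk9!rq2"),  # quiet for 11 days
        Device("VENT-03", "ventilator", "svc_vent", "Lm4#pz8"),  # never logged
        Device("INF-12", "infusion pump", "svc_inf", "Qw7$ht5"),  # healthy
    ]
    for d in inventory:
        d.last_audit_event = last_seen.get(d.device_id)
    now = datetime(2019, 5, 12, 12, 0, 0)  # constructed "current time"
    return audit_inventory(inventory, now)


if __name__ == "__main__":
    for device_id, issues in run_sample_audit().items():
        print(f"{device_id}: {', '.join(issues)}")
```

Run against a real inventory, the default-credential set would come from the supplier documentation you collect when tightening supplier requirements, and the log would be whatever the devices' own audit export produces; the "stale" threshold is the interesting knob, since a device that never appears in the trail is as much a finding as one on a default password.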
Make identifying breaches a team effort
"See something, say something" is a popular mantra in airport security. Encouraging that same culture of responsibility in a hospital through education and incentives may help prevent a costly breach through early identification.
According to the Ponemon Institute, almost half of healthcare organizations within the past two years discovered a breach through an employee, and nearly one-third of data breaches were revealed because of patient complaints.
Implement training on how to avoid phishing attacks
It is becoming increasingly difficult to spot an elaborately designed phishing email scam.
“Companies need to do a better job of training employees how to spot phishing attempts. This is the easiest point for thieves,” writes Thomas Lewis, CISSP, CISA, QSA in LBMC.
“It is well worth the time to implement training programs. The most effective method utilizes programs that are set up internally to mimic phishing attacks,” he explains. “This has been shown to be very effective at raising awareness of how to spot phishing attacks and train employees on how to avoid them.”
Assess your visitor management systems
A hospital’s greatest security threat may be its very own people – including employees, contractors, and visitors – who come and go regularly and frequently within a public facility.
“Daily visitors pose the biggest threat to organizations,” writes Kim Rahfaldt in Security Today.
Visitors “could have a police record, be on a terror watch list or be an angry spouse of a woman working on the 8th floor,” she says.
Visitor management systems let you track when preapproved guests arrive, perform check-ins, and issue secure guest passes. A VM system can also flag potentially problematic visitors and deny them entry – such as a recently terminated, disgruntled employee or an individual who lacks authorized access to a particular part of the hospital.
Disable laptop cameras and microphones
This tip is perhaps the easiest (and cheapest) to implement.
First, use a piece of colored tape to conceal your computer’s webcam. Then, disable your microphone to prevent an audio hack. (Or, just connect an extra pair of earbuds with an attached microphone to your audio jack before snipping off the earbud/microphone portion, as Kellen Beck of Mashable suggests.)
Why? Skilled attackers can potentially gain access to your device via your webcam, writes David Geer in iboss. And cyber thieves may be listening to your private conversations through your device’s microphone.
Keeping your activity private will give you much needed peace of mind.
Talk the talk
Lastly, communicate beyond the four walls of your own hospital.
“Talking to counterparts at other health care organizations and information security industry groups about what they are seeing as far as attacks, and also protocols they have tried which worked and didn’t work is vital to planning for the future and knowing what types of attacks may be coming,” writes Matthew Chambers, CIO in Scrubbing In.
“There is no perfect system or program to prevent every attack by the guys in black hats. But a comprehensive approach to information security can go a long way in keeping the most crucial data – patient information – out of their hands,” he adds.
Hopefully adopting at least one of these tips will keep “the guys in black hats” far, far away.