5 Best Practices for Maximizing Health IT Security

Hospitals, their devices, and their data are prime targets for hackers, particularly when the tactic is ransomware.

Guest Commentary

May 3, 2017

Trent Hein

Nearly every industry is susceptible to the dangers of cybercrime; however, hospitals and healthcare organizations face the most risk when it comes to malicious hackers. With complex infrastructure and a variety of devices in use, healthcare organizations provide an abundance of entry and pivot points for cybercriminals to exploit.

Additionally, according to the Ponemon Institute, patient-generated health data is selling for more money than any other kind of information on the black market, at $363 per record on average.

Of all the attacks on hospitals and health organizations over the past few years, ransomware has emerged as the most feared hacking technique. In some cases, ransomware allows hackers to block access to data until a sum of money is paid, and according to recent research, 88% of all ransomware attacks hit hospitals. Last March, three U.S. hospitals were hit with ransomware attacks in just one week, and one Los Angeles-based hospital was forced to pay hackers $17,000 just to regain access to its electronic health records.

To combat the ubiquity of cybercrime and ransomware attacks in particular, hospitals and healthcare organizations need to keep up with the evolving threat landscape and recognize the most common areas of cybersecurity risk. Below are five tactical tips healthcare organizations should implement to maximize their security efforts and achieve compliance:

1. Establish a security plan. With the healthcare IT landscape changing so rapidly, it’s essential that healthcare organizations continually plan for the future. To best leverage your available resources and improve upon your existing security measures, establish a formal security management plan that outlines key factors like where your sensitive data is being stored, how you’ll secure your assets, and what combination of processes, controls, tools, people, and procedures will be used to stay secure. Make sure to update this plan annually, and include information that will cover your cybersecurity needs for the next three years.

2. Prioritize offline storage. In an attempt to manage the growing costs associated with healthcare data requirements, many healthcare organizations have tried to reduce their offline storage by using large file shares on a RAID array. However, this practice can introduce serious risks to data in the event of a cybersecurity incident: a share that is always mounted is reachable by the same ransomware that hits the rest of the network. In an industry where lives are literally at stake, healthcare organizations can’t afford not to have an offline copy of everything of value. Leverage the cloud to replicate and store your data, and make sure that your replica is kept offline and inaccessible to hackers at all times.
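An offline copy is only useful if you can prove it is intact before you need it. The script below is an added example, not code from the article or from AppliedTrust: it builds a SHA-256 manifest of a primary data set at backup time, stores the manifest alongside the replica, and later verifies the replica against it, reporting files that are missing, altered, or unexpectedly present. The directory layout, file names and "patient record" contents are constructed for the demonstration; the tampering in `demo()` is a simulated scenario used to show what the report looks like when a copy has been damaged.

```python
"""Manifest-based verification of an offline backup replica.

Added example (not from the article): snapshot a SHA-256 manifest of the
primary data at backup time, keep it with the offline copy, and compare the
replica against it later so that tampering, ransomware-style encryption, or
silently dropped files are caught before the copy is needed for a restore.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large records never load into RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def verify_replica(manifest: dict, replica_root: Path) -> dict:
    """Compare a replica against a stored manifest.

    Returns sorted lists of paths that are missing, modified (digest differs)
    or extra (present in the replica but absent from the manifest). A clean
    replica yields three empty lists.
    """
    current = build_manifest(replica_root)
    missing = sorted(set(manifest) - set(current))
    extra = sorted(set(current) - set(manifest))
    modified = sorted(
        p for p in set(manifest) & set(current) if manifest[p] != current[p]
    )
    return {"missing": missing, "modified": modified, "extra": extra}


def demo() -> dict:
    """Constructed scenario: a primary share, a replica, then simulated damage."""
    work = Path(tempfile.mkdtemp(prefix="backup-demo-"))
    primary = work / "primary"
    replica = work / "replica"
    # Constructed sample data standing in for patient records (not real data).
    (primary / "records").mkdir(parents=True)
    (primary / "records" / "patient-001.txt").write_text("constructed record 1\n")
    (primary / "records" / "patient-002.txt").write_text("constructed record 2\n")
    (primary / "index.txt").write_text("2 records\n")

    # Snapshot the manifest at backup time and ship it with the copy.
    manifest = build_manifest(primary)
    shutil.copytree(primary, replica)
    (work / "manifest.json").write_text(json.dumps(manifest, indent=2))

    clean = verify_replica(manifest, replica)

    # Simulated damage to the replica: one record encrypted-in-place and
    # renamed, the index overwritten, and an unexpected note dropped in.
    (replica / "records" / "patient-002.txt").rename(
        replica / "records" / "patient-002.txt.locked"
    )
    (replica / "index.txt").write_bytes(b"\x00garbage\x00")
    (replica / "README_RESTORE.txt").write_text("constructed ransom note\n")

    # Reload the manifest from disk, as a real verification job would.
    stored = json.loads((work / "manifest.json").read_text())
    tampered = verify_replica(stored, replica)
    shutil.rmtree(work)
    return {"clean": clean, "tampered": tampered}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice the manifest should be written to the same offline medium as the replica (or signed and stored separately), and the verification job should run from a host that has read-only access to the copy, so that an intruder who reaches the online systems cannot quietly rewrite both the data and the record of what it should contain.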

3. Secure biomedical devices. Biomedical devices such as MRIs are often overlooked when it comes to cybersecurity; however, these devices are usually connected to the Internet, making them easy targets for hackers if they’re left unprotected. Talk to your biomedical device vendors to ensure their products meet HIPAA compliance, and insist that they make any necessary changes if any weaknesses remain. Most providers don’t realize it, but vendors are required by law to help you maintain a secure environment, even if their products are already FDA-approved.

4. Educate your users. There’s a lot healthcare organizations can do with technology to improve their cybersecurity; however, even the best software and tools can’t prevent inadvertent user errors from causing serious breaches. Make sure every user in your system is aware of the risks they can introduce, and outline basic security protocols for laptops and mobile devices to keep security gaps at bay. For instance, make sure employees are using strong passwords and don’t reuse the same password across multiple accounts. Enforce shadow IT policies so employees aren’t accessing healthcare systems or data via undocumented or unapproved devices. Additionally, educate your employees on how to handle a situation if or when they think a cybersecurity incident has occurred.

5. Train your patients. Many consumers are starting to ask for control over their own health data, rather than relying on healthcare providers to safeguard it. The motives behind this consumer trend are certainly understandable; however, a healthcare organization’s cybersecurity is only as strong as its weakest link, and all it takes is one consumer -- even a well-intentioned one -- to cause that chain to break. In addition to educating your employees, take the time to train your patients on cybersecurity best practices and make sure they understand their critical role in the security of their personal health data.

When it comes to cybersecurity, hospitals and healthcare organizations don’t have it easy. Most are working with massive amounts of unstructured patient health data that’s difficult to manage and therefore easy for hackers to access, and many are too resource-strapped to keep up with proactive cybersecurity efforts. However, with patient lives at stake, healthcare organizations need 100% security at all times; a “B” grade won’t suffice. Leverage basic cybersecurity best practices to keep your organization, your data, and your patients safe, and consider implementing cloud-based technologies to help share the burden of maintaining constant security and data accessibility.

Trent R. Hein is co-founder and senior vice president of professional services for AppliedTrust, a security, infrastructure and compliance services company.  

About the Author(s)

Guest Commentary


The InformationWeek community brings together IT practitioners and industry experts with IT advice, education, and opinions. We strive to highlight technology executives and subject matter experts and use their knowledge and experiences to help our audience of IT professionals in a meaningful way. We publish Guest Commentaries from IT practitioners, industry analysts, technology evangelists, and researchers in the field. We are focusing on four main topics: cloud computing; DevOps; data and analytics; and IT leadership and career development. We aim to offer objective, practical advice to our audience on those topics from people who have deep experience in these topics and know the ropes. Guest Commentaries must be vendor neutral. We don't publish articles that promote the writer's company or product.
