When health care providers think of viruses, it's rarely in a digital context. That doesn't make computer viruses any less harmful, however, particularly given the rise of cyber-attacks on health care systems. And unfortunately, it's no longer "if" your system will suffer an attack, but "when."
Some 94 percent of medical institutions said their organizations had been victims of a cyber-attack, according to the Ponemon Institute, and nearly half have experienced multiple attacks.
A 2015 report by TrapX, a cybersecurity firm, revealed three instances where hospital equipment—a blood gas analyzer, picture archive and communications system, and an X-ray system—was the conduit through which hackers infected hospital networks with malware. (So much for the Internet of Things!)
One particularly damaging strain of malware, ransomware, lets hackers gain access to data, encrypt it, and then demand a ransom to get the decryption key.
AHA reports on one hospital that was hit with a demand for 9,000 in Bitcoin, a digital currency, the equivalent to more than $3 million. The facility eventually paid 40 Bitcoin ($17,000) to regain its system.
Of course, exploitation can have disastrous effects far beyond demands for money.
Not only can it put HIPAA-protected personally identifiable information at risk, but according to Sophos, a security company, electronic medical records could be tampered with, work orders changed, medicine inventories altered, and climate control systems for biological material storage reset.
Even though there is no way to safeguard against cyber-attacks 100 percent of the time, hospitals can take proactive steps to make such occurrences less likely.
In its white paper, Top 10 Tips for Cybersecurity in Health Care (PDF), HealthIT.gov recommends the following:
1. Establish a Security Culture
"Researchers who study the psychology and sociology of Information Technology (IT) users have demonstrated time and again how very difficult it is to raise people’s awareness about threats and vulnerabilities that can jeopardize the information they work with daily," the white paper said.
Frequent, ongoing education and training is the remedy, and the hospital must instill a security culture among staff to the point that it becomes as second nature as maintaining sanitary practices.
2. Protect Mobile Devices
Mobile devices have opened a world of opportunity to untether EHRs from the desktop, but they also present threats to information privacy and security. As such, employees must take care to prevent data loss, either as a result of unauthorized viewing, unsecured wireless transmission, or stolen devices.
3. Maintain Good Computer Habits
IT staff must be careful to configure and maintain computer hardware and software to the degree that it's safe from harm. That includes removing any software that is not mission-critical, updating software to the latest versions, and performing routine maintenance.
4. Use a Firewall
Unless a facility disconnects it EHR system from the Internet entirely, there should be a firewall surrounding it to protect against intrusions and threats from outside sources.
5. Install and Maintain Anti-virus Software
Just as a firewall protects a network from intrusion, anti-virus software detects and destroys malware. To put it in medical terms, the anti-virus software can be thought of as infection control while the firewall has the role of disease prevention.
6. Plan for the Unexpected
Eventually, the unexpected will happen, whether it comes in the form of a cyber attack or natural disaster. Two ways to protect against loss is by creating backups and having a recovery plan.
Creating backups should be a daily or weekly routine, which hospitals can accomplish using on-premise solutions like removable hard drives (which it stores in a safe or vault) or offsite via cloud-based platforms like Carbonite.
Recovery planning is necessary so that when an emergency occurs, data restoration can take place quicker and more efficiently, following a prescribed process.
7. Control Access to Protected Health Information
Not every staff member needs the same level of access to sensitive information as another so set permissions to restrict it. HealthIT.gov suggests having an “access control system” in place to assign user rights and permissions.
8. Use Strong Passwords and Change Them Regularly
Passwords are the first line of defense in preventing unauthorized access, yet employees often pay password strength little heed. While a strong password won't keep a hacker from gaining access, it could slow the person down long enough to discourage further attempts.
Strong passwords consist of at least eight characters (the longer, the better) and a combination of upper case and lower case letters, one number, and at least one special character, such as a punctuation mark.
9. Limit Network Access
The increase in cyber-attacks means that the days of BYOD (bring your own device) to work are over. If not, it certainly means the hospital doesn’t let personal devices access its network. Also, don't allow staff to download software without explicit permission and oversight by IT staff.
HealthIT.gov has a downloadable PDF checklist that covers all aspects of network access.
10. Control Physical Access
"The single most common way that electronic health information is compromised is through the loss of devices, whether this happens accidentally or through theft," the white paper said.
These include portable storage media (e.g., thumb or flash drives, CDs, or DVDs), laptops, handhelds, desktop computers, and even hard drives taken out of machines, lost and stolen backup tapes, and entire network servers.
Securing devices physically is a matter of grave importance. That includes storing them in locked rooms, managing physical keys, and restricting the staff’s ability to remove devices from a secure area.
While there is no way to keep cyber-attacks from happening, following these ten steps will make your network safer and help protect medical records and other sensitive information.
And if there is one other recommendation hospitals should heed, it’s to take action now and not wait until after a security breach occurs.
Recommendations from SCP Security Expert
Adding to the above recommendations, Schumacher’s VP of Network Operations and Infrastructure, Sean Peltier, provided this advice:
“A tiered approach is a must for any technologist focused on securing a given environment,” he said. “Long gone are the days where one security point product or appliance will meet all of the different security challenges hospitals are exposed to.”
Peltier recommended that hospitals deploy “multi-layer firewalls or spam filters at the network edge” and that multiple vendors be used.
“That way, if a vulnerability is found in the code of manufacturer ‘X,’ it becomes less likely that same vulnerability will exist in a disparate vendor,” he said.
Peltier also warned that, while security has bubbled up on the priority lists for technology departments, end-user best practices and compliance to security policies remains paramount to maintaining a sound security posture.
"It does little good for your security department to enforce complex passwords, frequent password rotations, or multi-factor authentication if the end-user who has legitimately been given access to sensitive data shares their credentials," he said.