Best Practices for Healthcare Cybersecurity
The healthcare industry is an attractive target for cybercrime. Because HIPAA standards are strict, cybercriminals know that healthcare organizations are more likely to pay ransoms to recover patient data. Stolen patient data is also very valuable on the black market, where it’s used for Medicare fraud and other forms of insurance fraud.
According to Radware, healthcare was the second most attacked industry, with an average attack costing $1.4 million in damages. The good news is that most healthcare organizations have some kind of emergency response plan in place to address cybersecurity incidents.
The Department of Health and Human Services (HHS) recently released a list of voluntary cybersecurity best practices developed in conjunction with the healthcare industry. The Health Industry Cybersecurity Practices (HICP) report fulfills a mandate set forth by the Cybersecurity Act of 2015 Section 405(d) to develop practical guidelines.
Let’s take a closer look at these guidelines and other best practices for the healthcare industry.
What Is a Typical Attack?
There are many different types of cybersecurity attacks, including ransomware, malware, viruses and botnets, designed to steal data, ransom data or take down entire computer systems or networks. These are major and growing risks to healthcare organizations of any size.
The HICP identifies five top cybersecurity threats to healthcare organizations:
- Email phishing: Email phishing occurs when criminals send legitimate-looking emails that ask for sensitive information, such as passwords or banking details.
- Ransomware: Ransomware encrypts a user’s files, making them inaccessible, and demands a ransom to decrypt them. In some cases, criminals may even threaten to publish sensitive information if the ransom is not paid.
- Loss or theft of equipment or data: Stolen laptops, smartphones or other equipment without data encryption create a security risk, since criminals could access all of the information stored on the device.
- Accidental or intentional data loss: Accidentally or intentionally deleting or destroying data on a computer system or network can result in permanent data loss.
- Attack against medical devices: Medical devices, such as pacemakers and insulin pumps, may be susceptible to cyber attacks when they are connected to the Internet.
The HICP’s guidelines are largely focused on addressing these forms of attack given their prevalence within the healthcare industry, but of course, there are many other attack vectors that healthcare organizations should consider when developing policies.
NIST Cybersecurity Framework
The HICP’s cybersecurity best practices incorporate the popular NIST Cybersecurity Framework — a policy framework designed to help organizations across all industries address cybersecurity risks. It’s important to understand how this framework works before diving into the HICP’s list of healthcare best practices.
Download our free cybersecurity worksheet to incorporate these best practices.
The framework recommends dividing cybersecurity practices into five categories:
- Identify: Develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
- Protect: Develop and implement the appropriate safeguards to ensure the delivery of critical infrastructure services.
- Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
- Respond: Develop and implement the appropriate activities to take action regarding a detected cybersecurity event.
- Recover: Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.
In 2017, NIST published the Cybersecurity Excellence Builder, which translates the framework into a simpler self-assessment. This approach is best for smaller organizations that can’t afford the high cost of implementing the full NIST Cybersecurity Framework.
Best Practices in Healthcare
The HICP identifies 10 best practices to mitigate common threats across the healthcare sector. When it comes to implementing these best practices, the HICP offers advice tailored to both small organizations and medium-to-large sized organizations.
The core best practices include:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Asset management
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
In the HICP’s guidance, each best practice is tied to a NIST Framework reference. For example, Email System Configuration falls under the Identify section of the NIST Framework and, specifically, PR.DS-2, PR.IP-1 and PR.AC-7. Healthcare organizations can reference the relevant NIST Framework item to see how it fits into the bigger picture.
The HICP guidelines impacting small healthcare organizations include:
The implementation guides linked above provide more detailed instructions for implementing these best practices within an organization, as well as more comprehensive guidance for medium-to-large sized healthcare organizations with greater risk.
These best practices are a great starting point for healthcare organizations to take action, but they are not designed to be an exhaustive list of actions. For instance, many industry experts have pointed out that mobile security, insider attacks and encryption are either left out of the guidelines or inadequately covered. These areas may require additional technology, employee training and other measures to address.
Deploying Cybersecurity Solutions
Cybersecurity technology solutions can help healthcare organizations meet and exceed these guidelines by addressing several different areas of cybersecurity — from servers to employees.
The first step is to protect against data loss, since that’s the most costly component of a cybersecurity attack. Encrypted cloud storage, automated backups and email archiving are great strategies for both protecting data against accidental loss and preserving data in the event of a cyber attack (e.g. a ransomware attack).
Active network protection can help prevent attacks at the source. For example, web content filtering and malware protection services can prevent harmful emails from arriving in employee inboxes. Firewalls and 24/7 monitoring services also help ensure that attacks on servers are neutralized before they cause network issues or intrusions.
The last line of defense is often anti-virus, anti-malware, anti-phishing, VPNs and password managers, which help employees avoid problems on their own machines and on external networks. In addition, password managers can keep a single compromised user from impacting an entire network, because they make it practical for employees to use a different password everywhere.
Jungle Disk provides an integrated security suite that is designed for businesses with two to 250 employees. In addition to solutions targeting these areas, the company provides HIPAA compliant data storage — providing the unique security required by law for healthcare companies.
The Bottom Line
The HICP guidelines provide a great starting point for cybersecurity at healthcare organizations. By adhering to these best practices, organizations can ensure that they are protected from many of the most common threats — but not all threats. Critics point out that there are several gaps in the practices.
The good news is that new technologies are making it easier and more affordable than ever to improve cybersecurity. From password management to active network protection, many attacks can be thwarted before they reach an employee.
Jungle Disk provides an integrated security suite that’s designed for small healthcare organizations with two to 250 employees. Request a demo to see how you can improve your cybersecurity without breaking the bank.