Cybersecurity: 5 ways to keep your EHR data as safe as your patients

March 21, 2017 | Security, Transformative Technology


The hacking business has hit retail establishments, financial institutions, and now, more than ever, healthcare. It can get overwhelming when you see headlines of healthcare organizations getting attacked with ransomware, malware, viruses, loss of patient records, and all sorts of cybersecurity breaches.

The potential solutions and vendor options to protect your organization can cost a lot of money and can be overwhelmingly technical. What can you do? While it’s not possible to have absolutely perfect cybersecurity, here are 5 simple ways that can help you keep patient data safe.

1. Keep Calm and Assess the Risk.

Don’t overreact. An internal risk assessment is an essential step in looking at the likelihood and impact of potential threats. Identify what your organization has that’s valuable, vulnerable, and exposed. Make a list, then estimate how likely each item is to be attacked. If something were to happen, assess what financial, social, and economic impact it may have. For each risk area you identify, determine if you will mitigate (buy a control), transfer (buy cyber insurance for the gap), avoid (remove the vulnerability), or accept (perhaps it’s not cost effective to prevent).

2. Watch Out for the Insider Threat.

Unfortunately, the most common threat to keeping your patient data safe typically comes from inside your organization. It stems from things like curiosity, greed, maliciousness, or just plain human error. Don’t treat all employees as suspects, though. Consider rotating jobs, handle bad situations well, and conduct regular security training.

3. Remember the Basics.

When looking at where cybersecurity breaches can happen, don’t forget the simple things that can cause a big problem. Avoid using default or easy-to-guess usernames, passwords, and PINs. Be on the alert for phishing email scams, and avoid clicking unrecognized URLs or email attachments. Conduct ongoing staff training on how to handle protected health information (PHI). Establish device management processes to keep track of computers that could get lost or stolen, and perform regular penetration tests of your physical and information security. Look at bringing in outside organizations to help test every year as well.

4. Increase Security in the Password and Printer Trouble Spots.

Managing identity and printing are two major security hotspots that often can be protected with the help of third-party vendors (e.g., Forward Advantage, Imprivata, SecureAuth). Use multi-factor authentication for sign-on to go beyond just the username and password, and include things like fingerprint scanning and proximity badges. Turn the printing threat into a protected process by encrypting the digital transmission and putting a badge scanner on the printer itself, preventing papers from being stolen or lost.

5. Grow Your Knowledge.

With new cybersecurity threats coming out all the time, it’s important to stay up to date on information that’s relevant to you and your organization. Follow industry news and tap into Information Security at MEDITECH (customer login required) for useful resources like monthly newsletters, important alerts, detailed advisories, and FAQs. For increased information gathering, consider establishing a Cyber Security Expert. Having at least one person who thinks only about information security is invaluable. They learn to balance risk and reward, and view each project from the security and data privacy perspective. Cyber Security Experts also provide a direct link to technology and security companies, helping you stay on top of your organization’s security, privacy, and patient safety priorities.

Cybersecurity in healthcare can seem daunting at times, but doing the preventative work up front could make a world of difference. Understand your organization and incorporate a layered defense by looking at your people, processes, and technology. Keep calm and assess the risk. 

Written by Justin Armstrong, Security Architect, MEDITECH

Justin Armstrong is responsible for the security of MEDITECH applications and platforms, including coordinating critical updates to MEDITECH software and communicating with customers when questions arise about MEDITECH’s security stance. Justin stays up to date on evolving security standards and regulations, best practices, threats, and software vulnerabilities by remaining active in the security community inside and outside of MEDITECH. He is a Certified Information Systems Security Professional (CISSP) and a proud member of the FBI’s InfraGard program as well as (ISC)², ISSA, the Cyber Health Working Group (CHWG), OWASP, EHRA Privacy and Security Workgroup, and the NH-ISAC. Justin earned a Bachelor of Science in Physics and a Bachelor of Arts in Mathematics from the University of Massachusetts at Amherst. He obtained his Master’s in Information Security Leadership at Brandeis University.