Cyber Security Tips
Policies & Procedures
Written by: Richard Kusserow on October 4, 2017
Growing Health Care Compliance Issues in Cyber Security
Cyber security is a growing compliance issue, and has enormous implications for the health care sector. Cyber security incidents have increased to dramatic levels over the last two years, and are likely averaging one attack a day. Health care sector data breaches alone are up 40 percent since 2015. The most disturbing trend in cyber attacks involves ransomware. Recently, the largest one involved what is known as “WannaCry,” hitting countries around the world. As with other cyber attacks, ransomware spreads through phishing attacks. Phishing involves tricking email recipients into installing malicious software that encrypts the user’s system, causing the user to lose access to his or her documents. The user is then prompted to pay a ransom in order to have the system restored.
For health care providers, concern involves not only business, but also the risk of breaches of protected health information (PHI). OCR data indicates more than 41 million people have had their PHI compromised in HIPAA privacy and security breaches. Data further shows a major increase in breaches resulting from hackers in 2016. Recent studies have reported that healthcare now ranks as the second highest sector for data security incidents, after business services. The “2017 Internet Security Threat Report” found that in healthcare, (a) over half of emails contained spam; (b) one in 4,375 emails was a phishing attempt; and (c) email-borne ransomware has jumped to record levels.
Ensure a HIPAA Security Breach Response Plan is in Place
Camella Boateng is an expert in addressing HIPAA compliance, and makes the point that all healthcare organizations should have a response plan ready if and when it is needed. This will permit prompt action to mitigate the harm and damage to systems, reputation, and costs. Considerations in developing the plan should include, amongst other things: (a) establishing roles and responsibilities for those who would respond to an incident; (b) outlining the methods to detect, report, and internally evaluate incidents; (c) laying out steps to be followed in containing and eliminating breaches; (d) the manner by which the response plan would be initiated and to restore operations; and (e) what would be involved in developing, executing, and monitoring a post-event remedial action plan. She advises that responsible program managers should be addressing this as part of their ongoing monitoring responsibilities. Compliance officers should verify this is being done and validate that it is effective in meeting objectives.
- Establish an aggressive patching schedule for all software.
- Implement policies and procedures for taking precautions against malware.
- Update and patch systems regularly to prevent intrusion.
- Store data offline.
- Conduct regular systems tests to help flag vulnerabilities before a hacker can gain access.
- Limit employee access to systems on a need to know standard.
- Review/restrict privilege by limiting the number of individuals accessing files on a single server.
- Monitor email carefully and do not open email attachments from unknown parties.
- Train employees to recognize and prevent cybercrimes.
- Provide ongoing training against clicking email links or attachments, or responding to phishing inquiries.
- Regularly test users to make sure they are on guard.
- Develop a business continuity plan to prevent down time.
- Establish real-time data backups to permit work to continue.
- Consider joining information-sharing groups with others.
- Assign cyber security responsibilities to someone in a senior position in the organization.
- Configure email servers to block zip or other files that are likely to be malicious.
- Focus security efforts on …