Chances are, when a patient is admitted to a hospital or other healthcare organization, the individuals involved have many varied thoughts going through their minds. The triage nurse wants to make sure the patient receives the right kind of care and is prioritized appropriately. The physician wants to treat the issue and improve wellness. The billing clerk wants to ensure that all appropriate insurance forms are submitted.
And the IT staff wants to make sure that all of the hospital’s data is secure – whether it be data about the patient or about the equipment the healthcare organization is using to help treat the patient.
In fact, IT security for healthcare organizations might not factor into the thinking of their patients – or even their healthcare providers – with much regularity. But healthcare organizations, from top leadership down, need to take the security of their information technology seriously. And information technology departments within healthcare organizations need to ensure that they are taking a few critical steps to safeguard the health – and personal healthcare information – of each of their patients. Here are a few steps that every healthcare organization IT department should take note of, and implement if they are not already in place.
To start, medical device security is extremely important. These devices are potentially connected directly to patients; as such, they could be compromised either to cause physical harm or to steal critical patient information. IT departments should work in partnership with BioMed divisions when implementing medical devices. Additionally, devices should be checked to ensure that they are up to date, placed on properly segmented networks, encrypting sensitive data both at rest and in transit, and covered by appropriate asset management practices. These steps are crucial both for network-enabled devices and for devices connected to secondary workstations.
In addition, proper authentication mechanisms controlling access to the hospital, workstations, and applications should be implemented. The IT team should emphasize best practices with passwords, two-factor authentication, and/or proximity badges. The goal is to reduce the number of passwords doctors and nurses need to use while increasing the security of the environment.
For the many reasons mentioned above, cyber-security is important, but physical security should also be reviewed and improved. With patients and their families potentially wandering the halls, the opportunity exists for a potential hacker to blend into the foot traffic. Healthcare organizations can combat this by installing proactive cameras, securing door-locking mechanisms, hiring 24/7 security guards, and installing alarm systems that limit entrance to the facility at off-peak hours. To help reduce this risk as well as to bring awareness to these situations, the organization needs to conduct both physical and remote social engineering assessments.
Additionally, redundant and secure communication should be implemented throughout the entire hospital. This includes looking at cell phones, text messages, Internet traffic, medical devices, EHR/EMR, and any other intercommunication mechanisms within the hospital. A patching policy should also be implemented to ensure that devices are routinely patched against critical vulnerabilities. Although sometimes overlooked as not necessarily an important step, the patching of workstations, servers, networking devices, and medical devices is critical to ensuring the safety of patient records and the protection of the facilities.
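The device-hardening checks above (segmentation, encryption at rest and in transit, up-to-date firmware) and the patching policy all hinge on one thing: an asset inventory that can actually be queried. The following is an added example, not the article's or Vulsec's own code. It runs a small, assumed policy (clinical devices must sit on a dedicated segment, encrypt data both ways, and have been patched within 90 days) over a constructed inventory; the device names, VLAN labels, version strings and dates are all made up.

```python
"""Asset-inventory compliance check for networked medical devices.

Added example, not the article's code. The inventory below is constructed
for illustration; device names, VLAN labels and versions are made up.
The policy thresholds (patch age, allowed segments) are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy: clinical devices live in a dedicated segment, encrypt
# data at rest and in transit, and are patched within 90 days.
MAX_PATCH_AGE = timedelta(days=90)
CLINICAL_SEGMENTS = {"VLAN-210-clinical"}


@dataclass
class Device:
    name: str
    kind: str             # e.g. "infusion-pump", "workstation"
    segment: str          # network segment / VLAN the device sits on
    firmware: str         # installed version
    latest: str           # vendor's current version
    enc_at_rest: bool
    enc_in_transit: bool
    last_patched: date


def version_tuple(v):
    """Turn '4.2.1' into (4, 2, 1) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))


def check_device(dev, today):
    """Return the list of policy findings for one device (empty = compliant)."""
    findings = []
    if dev.kind != "workstation" and dev.segment not in CLINICAL_SEGMENTS:
        findings.append("not on a segregated clinical segment")
    if version_tuple(dev.firmware) < version_tuple(dev.latest):
        findings.append(f"firmware {dev.firmware} behind vendor {dev.latest}")
    if not dev.enc_at_rest:
        findings.append("no encryption at rest")
    if not dev.enc_in_transit:
        findings.append("no encryption in transit")
    age = today - dev.last_patched
    if age > MAX_PATCH_AGE:
        findings.append(f"last patched {age.days} days ago")
    return findings


def compliance_report(inventory, today):
    """Map device name -> findings, listing only devices with at least one."""
    return {d.name: f for d in inventory if (f := check_device(d, today))}


# Constructed sample inventory (all values made up)
TODAY = date(2024, 6, 1)
INVENTORY = [
    Device("pump-icu-01", "infusion-pump", "VLAN-210-clinical",
           "4.2.1", "4.2.1", True, True, date(2024, 5, 10)),
    Device("pump-icu-02", "infusion-pump", "VLAN-100-guest",
           "4.1.0", "4.2.1", True, False, date(2023, 11, 2)),
    Device("mri-suite-a", "mri-console", "VLAN-210-clinical",
           "7.0.0", "7.0.3", False, True, date(2024, 4, 1)),
    Device("ws-nurse-12", "workstation", "VLAN-300-staff",
           "10.0.19045", "10.0.19045", True, True, date(2024, 5, 20)),
]

if __name__ == "__main__":
    for name, findings in compliance_report(INVENTORY, TODAY).items():
        print(name)
        for finding in findings:
            print("  -", finding)
```

In practice the inventory would be pulled from a CMDB or the BioMed team's device register rather than typed in, and the "latest" version would come from vendor advisories; the point is that every item the article lists becomes a yes/no question the IT department can answer per device on a schedule.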
IT departments would also do well to conduct proactive assessments against their employees, technology, and organization. Doing so allows the department to test the infrastructure against threats, and to accurately gauge how much risk exists of patient information getting into the wrong hands.
Another step that healthcare-focused IT departments should take is to implement proper threat intelligence within the infrastructure to analyze the flow of data. Thinking of the aphorism, “You don’t know what you don’t know,” it is prudent that IT departments understand what kind of traffic is within the infrastructure and what is coming in and out of the environment.
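Knowing what traffic is coming in and out of the environment starts with a baseline for each segment and a check of observed flows against it. The block below is an added example, not the article's or Vulsec's code: it reviews constructed flow records (in a made-up `src,dst,dport,bytes` CSV shape) from an assumed clinical device segment, flagging hosts that talk to external peers outside a vendor allowlist and hosts whose outbound volume in the window exceeds a threshold. The subnets, allowlist and threshold are assumptions; a real deployment would read NetFlow/IPFIX exports or firewall logs.

```python
"""Baseline-versus-observed traffic review for a clinical network segment.

Added example, not from the article. Flow records, subnets, the vendor
allowlist and the egress threshold are all constructed/assumed values.
"""
import ipaddress
from collections import defaultdict

CLINICAL_NET = ipaddress.ip_network("10.20.0.0/16")      # assumed device segment
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]     # assumed hospital address space
# Assumed: external addresses the device vendors are known to use
VENDOR_ALLOWLIST = {ipaddress.ip_address("198.51.100.10")}
EGRESS_BYTES_THRESHOLD = 50_000_000   # 50 MB out of the segment in one window


def is_internal(ip):
    return any(ip in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse a constructed 'src,dst,dport,bytes' record into a dict."""
    src, dst, dport, nbytes = line.strip().split(",")
    return {
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "dport": int(dport),
        "bytes": int(nbytes),
    }


def review_flows(lines):
    """Return findings for clinical hosts: unexpected external peers and
    unusually large outbound volume. Flows from other segments are ignored."""
    egress_bytes = defaultdict(int)
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow["src"] not in CLINICAL_NET:
            continue
        if is_internal(flow["dst"]):
            continue                      # device -> EHR etc. is expected
        egress_bytes[flow["src"]] += flow["bytes"]
        if flow["dst"] not in VENDOR_ALLOWLIST:
            findings.append(("unexpected-external-peer", str(flow["src"]),
                             str(flow["dst"]), flow["dport"]))
    for src, total in egress_bytes.items():
        if total > EGRESS_BYTES_THRESHOLD:
            findings.append(("high-egress-volume", str(src), total))
    return findings


# Constructed sample flow records (addresses from documentation ranges)
SAMPLE_FLOWS = [
    "10.20.1.5,10.10.0.20,443,120000",        # pump -> internal EHR, expected
    "10.20.1.5,198.51.100.10,443,80000",      # pump -> allowlisted vendor, expected
    "10.20.1.7,203.0.113.44,8443,900000",     # pump -> unknown external peer
    "10.20.1.9,198.51.100.10,443,60000000",   # allowlisted peer, but 60 MB outbound
    "10.10.0.20,203.0.113.44,443,5000",       # not in the clinical segment, ignored
]

if __name__ == "__main__":
    for finding in review_flows(SAMPLE_FLOWS):
        print(finding)
```

Two kinds of finding come out of the constructed sample: one device reaching an address nobody approved, and one device sending far more data to an approved vendor than a pump has any reason to. Both are questions for the BioMed team and the vendor, and neither would surface without first writing down what "normal" looks like for the segment.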
Finally, and perhaps most importantly, IT departments within healthcare organizations should do their part to bring information security awareness to the board of directors and the executive leadership of their facilities, in order to drive change within the organization around IT and IT security. They should create a realistic budget to keep technology up to date and secure from threats, and point out that skimping on this budget in the present could lead to exponentially greater costs in the future as the result of a data breach.
Technology has resulted in many incredible advances within healthcare. It is up to information technology departments within healthcare organizations to ensure that technology does not become a detriment to their organization.
Andrew Ostashen is co-founder of Vulsec (www.vulsec.com), a Boston-based firm established to provide clients with the highest methodologies in data protection by delivering versatile tactics to safeguard information technology departments from hackers. Andrew can be reached at 617-648-9815.