By Michael Grzesik, Infrastructure Security Specialist
Today’s healthcare industry offers attackers ample opportunity to exploit a weak computer and network security posture. Lack of attention can compromise confidential patient information. It is up to all of us who work in this vital sector of the economy to understand the need to be vigilant and to ask tough questions when it comes to patient confidentiality, data protection and designing healthcare systems with security in mind.
What can you do to help? User education is one key to success. In addition, working toward the goal of putting the appropriate technical protections in place to secure computer networks and hospital systems also ranks high on the list. In the end, the hard work involved will have a positive impact on everyone. Let’s take a look at some areas you can look at to increase security and awareness in a healthcare environment, no matter the size.
Control Physical Security and Network Access
Physical security does not stop with the lock on the office door, and computer security doesn’t stop with a username and a password. Healthcare workers are using laptops, mobile devices and tablets to access patient information. If offices don’t limit the chance that these devices can be lost or stolen, then ePHI (electronic Protected Health Information) is at a heightened risk. Here are some actions to consider:
- End users should follow established office policies that determine which devices and applications may be used to access the office computer network.
- There should also be restrictions on wired and wireless access in an office or a hospital. Consider higher levels of wireless encryption (beyond WPA2 – Wi-Fi Protected Access 2) on handheld devices roaming the building. Adding username and password authentication, in addition to strong encryption, makes it harder for untrusted personal devices to gain access to the network.
- Prohibit casual network access by visitors. Do hospital employees and guests need to log in to the entire network and the Internet on a 24x7x365 schedule? Should there be a separate guest wireless network? Ask your IT department to consider this.
Access to Protected Healthcare Information
Patient records are at even higher risk of compromise today than they were 10 years ago. With HIPAA, most records are now electronic and available on a computer network. Poorly configured application security coupled with lax network security is a recipe for disaster if a computer hacker or disgruntled employee targets a hospital network.
- Electronic records systems should be configured to grant access to only people with the “need to know”. This access control might be built into the computer operating system for a particular pharmacy or healthcare application.
- IT should be engaged to help set file permissions using access control lists. Prior to this, files should go through a data classification review to determine which staff members should be accessing them.
- One method of controlling file access is role-based access control. In role-based access, associates within the medical practice or hospital, such as pharmacists, physicians, nurses and billing specialists, are cleared to access only certain data. This data access is, again, typically on a need-to-know basis.
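The following is an added illustration of the need-to-know, role-based model described above; it is not code from the article. The data classes, roles, users and the policy table are all constructed for the example. The point it shows is that a classification review produces an explicit table of who may read or change each record type, access is denied unless a rule grants it, and every decision, denied ones included, is written to an audit trail that security staff can review.

```python
"""Role-based, need-to-know access control for patient record types.

Added example (not the article's code).  Roles, record types and users are
constructed for the demonstration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Result of the data classification review: for each record type, the roles
# cleared to read it and the (usually smaller) set cleared to change it.
# Anything not listed here is denied by default.
POLICY = {
    "demographics":    {"read": {"physician", "nurse", "pharmacist", "billing"},
                        "write": {"nurse"}},
    "clinical_notes":  {"read": {"physician", "nurse"},
                        "write": {"physician"}},
    "prescriptions":   {"read": {"physician", "nurse", "pharmacist"},
                        "write": {"physician"}},
    "billing_records": {"read": {"billing"},
                        "write": {"billing"}},
}


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset  # a user may hold more than one role


@dataclass
class AccessLog:
    """Append-only audit trail; denied attempts are the interesting part."""
    entries: list = field(default_factory=list)

    def record(self, user: User, record_type: str, action: str, allowed: bool) -> None:
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user.username,
            "record_type": record_type,
            "action": action,
            "allowed": allowed,
        })


def is_authorized(user: User, record_type: str, action: str) -> bool:
    """Deny by default: only an explicit rule for this type/action grants access."""
    rule = POLICY.get(record_type)
    if rule is None or action not in rule:
        return False
    return not user.roles.isdisjoint(rule[action])


def access_record(user: User, record_type: str, action: str, log: AccessLog) -> bool:
    """Evaluate the policy and log the decision, whether allowed or not."""
    allowed = is_authorized(user, record_type, action)
    log.record(user, record_type, action, allowed)
    return allowed


def denied_attempts(log: AccessLog) -> list:
    """The entries a reviewer would look at first: who tried to reach what they
    were not cleared for."""
    return [e for e in log.entries if not e["allowed"]]


if __name__ == "__main__":
    log = AccessLog()
    physician = User("dr_lee", frozenset({"physician"}))
    billing = User("b_smith", frozenset({"billing"}))
    print(access_record(physician, "clinical_notes", "read", log))   # True
    print(access_record(billing, "clinical_notes", "read", log))     # False
    print(denied_attempts(log))
```

Because the rule table is data rather than scattered `if` statements, the classification review can be checked line by line, and a change in what a role may see is a change to one table rather than to application code.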
Computer, Handheld and Network Security
How safe is your computer network and the devices that run on it? There is no one blanket answer to computer and network security. Each device, application and system has its own security settings to configure. If a solution does not offer good security, consider a different solution. Do not rely on default settings; it is up to you to decide how each product’s security features will be configured when it is deployed.
- Installing anti-virus software is a good place to start. Many suites of AV products have different levels of protection for the operating system, applications and network, which can help you deploy a more holistic solution to your users. Do not forget about AV products for mobile devices, especially if you use any Android OS tablets or mobile products.
- If a product or operating system includes a host firewall, take the time to turn it on. This is your best protection at the host level against outside attacks. Offices should also consider a newer Next Generation Firewall for their network, which stops attacks in real time and lets you control the flow of data in and out of the network at a more granular level.
- Consider how wireless handheld devices are managed in your network environment. This is where some very pointed questions should be asked regarding day-to-day device access.
- Do not transmit unencrypted Protected Health Information (PHI) across public networks (e.g., Internet, Wi-Fi).
- Where it is absolutely necessary to commit PHI to a mobile device or remove a device from a secure area, encrypt the data.
- Do not use mobile devices that cannot support encryption.
- Develop and enforce policies specifying the circumstances under which devices may be removed from the facility.
- Take extra care to prevent unauthorized viewing of the PHI displayed on a mobile device.
A Culture of Security is Very Important
There are many technical security controls that can be put in place, and there are also information security controls that need to be considered. Educating users and securing the data are both paramount to keeping electronic patient information out of the wrong hands. This area follows the CIA principles of information security: Confidentiality, Integrity and Availability.
Step one: educate your users on the importance of information security
- Build a security-minded organizational culture so that good habits and practices become automatic.
- Conduct information security education and training frequently, in an ongoing fashion.
- If you are a manager or other leader in your organization, set a good example in attitude and action.
- Instill taking responsibility for information security as one of your organization’s core values.
Step two: know your data, what users will access it, and how it should be secured
- Confidentiality – is information access and disclosure limited to authorized users (“the right people”), and is access by, or disclosure to, unauthorized users (“the wrong people”) prevented?
- Integrity – could the data be compromised or altered while at rest (on a file server) or in transit (over a wireless network)?
- Availability – is the data available to the people who need to see it, and is that availability guaranteed on a consistent basis?
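The integrity question above ("could the data be altered at rest or in transit?") can be answered with a tamper-evident seal. The following added example (not from the article) uses the Python standard library's HMAC-SHA256 to seal a patient record and to detect any later change to it, whether made on the file server or in transit. The record, the key and the altered field are constructed for the demonstration; a real deployment would fetch the key from a key-management service rather than generate it in code.

```python
"""Tamper-evident patient records with HMAC-SHA256 (integrity only).

Added example, not code from the article.  The sample record and the
demonstration key are constructed here.
"""
import hashlib
import hmac
import json
import os


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the same record always produces the same tag."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(key: bytes, record: dict) -> dict:
    """Attach an HMAC tag computed over the canonical record."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(key: bytes, sealed: dict) -> bool:
    """True only if the record is byte-for-byte what was sealed.

    compare_digest avoids leaking how many leading tag bytes matched.
    """
    expected = hmac.new(key, canonical(sealed["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sealed.get("tag", ""))


def demo_tamper_detection() -> tuple:
    """Seal a record, alter one field the way an insider with file access
    might, and report the verification result before and after."""
    key = os.urandom(32)  # constructed demo key; use a KMS in production
    record = {"patient_id": "P-0001", "allergy": "penicillin", "dose_mg": 250}
    sealed = seal(key, record)
    ok_before = verify(key, sealed)
    sealed["record"]["dose_mg"] = 2500  # the alteration
    ok_after = verify(key, sealed)
    return ok_before, ok_after


if __name__ == "__main__":
    print(demo_tamper_detection())  # (True, False)
```

Two caveats belong with this technique. An HMAC proves integrity, not confidentiality: the record is still readable, so it complements, rather than replaces, encryption and the need-to-know controls discussed earlier. And the key must not live beside the data; whoever holds both can alter a record and reseal it, so the seal is only as strong as the separation between the file server and the key.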
Everyone is Responsible
The marriage of healthcare and technology is a business collaboration to find solutions that work, enhance patient safety and improve the outcome of the medical experience. Asking the right questions and hiring the right people with the technical knowledge are only part of the picture. If healthcare professionals take the time to become educated on the basics of computer and information security, everyone will benefit, including the patients.