We have witnessed an increase in security breaches in different businesses across the country as hackers become smarter. In healthcare institutions, people rely more and more on the cloud technology to communicate and retain personal and sensitive information especially in times of the COVID-19 pandemic. However, the lack of knowledge and investment in cybersecurity framework makes healthcare systems vulnerable to data leakage and other similar cybersecurity threats.
According to HIPAA Journal, the number of data breaches has been steadily increasing since 2010, reaching a new high in 2019, with the records of 12.6% of the U.S. population “exposed, impermissibly disclosed, or stolen.” Hacking and IT incidents accounted for 59.4% of healthcare breaches last year, accounting for 87.6 % of breached records. Unauthorized access and disclosure incidents accounted for 28.8 % of all data breaches and 11.3 % of all breached records.
Cybersecurity threats in healthcare continue to evolve, as do cybersecurity solutions to address these threats. But before you choose the right partner, let us learn the most important information about cybersecurity in healthcare.
1. What is Cybersecurity in Healthcare?
Cybersecurity in healthcare entails safeguarding electronic information and assets against unauthorized access, use, and disclosure. Cybersecurity has three goals: preserving the confidentiality, integrity, and availability of information, generally known as the “CIA triad.”
There are many assets which healthcare systems need to protect: EHR systems, e-prescribing systems, practice management support systems, clinical decision support systems, radiology information systems, and computerized physician order entry systems are all used by many healthcare companies. Thousands of devices that make up the Internet of Things must also be protected. Smart elevators, smart heating, ventilation, and air conditioning (HVAC) systems, infusion pumps, Remote Patient Monitoring (RPM) devices, and other devices are examples.
2. Who are the healthcare stakeholders?
Employees must be aware of the healthcare organization’s privacy and security rules. Regular security awareness training is critical for healthcare cybersecurity because it informs workforce members about dangers and what to do in the event of a security incident. Employees must also know who to contact if they have a query or encounter an issue. In essence, workforce members can serve as the cybersecurity team’s eyes and ears. This will assist the cybersecurity team in understanding what is and is not functioning in order to secure the information technology infrastructure and data.
Patients must also understand how to communicate with their healthcare providers in a secure manner. Furthermore, whether patients interact online with their healthcare providers, whether through a telehealth platform, e-visits, secure messaging, or other means, they must understand the privacy and security policies as well as how to keep their information private and secure.
Vendors / Suppliers
Some organizations partner with vendors who provide healthcare programs or systems. If the vendor lacks knowledge on security policies in healthcare, serious problems may arise for the healthcare organization.
3. What are the common cybersecurity threats?
Cyberattacks are of particular concern in the healthcare sector because they can directly jeopardize not just the security of systems and information, but also the health and safety of patients.
For three key reasons, healthcare businesses are appealing targets for cybercriminals:
- On the darknet, criminals can swiftly sell patient medical and billing information for insurance fraud reasons.
- The capacity of ransomware to lock down patient care and back-office systems makes hefty ransom payments possible.
- Medical devices and mobile apps that are connected to the internet are vulnerable to tampering.
Cyberattacks on electronic health record and other systems endanger patient privacy because hackers gain access to PHI and other sensitive information. Failure to keep patient records private might result in significant penalties under HIPAA’s Privacy and Security Rules, as well as potential harm to your organization’s reputation in your community.
Most significantly, patient safety and quality of care may be affected. Loss of access to medical records and lifesaving medical devices, such as when a ransomware infection holds them captive, will impair your capacity to care for your patients efficiently. Access to sensitive patient data allows hackers not only to steal the information, but also to purposefully or inadvertently alter the data, which might have major consequences for patient health and outcomes.
4. How can we avoid cybersecurity threats?
Every healthcare organization should have both basic and advanced security procedures in place. This will help to ensure defense-in-depth, so that if one control fails, another will take its place. A virus, for example, may infiltrate an organization’s firewall but be stopped by an anti-virus program. However, not all security incidents are avoidable. Blocking and tackling come into play here. A thorough incident response plan is required for healthcare cybersecurity so that any security incidents that occur are either blocked or addressed in a timely and expedited manner.
Here are some basic security controls listed by the Healthcare Information and Management Systems Society (HIMSS):
- Installing an anti-virus
- Having a backup and a way to restore files/date
- Planning for data loss prevention
- Having an email and web gateway
- Having an encryption for archived files/data, encryption in transit
- Securing using a firewall
- Creating incident response plan
- Creating an intrusion detection and prevention system
- Securing through mobile device management
- Regularly updating policies and procedures
- Providing secure disposal and security awareness training
- Providing management program/patch management program
Advanced security controls from HIMSS include the following:
- Investing in anti-theft devices
- Having a strong business continuity & disaster recovery plan
- Being equipped with digital forensics, multi-factor authentication, network segmentation, penetration testing, threat intelligence sharing and vulnerability scans
5. What are the healthcare laws and regulations on cybersecurity?
The Health Insurance Portability and Accountability Act (HIPAA) is a federal mandate that applies to covered companies and business associates in the United States. HIPAA is made up of three rules: the Privacy Rule, the Security Rule, and the Breach Notification Rule.
Health plans, healthcare clearinghouses, and healthcare providers who electronically communicate any health information in conjunction with transactions for which the U.S. Department of Health and Human Services has developed guidelines are covered entities.
Physician offices, ambulatory surgery centers, hospitals, long-term care facilities, health plans, and healthcare clearinghouses are examples of covered entities. Business associates carry out tasks or provide services on behalf of covered entities. On behalf of the covered entity, business associates may create, receive, transmit, or keep protected health information. Accountants, attorneys, cloud service providers, document storage firms, third-party billing services, and other professionals are examples of business associates.
HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164
The HIPAA Privacy Rule, 45 CFR Part 160 and Subparts A and E of Part 164, establishes permissible and mandated uses and disclosures of protected health information. The protected health information can exist in any medium, including paper, film, and electronic. Individually identifiable health information is protected health information.
HIPAA Security Rule, 45 CFR Parts 160 and 164, Subparts A and C
The HIPAA Security Rule, 45 CFR Parts 160 and 164, Subparts A and C, establishes rules for electronic protected health information. In other words, covered entities and their business associates must preserve the confidentiality, integrity, and availability of electronic protected health information.
HIPAA Breach Notification Rule, 45 CFR 164.400-414
The HIPAA Breach Notification Rule, 45 CFR 164.400-414, requires HIPAA covered entities and their business associates to notify HIPAA covered entities and their business associates following a breach of unsecured protected health information.
A breach is typically defined as an illegal use or disclosure of protected health information under the Privacy Rule that jeopardizes the security or privacy of the information. An unauthorized use or disclosure of protected health information is presumed to be a breach unless the covered entity or business associate, as applicable, demonstrates a low probability that the protected health information has been compromised based on a risk assessment of at least the following factors:
- The degree to which the risk to protected health information has been reduced
- The nature and scope of the protected health information involved, including identifier types and the possibility of re-identification
- The unauthorized user of protected health information or anyone to whom disclosure was made
- Whether or not the protected health information was obtained or seen
Where relevant, covered entities and business associates have the discretion to submit the required breach notifications following an improper use or disclosure without undertaking a risk assessment to establish the risk that the protected health information has been compromised.
The definition of breach is subject to three exceptions:
- The covered organization or business associate believes in good faith that the unauthorized person to whom the unlawful disclosure was made would not be able to keep the information.
- Inadvertent disclosure of protected health information by a person authorized to access protected health information at a covered entity or business associate to another person authorized to access protected health information at the covered entity or business associate, or to another person authorized to access protected health information at the covered entity or business associate, or to an organized healthcare arrangement in which the covered entity participates. In any event, the information cannot be used or disclosed in any way that is not permitted under the Privacy Rule.
- Unintentional collection, access, or use of protected health information by a workforce member or person operating under the authority of a covered entity or business associate, if made in good faith and within the scope of authority.
A business associate, like a covered company, is directly accountable and subject to civil penalties if it fails to safeguard electronic protected health information in compliance with the HIPAA Security Rule.
DrKumo Cybersecurity Framework
DrKumo Security and Privacy framework is based on the Health Insurance Portability and Accountability Act (HIPAA), ISO 27001, the National Institute of Standards and Technology (NIST), the Federal Information Processing Standards (FIPS), the Federal Information Security Management Act (FISMA), the Office of Management and Budget (OMB), and security safeguards from best practice leaders, including awareness of privacy landscape shifts from new laws or regulations.
DrKumo— leader in Connected Health Technology of Remote Patient Monitoring— creates quality systems, applications, and procedures. DrKumo maintains the confidentiality, integrity, and availability of DrKumo systems and information, which includes customer, employee, client, corporate, personal, and third-party relationship information.
Healthcare cybersecurity solutions should include safeguards that are superior to those provided by most organizations in different industries. In terms of the level of protection given, these systems and devices should be comparable to, if not superior to, those employed in financial institutions.
To accomplish this goal, healthcare institutions must evaluate each new platform proposed in terms of the medical advantages delivered to their patients as well as the danger of cyberattacks.