- Hospitals and healthcare organizations need to keep a strong focus on their risk management and risk assessment process and ensure that any third parties or business associates also have proper security and IT risk management protocols in place, according to Electronic Healthcare Network Accreditation Commission (EHNAC) Executive Director Lee Barrett.
Also a member of the HHS Cybersecurity Task Force, Barrett explained in a recent statement that large-scale data breaches, such as the Equifax data breach, should serve as strong reminders to healthcare organizations that it is “not a matter of if a breach can happen but when.”
“Hospitals and healthcare systems now need to keep their focus on strategies and tactics to mitigate risk and ensure business continuity once a cyberattack occurs,” Barrett said. “Today’s cybercriminal has evolved into a dangerous entity, capable of bringing an organization’s enterprise and business operation to a halt, compounded by long-term financial and reputational hardships – the WannaCry and Petya ransomware attacks from earlier this year are clear examples of the impact this can have on healthcare.”
Healthcare organizations that handle PHI should conduct regular risk assessments and conduct an asset inventory to map how data flows within the entity, Barrett added. This will also help determine the potential enterprise risk should a breach or cyber attack occur.
“Hospitals and healthcare systems need to build security frameworks and risk sharing into their infrastructure by implementing risk-mitigation strategies, preparedness planning, as well as adhering to the regulations created by the Office of the National Coordinator for Health IT (ONC) and the National Institute for Standards and Technology (NIST),” he stated.
However, with the healthcare ecosystem becoming more interconnected, entities must ensure that their business associates or other third-parties with which they conduct business are also mindful of their risk management approaches.
“The security and IT risk management protocols of business associates and other vendors and partners must also be ready for the potential negative consequences of an incident, breach or attack as their risk mitigation preparedness can impact a health system’s operations,” Barrett advised. “The failure to do so can bring devastating consequences.”
HIPAA compliance with regard to mitigating cybersecurity risks and keeping all portal and exchange points secured needs to be a top priority, he noted.
IoT security is also becoming a key healthcare issue, as more entities are implementing and using connected devices. Connected medical devices and BYOD policies should be thoroughly reviewed, ensuring that they align with any utilized security frameworks and are not creating unnecessary risk.
“Cybercriminals can strike when hospital employees, through their cell phones or tablets, connect into an EMR system, informatics or data exchange, unintentionally or intentionally infecting the hospital’s enterprise infrastructure with malware,” Barrett warned. “In fact, more than 1M healthcare apps are developed worldwide on an annual basis.”
“Unfortunately, only a small percentage of those new applications go through a security type review before being launched to the consumer or other stakeholder,” he continued.
Medical device security is extremely critical, Barrett added. A compromised medical device could lead to compromised PHI but could also endanger patient safety. Cyber criminals are ever-evolving their approaches to gain access to sensitive data. Entities need to prepare for the possibility of connected devices becoming inappropriately accessed.
For example, Barrett recalled how the Johnson & Johnson company, Animas Corporation, disclosed in 2016 that potential vulnerabilities were discovered in one of its insulin pumps. A customer letter stated that the Animas OneTouch Ping insulin pump could potentially allow an unauthorized user to gain access to the pump through its unencrypted radio frequency communication system.
“Our industry needs to make protecting these devices and the patients they serve a priority in 2018,” Barrett concluded. “The Federal Drug Administration (FDA) has recently developed some medical device guidelines which are a start but we still have a significant delta to continue to develop further policies, procedures, controls and industry guidance.”