With 2017 winding down, healthcare providers cannot become lackadaisical in their approach to cybersecurity. The New Year will likely not bring brand new data security issues, but rather show why there needs to be a heightened focus on healthcare ransomware, medical device security, and overall HIPAA compliance.
Covered entities and their business associates will need to continuously implement necessary technological tools to keep sensitive data secure. Education and training programs must be regularly updated, as cyber criminals are only going to continue to become more sophisticated and high tech.
The push for value-based healthcare, interoperability, and improved patient engagement measures will all help fuel the need for organizations to work toward comprehensive cybersecurity. Healthcare data breaches in the current technology age could impact an individual’s healthcare information, but could also impact patient safety.
Below, HealthITSecurity.com highlights key focus areas for providers going into 2018.
Working toward ransomware detection, prevention, response
Healthcare ransomware will continue to be a key concern for organizations next year, as it is unlikely that cyber criminals will simply stop the practice. Entities are implementing more connected devices, utilizing EHRs, and connecting to HIEs. This reliance on technology is important for improved patient care, but it also opens organizations up to more potential attacks.
The largest healthcare data breaches from 2017 that were reported to OCR were mainly caused by hacking or IT incidents, including ransomware attacks.
However, entities can work toward improved prevention, detection, and response measures.
Keeping software up to date and ensuring that all necessary security patches are applied in a timely manner is one key step for ransomware prevention. The May 2017 WannaCry ransomware attack is a perfect example, as it targeted Windows-based operating systems (OS), largely spreading through email attachments and malicious links.
“Common best practices should always be followed when dealing with software updates and suspicious e-mails containing links and attachments as the first line of defense against any ransomware or other malware,” ECRI said in guidance released earlier in 2017. “Continuing education should also be provided frequently to all levels of staff to promote awareness of and compliance with these best practices.”
Organizations should also regularly back up their data. Whether information is encrypted or deleted, having a secure backup option will help entities quickly restore regular operations.
ICIT Co-founder and Senior Fellow James Scott told HealthITSecurity.com earlier this year that failing to have data properly backed up is one of the first mistakes a healthcare organization can make when it comes to ransomware prevention.
“It’s not enough to just back up your data in real time,” Scott said. “You have to have an auto disconnect of that external server or hard drive because a worm will find its way in to that backup system.”
Individual files and the entire PC should be backed up, and organizations should also have a system image in place. This is a snapshot of all the files and applications on a system at a particular time.
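The backup advice above (keep a current copy, and do not trust a backup that malware could have reached) can be put into practice as a small verification routine. The following script is an added example, not code from the article, ECRI or ICIT: it copies a folder into a backup directory, records a SHA-256 manifest of every file, and checks the backup against that manifest before any restore, so files that were encrypted in place, deleted, or dropped into the backup (a ransom note, for instance) are reported. The manifest digest returned by `create_backup` is meant to be stored somewhere the backup host cannot write to, which is the programmatic counterpart of Scott's "auto disconnect". The folder names, file names and the simulated damage in `demo()` are all constructed for the example.

```python
"""Backup-with-integrity-manifest demo (added example, not from the article).

Practices shown: back up data, hash every file into a manifest, keep the
manifest digest out of reach of the backup host, and verify the backup
before restoring from it. All sample paths and files are constructed.
"""
from __future__ import annotations

import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

MANIFEST = "manifest.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 (large imaging files should not be read whole)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def create_backup(src: Path, dest_root: Path) -> tuple[Path, str]:
    """Copy src into a new backup directory and write a hash manifest.

    Returns the backup directory and the digest of the manifest itself; the
    caller should store that digest on media the backup host cannot modify.
    """
    backup_dir = dest_root / f"backup-{time.time_ns()}"
    shutil.copytree(src, backup_dir)
    manifest = {
        p.relative_to(backup_dir).as_posix(): sha256_file(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }
    manifest_path = backup_dir / MANIFEST
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return backup_dir, sha256_file(manifest_path)


def verify_backup(backup_dir: Path, manifest_digest: str) -> list[str]:
    """Return a sorted list of problems; an empty list means the backup is intact."""
    manifest_path = backup_dir / MANIFEST
    if not manifest_path.is_file():
        return ["manifest missing"]
    # If the manifest itself no longer matches the offline digest, nothing in
    # this backup can be trusted, so stop here rather than report per file.
    if sha256_file(manifest_path) != manifest_digest:
        return ["manifest altered"]
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, digest in manifest.items():  # files that were encrypted or removed
        p = backup_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    for p in backup_dir.rglob("*"):  # files that appeared after the backup was taken
        rel = p.relative_to(backup_dir).as_posix()
        if p.is_file() and rel != MANIFEST and rel not in manifest:
            problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> tuple[list[str], list[str], list[str]]:
    """Back up a constructed records folder, then simulate damage to the backup."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "records"
        (src / "imaging").mkdir(parents=True)
        (src / "patients.csv").write_text("id,name\n1,constructed sample\n")
        (src / "imaging" / "scan1.dcm").write_bytes(b"\x00" * 128 + b"DICM")
        dest = Path(tmp) / "backups"
        dest.mkdir()
        backup_dir, digest = create_backup(src, dest)
        clean = verify_backup(backup_dir, digest)
        # Simulate a worm reaching a still-connected backup: one file overwritten
        # with ciphertext-like bytes, one deleted, and a ransom note dropped in.
        (backup_dir / "patients.csv").write_bytes(os.urandom(64))
        (backup_dir / "imaging" / "scan1.dcm").unlink()
        (backup_dir / "README_DECRYPT.txt").write_text("constructed ransom note\n")
        damaged = verify_backup(backup_dir, digest)
        # Tampering with the manifest is caught by the digest kept offline.
        (backup_dir / MANIFEST).write_text("{}")
        manifest_tampered = verify_backup(backup_dir, digest)
    return clean, damaged, manifest_tampered


if __name__ == "__main__":
    for label, result in zip(("clean", "damaged", "manifest tampered"), demo()):
        print(f"{label}: {result or 'intact'}")
```

The check runs entirely on the backup copy, so it can be scheduled from a separate host that mounts the backup read-only; the manifest digest is the one value that must live somewhere the production network cannot write to.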
Focusing on medical device security with interoperability push
Medical device security will also continue to be a hot topic for healthcare in 2018, especially as more devices are able to connect to the internet and connect to one another.
Patient safety, data breaches, and the spread of malware were listed as top concerns regarding medical device security, according to the 2017 HIMSS Cybersecurity survey. Approximately one-third (32 percent) of surveyed IT leaders said patient safety was a top worry area with medical device security.
Twenty percent of respondents added that medical devices being susceptible to malware attacks was a key concern.
“Such senior information security leaders know that cyber-attacks on medical devices may lead to serious consequences, especially if the medical device is life-sustaining or life-saving,” report authors stated. “A hacked insulin pump may deliver a fatal bolus of insulin to a patient. A ‘connected’ pacemaker may deliver a fatal shock to a patient.”
There is an increased need for medical devices to be interoperable, Reed Smith Partner Maryanne Woo explained to HealthITSecurity.com in a November 2017 interview. It can be difficult though when different devices are from different manufacturers.
“On average a hospital bed has about 10 to 15 medical devices connected to it at one time,” she said. “And all of them are not made by the same device manufacturer. Everyone has different specialties. They all need to be able to talk to each other. They all need to be able to share data, share information.”
Trouble can arise when those devices are configured with weak security settings, which is sometimes done to ensure the devices are able to communicate with one another.
“If someone from the outside can hack into the MRI machine, hack into the X-ray machine, or can hack into your blood gas analyzer – because none of them are set up to detect malware – then they can go anywhere into the hospital,” Woo explained.
Healthcare organizations should continue to conduct regular risk assessments, and ensure that all medical devices are included in the process. It will also be helpful to stay educated on the latest resources from FDA, HHS, and OCR.
Staying educated on HIPAA regulations
Maintaining HIPAA compliance should always be a top focal point for healthcare organizations, especially as information sharing regulations are put in place and patients continue to have a more active role in their own personal care.
The opioid crisis was declared a national public health emergency in 2017, which further pushed the issue of patient data protection laws into the spotlight. In released guidelines and updates to its website, however, OCR maintained that HIPAA regulations cannot be pushed aside. The agency stressed that HIPAA accounts for, and allows, information to be shared.
“Sharing health information with family and close friends who are involved in care of the patient if the provider determines that doing so is in the best interests of an incapacitated or unconscious patient and the information shared is directly related to the family or friend’s involvement in the patient’s health care or payment of care,” OCR explained in its guidance.
A provider could use her professional judgement to determine that it is necessary to share information on a patient’s overdose and related medical information with the individual’s parents, the agency added. Unrelated medical information, though, could not be shared without the patient’s permission.
“Informing persons in a position to prevent or lessen a serious and imminent threat to a patient’s health or safety,” OCR said. “For example, a doctor whose patient has overdosed on opioids is presumed to have complied with HIPAA if the doctor informs family, friends, or caregivers of the opioid abuse after determining, based on the facts and circumstances, that the patient poses a serious and imminent threat to his or her health through continued opioid abuse upon discharge.”
The 21st Century Cures Act will also continue to have an impact on sharing patient information and HIPAA regulations in 2018.
Some stakeholders were concerned, though, because the Act includes the threat of financial penalties for providers and vendors who fail to meet interoperability thresholds.
The American Hospital Association (AHA) said in response to the 21st Century Cures Act Trusted Exchange Framework and Common Agreement from ONC that there must be a common approach.
“[ONC must] develop a framework and common agreement solely on the connections across information exchange networks and the rules of the road for those entities,” AHA wrote in its letter. “We also recommend that the federal government separately continue to pursue alignment and simplification of the existing privacy and security requirements that apply to health care providers, including those that apply uniquely to federal health care providers.”
“As noted in a recent ONC-funded report by the National Governors Association, these overlapping and sometimes conflicting requirements continue to be an impediment to information exchange.”
Healthcare organizations must ensure that their existing security requirements align with HIPAA rules. Even with issues such as secure health data exchange and the opioid crisis potentially impacting daily operations, entities need to remain educated on federal and state law with regard to patient data security.