End-user security is a critical aspect of overall health data security, especially as more organizations implement technologies that allow employees to be mobile.
HIMSS Privacy and Security Director Lee Kim JD, CISSP, CIPP/US, FHIMSS recently highlighted five key tips for organizations to keep in mind for improving their end-user security.
First, regular backups are essential and they need to be verified on a regular basis as well, Kim explained. This is also consistently stressed by numerous stakeholders and federal agencies.
For example, regular system backups and verification are the most effective approach to ransomware prevention and response, the Software Engineering Institute (SEI) at Carnegie Mellon University stated in a May 2017 blog post.
Backups need to be regularly updated to ensure that an organization’s system can be properly restored should an attack occur. Backups should also be stored on separate systems that cannot be accessed from a network.
“Conduct regular backups of your system and store the backups offline and preferably offsite so that they cannot be accessed through your network,” CERT Division Senior Research Scientist Alexander Volynkin wrote in the blog post, which was co-authored by Jose Morales and Angela Horneman. “For ransomware, offline is more important. For other events, offsite is more important.”
Kim also touched on the importance of keeping backups disconnected from the main network. If using an external hard drive for instance, it should be disconnected from the provider’s system when it is not being used.
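Kim and SEI both stress that backups must be verified, not just taken. As an added example (not code from the article, HIMSS or SEI), the routine below records a SHA-256 manifest when a backup is written and later re-checks the backup copy against it, reporting files that are missing, unexpected, or altered. The backup directory layout, file names and contents are constructed sample data, and `demo()` is a hypothetical driver that simulates one clean check and one after silent corruption and a lost file.

```python
"""Added example (not from the article, HIMSS or SEI): a minimal backup
verification routine. A SHA-256 manifest is written when the backup is
taken; a later check compares the copy on disk with that manifest and
flags missing, unexpected, or altered files. All paths and file contents
below are constructed sample data."""
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large backup archives fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(backup_dir: Path) -> dict:
    """Map each file's backup-relative path to its SHA-256 digest."""
    return {
        str(p.relative_to(backup_dir)).replace("\\", "/"): sha256_of(p)
        for p in sorted(backup_dir.rglob("*"))
        if p.is_file()
    }


def verify_backup(backup_dir: Path, manifest: dict) -> dict:
    """Compare the copy on disk with the manifest recorded at backup time."""
    current = build_manifest(backup_dir)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "altered": sorted(
            name for name, digest in manifest.items()
            if name in current and current[name] != digest
        ),
    }


def backup_is_restorable(report: dict) -> bool:
    """A backup with any missing or altered file cannot be trusted for restore."""
    return not (report["missing"] or report["altered"])


def demo() -> tuple:
    """Hypothetical driver: take a backup, verify it, then damage it and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp) / "backup"
        (backup / "ehr").mkdir(parents=True)
        # constructed sample backup contents
        (backup / "ehr" / "patients.db").write_bytes(b"constructed sample data")
        (backup / "ehr" / "audit.log").write_text("constructed audit line\n")

        # The manifest is kept beside (ideally apart from) the backup copy.
        manifest_path = Path(tmp) / "manifest.json"
        manifest_path.write_text(json.dumps(build_manifest(backup), indent=2))

        clean = verify_backup(backup, json.loads(manifest_path.read_text()))

        # Simulate bit-rot or tampering in one file and loss of another.
        (backup / "ehr" / "patients.db").write_bytes(b"constructed sample datX")
        (backup / "ehr" / "audit.log").unlink()
        damaged = verify_backup(backup, json.loads(manifest_path.read_text()))
        return clean, damaged


if __name__ == "__main__":
    before, after = demo()
    print("fresh backup restorable:", backup_is_restorable(before))
    print("damaged backup report:", after)
```

Store the manifest with the offline copy and on a separate system, so that whatever encrypts or corrupts the backup cannot also rewrite the record it is checked against. A hash check catches silent corruption and missing files but is not a restore test; periodic restores onto a clean system remain the real proof that a backup is usable.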
Healthcare organizations also need to regularly update their web browser, add-ons, extensions, applications, and operating system software to the most current version.
The ECRI Institute also stressed the need for software updates in ransomware guidance that was released in June 2017.
“Common best practices should always be followed when dealing with software updates and suspicious e-mails containing links and attachments as the first line of defense against any ransomware or other malware,” ECRI wrote. “Continuing education should also be provided frequently to all levels of staff to promote awareness of and compliance with these best practices.”
The WannaCry ransomware attack that impacted certain healthcare organizations targeted Windows-based operating systems (OS) and mainly spread through email attachments and malicious links, ECRI stated.
“Several hospitals in the United Kingdom and Indonesia experienced severe disruptions to hospital operations, resulting in cancellation of appointments, postponing of elective surgeries, and diversion of emergency vehicles,” the organization explained. “Unfortunately, any data that was not appropriately backed up has likely been lost in systems infected with WannaCry.”
This aspect also ties into the importance of regular employee training. While technical safeguards can aid in these processes, staff members at all levels should also know not to save passwords or share them with coworkers.
A study published in Healthcare Informatics Research showed that 73 percent of healthcare professionals reported using another staff member’s password to access an EHR at work. Fifty-seven percent of those surveyed also estimated that they had borrowed someone else’s password an average of 4.75 times.
“Unfortunately, the use of passwords is doomed because medical staff members share their passwords with one another,” the researchers explained. “Strict regulations requiring each staff member to have a unique user ID might lead to password sharing and to a decrease in data safety.”
Employees must also know how to recognize suspicious emails, Kim concluded.
“When in doubt, throw it out,” she said. “If you receive a suspicious e-mail (or even a calendar invite), delete it immediately if something seems ‘phishy.’”
OCR called for stronger employee training in its July 2017 Cybersecurity Newsletter, maintaining that regular training is necessary for preventing potential cyber attacks and is also required under the HIPAA Security Rule.
“Using security updates and reminders to quickly communicate new and emerging cybersecurity threats to workforce members such as new social engineering ploys (e.g., fake tech support requests and new phishing scams) and malicious software attacks including new ransomware variants [should be considered],” OCR said.
Computer-based training, classroom training, monthly newsletters, posters, email alerts, and team discussions can also be beneficial, the agency wrote.
“A covered entity’s workforce is its frontline not only in patient care and patient service, but also in safeguarding the privacy and security of its patients’ protected health information (PHI),” OCR stated. “The healthcare sector’s risk landscape continues to grow with the increasing number of interconnected, ‘smart’ devices of all types, the increased use of interconnected medical record and billing systems, and the increased use of applications and cloud computing.”