Prioritizing healthcare data security is something that covered entities of all sizes must currently be doing, especially as more organizations implement mobile devices, connect to HIEs, and begin to use connected medical devices.
This is why data security and privacy concerns are no longer “just an IT issue,” explained former DIA Senior Intelligence Officer and Cyber Deputy Division Chief Tyler Cohen Wood. Everybody needs to understand the basic concepts of healthcare cybersecurity, from entry-level employees all the way up to top executives.
Wood, who is currently the Cyber Security Advisor of Inspired eLearning, told HealthITSecurity.com that the best thing that top executives can do is change their mindset about data security, and implement a security education program that teaches security awareness concepts to employees at all levels.
“This is no longer just an IT or developer problem,” maintained Wood. “Everybody has to understand the basic concepts, and by putting together a mandatory education program, it teaches these concepts. You’re going to greatly reduce the risk to your organization and to your company.”
The second step, according to Wood, is to collaborate with similar entities. For example, attorneys could work with an attorney task force. That way, they can see what threats are out there, what types of hacks are being seen. It can provide extra assistance in approaches to healthcare cybersecurity.
“I also recommend getting a security assessment,” Wood added. “Not necessarily a penetration test, but a security assessment on at least a yearly basis to see what your threats are.”
It is especially critical that organizations in the healthcare space understand that cybersecurity threats are now everybody’s problem, she urged, as people’s lives could be at stake.
Using connected devices securely
With the increase in connected medical devices, covered entities need to ensure that they are practicing proper medical device security. According to Wood, it is somewhat concerning how quickly the medical device community is adopting Internet of Things (IoT) technology.
“When you’re talking about someone’s pacemaker or you’re talking about devices that are implanted in someone’s body or are needed to keep somebody alive, security becomes much more critical, and it is mandatory that it is updated and that it is done to the letter of the law.”
Wood added that if devices are being monitored and updated from a phone or tablet application, new risks could potentially be introduced if that mobile device is not properly secured on its own.
Earlier this month, the FDA released draft guidance on medical device cybersecurity. Wood stated that security assessments on the protocols being utilized to communicate with those devices will be essential. Whether an organization is using Wi-Fi or Bluetooth technology, or another approach, it should remain cognizant of security.
“It’s not just the device you have to secure, it’s everything else that is inside, around or touching that device, and communicating with that device,” she said. “The language somewhat talks about that, in this [FDA cybersecurity] draft document. It’s very hard to be that specific but I think that maybe it could be even more specific.”
The importance of healthcare data encryption
One major oversight that Wood has seen is organizations not fully understanding and using end-to-end data encryption, as well as device encryption when the data is at rest.
“I think a few things that really need to be investigated are encryption throughout the entire process,” Wood explained. “Encryption of updating the device and encryption when the device transmits data back to wherever it’s sending it to is important.”
Wood added that it will likely depend on what type of device is being used, but even so, encryption of the data while it remains on the device is essential.
Basic HIPAA compliance is also key, she urged, especially with the use of mobile devices.
“Doing analysis on if you’re using a digital device such as a phone or tablet, and making sure that that device is only used for that one thing is important, and you should make sure it has all of the security measures in place.”
Individuals should also be aware of permissions that certain applications use. For example, sometimes a social media app might say that it will have access to the microphone, text messages, photographs, or even information that is stored on an internal SD card.
If there is unencrypted medical information also on that device, then such an application could potentially gain access to that information as well.
Overall though, Wood maintained that education is going to be critical in strengthening the approach to healthcare cybersecurity. Organizations really need to know what they’re putting on their network.
“Take a look at what you have because we’re moving more and more into these IoT types of devices and are reliant upon them,” she explained. “As you move more into relying on these devices, statistically, you’re going to have more bugs with the more software you introduce, and the more potential for bugs and risk.”
Employees at all levels need to pull their weight when it comes to data security, Wood reiterated, especially as technological changes continue.
“I’m sorry if I sound like a broken record, but everyone needs to do their part. It is not just an IT problem anymore.”