Hospitals need to digitize to stay competitive and create a better patient experience, but increasing the availability of sensitive electronic protected health information (ePHI) opens hospitals up to significant cybersecurity risks if the appropriate protections aren’t in place.
Hospitals need to be able to securely share data without worrying about cyber attacks or data breaches. Proper healthcare cybersecurity helps hospitals protect patient data, reduce costs, and avoid the headaches of HIPAA penalties.
However, most hospitals need to rethink how they do cybersecurity. Healthcare is the most targeted industry, and hospitals are the victims of more than 30% of all large data breaches — so current approaches to cybersecurity clearly aren’t working. Take these five steps to improve the cybersecurity posture of your hospital.
1. Conduct Risk Assessments
HIPAA requires hospitals to conduct risk assessments, so this is both a best practice and a rule. However, you can conduct risk assessments more than just once a year. Schedule them quarterly or any time there’s a big change in the market or your business.
A risk assessment looks at all potential risks and quantifies them. Every hospital has some form of risk, and a risk assessment will help you understand where you are right now and what’s within your power to fix.
2. Train Staff
Eighty-two percent of all cybersecurity breaches occur due to human error. Even the most robust cybersecurity setup requires your employees to be good stewards of your security policies. Humans are fallible, which makes them the weakest link in healthcare cybersecurity. This means your team needs regular training on cybersecurity best practices.
HIPAA requires hospitals to do cybersecurity training once a year, but your team probably won’t retain the information they learned months ago. Plus, annual training won’t educate employees on the latest threats, so it’s best to train your team at least once a month. This will also help you create a security-minded culture.
3. Automatically Patch and Update
Out-of-date software has known vulnerabilities that cyber criminals will discover and exploit. It’s in your hospital’s best interests to update all devices and software to the latest version. This should include IoT-enabled medical devices, which are notorious for being out-of-date.
Ideally, you want automatic updates and patches to your systems so you remove human error (or forgetfulness) from the equation. But if that isn’t possible, your IT team will need to manually update everything on a regular schedule. Set up a recurring calendar appointment and log which systems IT updated so you have a paper trail.
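As an added example (not code from the original post or from Tausight), the following Python script shows the two pieces of the manual-patching routine described above: a report that flags devices running behind the approved version or overdue for their scheduled check, and a tamper-evident log of which systems IT updated, where each record carries a hash of the one before it so a removed or altered entry is detectable. The inventory, product names, version numbers and technician ids are constructed sample data, and the approved-version baseline is a hypothetical list, not a vendor feed.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date
from typing import NamedTuple

# --- Constructed sample data (illustrative only; product names are hypothetical) ---
# Versions the hospital has approved as current for each product.
BASELINE = {
    "ehr-server": "5.3.0",
    "pump-fw": "2.1.0",
    "workstation-os": "10.0.22631",
    "pacs": "7.4",
}

@dataclass
class Device:
    name: str
    product: str
    installed: str      # version string as reported by the device
    last_patched: date
    auto_update: bool   # True if the device receives updates automatically

INVENTORY = [
    Device("ehr-app-01", "ehr-server", "5.2.1", date(2024, 4, 1), False),
    Device("infusion-pump-17", "pump-fw", "2.0.9", date(2023, 11, 15), False),
    Device("ws-nursing-04", "workstation-os", "10.0.22631", date(2024, 5, 28), True),
    Device("pacs-01", "pacs", "7.4", date(2024, 4, 15), False),
]

REPORT_DATE = date(2024, 6, 1)

class Finding(NamedTuple):
    device: str
    issue: str   # "out_of_date" or "manual_check_overdue"
    detail: str

def version_tuple(v):
    """Turn '5.2.1' into (5, 2, 1) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def patch_report(inventory, baseline, today, cadence_days=30):
    """Flag devices behind the approved version, and manually patched devices past their check cadence."""
    findings = []
    for d in inventory:
        target = baseline.get(d.product)
        if target and version_tuple(d.installed) < version_tuple(target):
            findings.append(Finding(d.name, "out_of_date", f"{d.installed} < {target}"))
        age = (today - d.last_patched).days
        if not d.auto_update and age > cadence_days:
            findings.append(Finding(d.name, "manual_check_overdue", f"last patched {age} days ago"))
    return findings

# --- Tamper-evident update log: every record is chained to the previous record's hash ---

def _entry_hash(entry):
    canonical = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def record_update(log, device, from_version, to_version, technician, when):
    """Append an update record to log (a list), linked to the hash of the previous record."""
    prev_hash = log[-1]["hash"] if log else "0" * 64
    entry = {
        "seq": len(log) + 1,
        "device": device,
        "from": from_version,
        "to": to_version,
        "by": technician,
        "date": when.isoformat(),
        "prev_hash": prev_hash,
    }
    entry["hash"] = _entry_hash(entry)   # hash covers every field above
    log.append(entry)
    return entry

def verify_log(log):
    """Recompute the chain; return False if any record was altered, removed or reordered."""
    prev_hash = "0" * 64
    for i, entry in enumerate(log, start=1):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if entry.get("seq") != i or body.get("prev_hash") != prev_hash:
            return False
        if _entry_hash(body) != entry.get("hash"):
            return False
        prev_hash = entry["hash"]
    return True

def run_sample():
    """Produce the report for the sample inventory and log two sample updates."""
    findings = patch_report(INVENTORY, BASELINE, REPORT_DATE)
    log = []
    record_update(log, "ehr-app-01", "5.2.1", "5.3.0", "it-tech-1", REPORT_DATE)
    record_update(log, "infusion-pump-17", "2.0.9", "2.1.0", "biomed-2", REPORT_DATE)
    return findings, log

if __name__ == "__main__":
    findings, log = run_sample()
    for f in findings:
        print(f"{f.device:18} {f.issue:22} {f.detail}")
    print("log intact:", verify_log(log))
```

In a real deployment the inventory would come from your asset-management or MDM export and the log would be written to storage the IT team cannot silently rewrite; the hash chain makes an edit detectable, it does not prevent one.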
4. Implement Access Controls
Hospitals shouldn’t give all their employees unlimited access to ePHI. Access controls not only protect patient privacy but also make it harder for attackers to infiltrate your sensitive systems with a single compromised login.
Access controls are a HIPAA requirement and a healthcare cybersecurity best practice. To implement access control correctly, hospitals should:
- Revoke access when employees no longer need certain data or systems
- Immediately revoke access when employees leave the hospital
- Create unique logins for every user, for every system
- Force users to reset their passwords every 90 days
- Enable multi-factor authentication that verifies identity with tokens, PINs, or biometrics
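The five rules above are the kind of thing a periodic access review checks. As an added example (not code from the original post or from Tausight), this Python script takes an account export and an HR roster and flags every enabled account that breaks one of them: an account belonging to a departed or unknown user, an account nobody has used in 90 days, a password older than 90 days, an account without MFA, and a login shared by more than one person on the same system. The roster, accounts, logins and system names are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import NamedTuple, Optional

# --- Constructed sample input (illustrative only, not real hospital data) ---

# HR roster: user_id -> employment status. Any user missing from HR or marked
# terminated must not hold an enabled account.
HR_ROSTER = {
    "jdoe": "active",
    "asmith": "terminated",
    "bwong": "active",
    "clee": "active",
}

@dataclass
class Account:
    login: str             # login name on the target system
    user_id: str           # the person HR says owns this login
    system: str            # e.g. "ehr", "pacs"
    enabled: bool
    last_login: Optional[date]
    password_set: date     # when the current password was set
    mfa_enabled: bool

REVIEW_DATE = date(2024, 6, 1)

ACCOUNTS = [
    Account("jdoe", "jdoe", "ehr", True, date(2024, 5, 27), date(2024, 5, 2), True),
    # departed employee whose EHR login was never disabled
    Account("asmith", "asmith", "ehr", True, date(2024, 2, 1), date(2024, 1, 10), False),
    Account("asmith", "asmith", "pacs", False, None, date(2024, 1, 10), False),
    Account("bwong", "bwong", "pacs", True, date(2024, 2, 20), date(2024, 5, 22), True),
    Account("clee", "clee", "pacs", True, date(2024, 5, 30), date(2024, 2, 25), False),
    # one shared login on a nursing station used by two people
    Account("nursestation1", "bwong", "ehr", True, date(2024, 5, 31), date(2024, 5, 20), True),
    Account("nursestation1", "clee", "ehr", True, date(2024, 5, 31), date(2024, 5, 20), True),
]

class Finding(NamedTuple):
    login: str
    system: str
    issue: str   # departed_user, stale_access, password_age, mfa_missing or shared_login

def review_access(accounts, roster, today, stale_days=90, pw_max_days=90):
    """Return one Finding per rule violated by each enabled account."""
    findings = []
    users_per_login = {}   # (login, system) -> set of user_ids, to detect shared logins
    for a in accounts:
        if not a.enabled:
            continue   # a disabled account grants no access; nothing to review
        users_per_login.setdefault((a.login, a.system), set()).add(a.user_id)
        if roster.get(a.user_id) != "active":
            findings.append(Finding(a.login, a.system, "departed_user"))
        if a.last_login is None or (today - a.last_login).days > stale_days:
            findings.append(Finding(a.login, a.system, "stale_access"))
        if (today - a.password_set).days > pw_max_days:
            findings.append(Finding(a.login, a.system, "password_age"))
        if not a.mfa_enabled:
            findings.append(Finding(a.login, a.system, "mfa_missing"))
    for (login, system), users in users_per_login.items():
        if len(users) > 1:
            findings.append(Finding(login, system, "shared_login"))
    return findings

def count_by_issue(findings):
    """Summarise findings as {issue: count} for a review report."""
    counts = {}
    for f in findings:
        counts[f.issue] = counts.get(f.issue, 0) + 1
    return counts

def run_sample_review():
    return review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE)

if __name__ == "__main__":
    for f in run_sample_review():
        print(f"{f.system:5} {f.login:14} {f.issue}")
    print(count_by_issue(run_sample_review()))
```

The shared-login check works because the export records who is using each login; if your systems only show the login name, the same check needs a sign-out sheet or badge log to attribute the shared account to people.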
5. Improve Mobile Security
Your staff likely relies on mobile tablets or other devices to serve patients throughout your hospital. This is convenient, but it can pose significant cybersecurity challenges. The ever-growing number of endpoints means the attack surface is expanding at a rapid pace.
If you aren’t securing mobile devices yet, start now: it’s a must for staying HIPAA compliant. This means you should:
- Store ePHI in the cloud and not locally on mobile devices.
- Enable remote wipe in case devices are lost or stolen.
- Encrypt data when it’s in transmission or when it’s at rest — you should never have unencrypted data in your business.
- Install a mobile device management system (MDMS) to manage content, authentication, and more.
Bolster Your Hospital’s Cyber Defenses with Situational ePHI Awareness
We can’t separate healthcare from technology. As the two become more intertwined, hospitals have to continue to innovate. It’s great to add new technologies to your business, but you need the infrastructure and processes to secure your healthcare technologies. It’s not only the right thing to do, but it’s also a HIPAA requirement.
When it’s time to bolster your hospital’s cyber defenses, having visibility into your ePHI is crucial. Without knowing where it’s stored, how it’s used, how it’s accessed, and how it’s shared, you can’t adequately protect sensitive patient data. Tausight’s Situational ePHI Awareness solution provides a consolidated, real-time view into both structured and unstructured PHI across the healthcare continuum, continuous validation of cyber preparedness, and an immutable, off-site audit trail with forensic-level detail for faster cyber recovery. Contact us today to learn how Tausight can help you gain visibility into your ePHI throughout the healthcare ecosystem.