AHIMA Issues Guidance to Help Healthcare Organizations Develop an Effective Cybersecurity Plan
The American Health Management Association (AHIMA) has published guidance to help healthcare organizations develop a comprehensive and effective cybersecurity plan.
In the guidance, AHIMA explains that healthcare organizations must develop, implement and maintain an organization-wide framework for managing information through its entire lifecycle, from its creation to its safe and secure disposal – Termed information governance (IG).
As the Protenus/Databreaches.net monthly healthcare data breach reports show, healthcare data breaches are now occurring at a rate of more than one a day. With the threat of attack greater than ever before, it is essential that healthcare organizations develop an IG program.
Kathy Downing, Vice President, Information Governance, Informatics, Privacy and Security at AHIMA, explains that IG is now critical in an environment where cyberattacks are being experienced by healthcare organizations every day.
Downing cites the June 2017 report from the Healthcare Industry Cybersecurity Taskforce (HCIC), which states “Information governance includes not just IT and security stakeholders, but also information stakeholders, clinical and nonclinical leaders.” HCIC explained, “Governance of information shifts the focus from technology to people, processes, and the policies that generate, use, and manage the data and information required for care.”
To help healthcare organizations, develop, implement, and maintain an effective IG program, AHIMA has developed its step by step guide, which includes 17 actions healthcare organizations can take to complete a cybersecurity plan.
The AHIMA IG Adoption Model™ addresses people, processes, and technology and has been based on ten competency areas, including privacy and security, enterprise information management, IT and data governance, legal and regulatory requirement, and security awareness and adherence.
By developing and maintaining a cybersecurity plan, healthcare organizations can improve their defenses against cyberattacks and prevent costly data breaches.
The 17 steps to develop a complete cybersecurity plan are:
- Conduct a comprehensive, organization-wide risk analysis of all applications and systems
- Recognize health record retention as a cybersecurity issue
- Patch all vulnerable systems and keep software/operating systems up to date
- Deploy advanced endpoint detection systems in addition to standard antivirus/antimalware tools
- Encrypt data on workstations, smartphones, tables and portable media
- Improve access management and identity controls
- Use web filters to block bad traffic
- Implement mobile device management
- Develop an incident response plan
- Monitor audit logs for signs of possible attacks
- Implement intrusion detection systems
- Evaluate business associates
- Use a third-party firm to conduct penetration tests
- Improve anti-phishing controls and conduct phishing simulation exercises
- Prepare a ‘State of the Union’ type presentation for an organization’s leaders on cybersecurity
- Adopt and ally a ‘Defense in Depth’ strategy
- Detect and prevent intrusions
Developing and implementing a cybersecurity plan is only the start. The threat landscape is constantly changing, and healthcare organizations’ IT infrastructures, hardware and software frequently change. It is therefore important to revisit and revise the cybersecurity plan, as appropriate, at least every quarter to ensure it remains comprehensive and effective.
The AHIMA guidance is available for download here.