Cybersecurity Best Practices for Healthcare Organizations

The Department of Health and Human Services’ Office for Civil Rights has drawn attention to basic cybersecurity safeguards that can be adopted by healthcare organizations to improve cyber resilience and reduce the impact of attempted cyberattacks.

The advice comes at the end of cybersecurity awareness month – a four-week coordinated effort between government and industry organizations to raise awareness of the importance of cybersecurity.

While all organizations need to implement policies, procedures, and technical solutions to make it harder for hackers to gain access to their systems and data, this is especially important in the healthcare industry. Hackers are actively targeting healthcare organizations as they store large quantities of highly sensitive and valuable data.

Healthcare organization need to ensure that their systems are well protected against cyberattacks, which means investing in technologies to secure the network perimeter, detect intrusions, and block malware and phishing threats. Large healthcare organizations have the resources to invest heavily in cybersecurity solutions, although many smaller HIPAA-covered entities and business associates may struggle to find the necessary funds to devote to cybersecurity.

OCR has reminded HIPAA-covered entities that there are several basic cybersecurity safeguards that can be implemented to improve cyber resilience which only require a relatively small financial investment, yet they can have a major impact on an organization’s cybersecurity posture.

Recommended Cybersecurity Best Practices for Healthcare Organizations

OCR has drawn attention to four cybersecurity safeguards that can significantly reduce the impact of attempted cyberattacks and are also important for HIPAA Security Rule compliance.

Data Encryption

Encryption may only be an addressable implementation specification of the HIPAA Security Rule, but it is one of the most effective cybersecurity safeguards to ensure the confidentiality, integrity, and availability of ePHI. Encryption is the conversion of data to a secure, encrypted form. If correctly applied, data are unintelligible and can only be transformed back to a readable form with a decryption key. Any healthcare organization that has experienced a ransomware attack will be aware of how effective encryption is at preventing data access.

HIPAA-covered entities should assess whether encryption is an appropriate safeguard to implement for data at rest and in motion based on the results of a risk analysis.

Social Engineering Awareness

As the OCR Breach portal shows, email hacking incidents are a common cause of healthcare data breaches. Hackers often use phishing to trick healthcare employees into revealing their email credentials. Phishing is one of the most common and most effective social engineering tactics used by hackers to gain access to ePHI.

Spam filters and other email gateway cybersecurity solutions can reduce the volume of phishing emails that are delivered to mailboxes, but no solution will be able to prevent all phishing emails from being delivered. It is therefore essential for all healthcare employees to be trained how to identify social engineering attacks. Security awareness training can greatly reduce susceptibility to phishing attacks. Regular security awareness training sessions are also a required element of HIPAA Security Rule compliance.

Audit Logs

HIPAA-covered entities are required to create and monitor audit logs. Audit logs contain a record of events related to specific systems, devices, and software. By reviewing audit logs regularly, security teams can identify attempts by unauthorized individuals to gain access to ePHI before they result in a data breach. Audit logs can also be used to reconstruct past events and identify historic data breaches that would otherwise go undetected.

Correct Configuration of Software and Network Devices

Network devices, software, and cloud-based solutions may incorporate all the necessary security controls to prevent unauthorized access, but if the security controls are not correctly configured hackers have an easy entry point into a healthcare network.

Misconfigured S3 buckets, deactivated firewalls, out of date software, and missed patches often lead to healthcare data breaches, and misconfigured audit logs may not record information to allow suspicious activity to be detected. Steps should be taken to ensure that all systems, software, and devices are correctly configured, and regular security audits should be conducted to identify potential vulnerabilities.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.