
Cybersecurity Best Practices for Healthcare Providers


Healthcare is becoming more digitized by the day to help streamline workflows and improve proactive patient care. Statistics indicate that for every hospital bed in the United States, there is an average of 10 to 15 connected medical devices being used to collect and transmit patient information.[1]

Hardware and software solutions offer unique challenges and opportunities for cybersecurity. Therefore, it’s important for healthcare organizations to implement cybersecurity best practices to safeguard patient health information from cybercriminals.

Secure Your Connected Medical Devices

Securing connected medical devices is key to mitigating cybersecurity threats. Medical devices should employ access controls to help secure patient data. Below are some examples of access controls that can be incorporated into a connected medical device:

  • Credentials require clinicians to enter their username and password before using a connected medical device.
  • Single sign-on (SSO) can help streamline clinical workflows by eliminating the need to repeatedly type and remember numerous application passwords in devices such as vital signs monitors.[2]
  • Single- or two-factor authentication enables organizations to determine what level of security is required for each situation (e.g., taking vitals may require a different level of security than editing information in the EMR).

It’s important that security does not hinder patient care and that it is mindful of clinical workflow to ensure users do not find workarounds that end up compromising patient data. Therefore, organizations must determine what level of security is required for each situation.

Additionally, clinicians should never share login credentials with anyone inside or outside the organization or remain logged in to a device when not actively using it. These activities expose the organization to the risk that an unauthorized user could gain access to a medical device.

Apply Strong Passwords

Strong passwords can help prevent cybercriminals from gaining unauthorized access to a network by discouraging or slowing them down.[3] When creating a strong password, it’s important that it does not include personal information such as your name, birth date, or the name of a family member or pet.

Here are some characteristics of strong passwords:

  • A minimum of eight characters
  • A combination of letters, numbers and symbols
  • Changed every 90 days
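The characteristics above, together with the personal-information rule, can be enforced when a password is set. The following checker is an added example, not part of the original article; the profile fields, the character-substitution table and the sample profile are assumptions made for illustration.

```python
import re
from datetime import date

MIN_LENGTH = 8       # "A minimum of eight characters"
MAX_AGE_DAYS = 90    # changed every 90 days
# Assumption: common look-alike substitutions undone before the name check.
LEET = str.maketrans("013457@$!", "oieastasi")
# Constructed sample profile (hypothetical user, not real data).
SAMPLE_PROFILE = {"name": "Dana Reyes", "family": "Miguel", "pet": "Biscuit",
                  "birth_date": date(1985, 7, 4)}

def personal_tokens(profile):
    """Collect lowercase name words and common spellings of the birth date."""
    tokens = set()
    for field in ("name", "family", "pet"):
        for word in re.split(r"\W+", profile.get(field, "").lower()):
            if len(word) >= 3:
                tokens.add(word)
    born = profile.get("birth_date")
    if born:
        for fmt in ("%Y", "%m%d", "%d%m", "%m%d%y", "%d%m%y",
                    "%m%d%Y", "%d%m%Y", "%Y%m%d"):
            tokens.add(born.strftime(fmt))
    return tokens

def check_password(password, profile, last_changed, today):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too_short")
    if not (re.search(r"[A-Za-z]", password) and re.search(r"\d", password)
            and re.search(r"[^A-Za-z0-9]", password)):
        problems.append("missing_character_class")
    raw = password.lower()
    normalized = raw.translate(LEET)          # "b1scu!t" -> "biscuit"
    digits = re.sub(r"\D", "", password)      # "07/04" -> "0704"
    for token in personal_tokens(profile):
        # Date tokens are matched against the digits, names against the text.
        haystacks = (digits,) if token.isdigit() else (raw, normalized)
        if any(token in h for h in haystacks):
            problems.append("contains_personal_info")
            break
    if (today - last_changed).days > MAX_AGE_DAYS:
        problems.append("expired")
    return problems
```
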

Fortify Your Network

Cybercriminals commonly acquire patient health information (PHI) through tactics such as phishing and malware. Statistics show that 24% of physicians are unable to identify these specific tactics.[4] To help safeguard your network from untrusted users, it’s vital to only access PHI via secure connections (e.g., secure applications and web portals) and to avoid opening unexpected attachments and clicking on links from unknown senders. Symptoms of an infected computer include:[3]

  • System is not starting normally
  • System is repeatedly crashing
  • Internet browser redirecting to unwanted pages
  • Unwanted popups appearing on the computer screen

Insider threats also put PHI at risk, especially in healthcare. A recent survey from Accenture uncovered that 1 in 5 healthcare employees would sell confidential information to unauthorized parties, proving that internal actors are financially motivated to steal PHI.[5] To protect the organization from malicious actors, be sure to lock computers when not in use and back up data in case information is compromised.

Employ Cybersecurity Training

It’s crucial for employees to undergo regular and comprehensive education on cybersecurity best practices to help protect both PHI and the organization. Cybersecurity education should include a review of HIPAA rules and regulations to avoid violations as well as training on threat identification and reporting.

References
  1. HIT Consultant Media. Protecting Medical Device Security in the Age of Ransomware. https://hitconsultant.net/2018/06/25/medical-device-ransomeware/. Accessed December 6, 2018.
  2. Imprivata. Single sign-on (SSO). https://www.imprivata.com/single-sign-on-sso. Accessed November 26, 2018.
  3. The Office of the National Coordinator for Health Information Technology. Top 10 Tips for Cybersecurity in Health Care. https://www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf. Accessed December 6, 2018.
  4. Becker's Healthcare. 24% of physicians can't identify phishing emails: 5 things to know. https://www.beckershospitalreview.com/cybersecurity/24-of-physicians-can-t-identify-phishing-emails-5-things-to-know.html. Accessed November 1, 2018.
  5. Becker's Healthcare. 1 in 5 health employees willing to sell confidential data: 7 survey insights. https://www.beckershospitalreview.com/cybersecurity/1-in-5-health-employees-willing-to-sell-confidential-data-7-survey-insights.html. Accessed November 1, 2018.