Ten Best Practices For Health Care Cyber Security

While technological advances have contributed to the increased quality of patient care and reduced the cost of providing care, they have also greatly increased the threat of cyber-attacks. The Department of Health and Human Services (“HHS”) found that “health care has the highest cost for data breaches.” Thus, pursuant to the congressional mandate contained in the Cyber-security Act of 2015, HHS, along with partner groups and cyber-security experts, has released guidance on the best practices for addressing the cyber-security threats facing the healthcare industry.[1]

The official position taken is that the practices described are meant for “informational purposes only” and are not “required by nor guarantees compliance with federal, state, or local laws.”[2] While this may be the intention of HHS, under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), the Health Information Technology for Economic and Clinical Health (“HITECH”) Act, and their implementing regulations, part of the basis for determining the amount of a civil penalty assessed against an entity after a breach is whether the entity exercised “reasonable diligence”[3] or whether the breach “was due to reasonable cause and not to willful neglect.”[4] Thus, compliance with the practices in the HHS Guidance will likely be highly relevant to whether an entity’s practices were reasonable when a penalty is assessed against it for a breach of protected health information (“PHI”).

Recent Examples of Cyber Attacks

In recent years there have been numerous stories of health care entities facing cyber-attacks. In one attack in 2016, a private hospital suffered a ransomware attack, freezing all the computers at the hospital.[5]

Patient records, schedules, and documents could not be accessed; many practitioners were required to revert to pen-and-paper documentation while the system was down, and many patients had to be transferred.[6] The hospital was only able to regain access when it paid the ransom demanded, though there is never a guarantee that acquiescing to a malicious actor’s demands will result in regaining control of a system.[7]

In another attack, on an orthopedic practice, more than 500 patient profiles were stolen and put up for sale on the dark web.[8] The data included names, addresses, social security numbers, and other valuable information that can assist in identity theft.[9]

Another case involving a ransomware attack froze a rural hospital’s electronic health record system (“EHR”).[10] While the hospital did not pay the demanded ransom, it did have to replace its entire EHR system.[11] Recently, it was disclosed that an unauthorized party had access to a system at a Missouri rehabilitation center for approximately three months, potentially exposing the data of more than 4,000 patients.[12] The breach was not identified until more than a month after it occurred.

Identification Of The Biggest Threats

HHS identified the five biggest threats facing the healthcare industry: (1) e-mail phishing attacks; (2) ransomware attacks; (3) loss or theft of equipment or data; (4) insider, accidental or intentional data loss; and (5) attacks against connected medical devices that may affect patient safety.[13] HHS defined “threat” as “internal or external activities or events that have the potential to negatively impact the quality, efficiency, and profitability of” an entity.[14] Threats often exploit vulnerabilities in an entity’s system or policies, which “are weaknesses that, if exposed to a threat, may result in harm and, ultimately, some form of loss.”[15]

1. E-Mail Phishing Attack

An e-mail phishing attack is an attempt to trick an entity by sending an e-mail that appears to come from a legitimate source but often carries a link or attachment which, when clicked, may attempt to obtain information from the recipient or infect the system with malicious software (“malware”). When an e-mail is received, the recipient should determine whether it came from a legitimate sender, even if the e-mail appears to come from within the entity. The recipient should check for indicators that something is wrong with the e-mail, such as spelling or grammatical errors. By hovering over the sender’s address or a link (but not clicking), the recipient may be able to determine where the e-mail actually came from or where the link actually leads.

2. Ransomware Attacks

Ransomware is a specific type of malware that denies a user access to data, often by encrypting it so that only the malicious actor holds the key until a ransom is paid. Ransomware may also be used to remove data or install some other form of malware, and it is often delivered through a phishing e-mail.[17]

3. Loss or Theft of Equipment or Data

This can often occur when data is kept on mobile devices, such as laptops, smartphones, tablets, or USB/thumb drives.[18] Loss or theft of such a device can occur easily but can result in a breach of an entity’s system and a breach of patients’ PHI. This recently occurred in Michigan when a laptop belonging to a Blue Cross Blue Shield of Michigan employee was stolen, and 15,000 customers may have had their data breached.[19]

4. Insider, Accidental or Intentional Data Loss

This is a threat that can arise from an honest mistake, a gap in an entity’s procedures, or negligence. It can also happen when an actor inside the entity is seeking to steal information for malicious reasons, such as identity theft.[20]

5. Attacks Against Connected Medical Devices

Medical devices, such as heart monitors, may be connected to a computer network for monitoring purposes. However, a malicious actor that gains access to an entity’s network may also be able to cause harm through access to those medical devices, such as by turning them off or causing them to reboot.

Best Practices Guide

HHS has broken its guidance down based on whether the entity is small, medium, or large.[22] While there is no strict definition, HHS did create a chart to assist practitioners in determining where they may fall.[23] The recommendations fall into ten basic categories: (1) e-mail protection systems; (2) endpoint protection systems; (3) access management; (4) data protection and loss prevention; (5) asset management; (6) network management; (7) vulnerability management; (8) incident response; (9) medical device security; and (10) cyber-security policies. While this article will not address every recommendation, it will discuss some of the recommendations for each category. It should be noted that not every recommendation, or even every category, applies to every entity, and every entity must ensure that the practices it implements are appropriate and reasonable for its business.

1. E-Mail Protection Systems

To help protect against phishing attacks, ransomware attacks, or data loss, practitioners should avoid using free or consumer e-mail systems, such as Yahoo or Gmail, as such systems are not approved to store, process, or transmit PHI.[24] Entities should have spam-filtering and antivirus software installed on their systems and endpoints and ensure that all software is updated and patched regularly. Use of two-factor or multi-factor authentication is also recommended, as is assigning unique user accounts and e-mail addresses to employees.

2. Endpoint Protection Systems

Endpoints are internet-capable devices or other points through which a system can be accessed, such as desktop computers, laptops, or tablets.[25] Administrative authority should be limited to only those accounts necessary to make modifications to a system. Most users should not have the authority to modify a system or install software.[26] Endpoint vulnerabilities should be patched regularly, such as by keeping software updated, and antivirus software should be used that protects against viruses, malware, spam, and ransomware threats. If possible, encryption should be used and firewalls enabled.

3. Access Management

Access management requires “clearly identify[ing] all users and maintain[ing] audit trails that monitor each user’s access to data, applications, systems, and endpoints.”[27] Establishing unique accounts and e-mail addresses for all users, limiting the use of generic accounts, and restricting each user’s access to only what that user needs to do his or her job can help manage who has access to the system. When an employee’s employment is terminated, the entity should immediately terminate that person’s access and unique account. A system should be designed to auto-lock or log off after a period of inactivity, such as 15 minutes.

4. Data Protection and Loss Prevention

Security breaches may occur due to access to or theft of sensitive data, such as PHI, contained on an endpoint, particularly a mobile one.[28] HHS recommends establishing a hierarchy of classification for data and developing policies on how to address incidents at different levels. HHS broke the classifications down into highly sensitive, sensitive, internal, and public.[29] Data in the highly sensitive or sensitive categories would include PHI, social security numbers, or payment information. Access to highly sensitive or sensitive information should be restricted to only those with a reasonable need to access it and only to the extent necessary. Personnel should be trained on the appropriate handling of that information, and an entity may want to consider using EHR systems that satisfy meaningful use criteria. Data should be backed up so that, in the event of loss, it can easily be retrieved for continuation of care.

5. Asset Management

HHS recommends that an entity maintain a complete and accurate inventory of all assets to facilitate optimal security controls. For each asset, the inventory should record the name of the operating system, the host name, the IP address, a means to track when a user last logged on, and the physical location of that access.[30]

6. Network Management

Maintaining network security and responding appropriately when a network is breached is essential to addressing cyber threats. Among the recommendations is a network configuration that restricts access between devices to only that which is reasonably necessary. Network access should also be restricted for third-party vendors or others that may be able to access the system. Finally, access to applications or websites such as Facebook, Twitter, or Amazon should be restricted for personnel who have access to the systems, to limit exposure to cyber threats.

7. Vulnerability Management

An entity should work to identify, manage, and correct vulnerabilities in its system.[31] Performing vulnerability scans on a regular basis, such as once a month, can allow an entity to identify vulnerabilities in the system before a threat can exploit them. As threats can come in many forms, such as forgetting to log off a computer, not locking the door to an office, or running outdated software, a vulnerability scan should be broad in scope. Once vulnerabilities are identified, an entity should correct them, such as by patching software, removing access from an individual who does not need a piece of sensitive information, or ensuring that endpoints are secured, such as by locking the door to an office and ensuring an auto-logoff function is enabled.

8. Incident Response

An entity needs to have a response plan in place in the event of an attack or breach.[32] Members and directors of a response team need to be established. For medium or large practices, this should include legal counsel and the chief compliance officer. In a small practice, this may be the practice owner and/or an office manager with access to the system. Once an incident occurs, the response team should assess the incident and respond according to the policies developed to address the breadth and level of the incident. For instance, in the event of a breach of PHI, this would include following the appropriate notification procedures and closing the source of the breach, such as by removing the offending software and running a malware scan.

9. Medical Device Security

Enabling additional security when an entity connects to medical devices can prevent harm to patients and threats from malicious actors.[33] Such additional measures can include additional encryption for access to medical devices, restricting which processes are allowed to run on medical devices, and requiring complex passwords to access the devices. Software connected to medical devices should be patched regularly to ensure it is up to date and that vulnerabilities have been corrected.[34]

10. Cyber-Security Policies

All entities should have established policies and procedures to address cyber-security and prevent attacks.[35] The policies should establish that an entity takes cyber threats seriously and expects all personnel to adhere to them. The procedures should establish how an entity will respond to various threats, such as whether personnel can take devices connected to a network off the premises and when personnel can access data off-site, what to do in the event that a connected device is lost or stolen, how to prevent phishing attacks, what authority (if any) personnel may have to modify the system or download software, and how to respond to an incident once a threat has materialized.


The extraordinary and rapidly changing nature of the technological landscape has allowed for improved patient care, often at reduced cost to an entity. However, that constantly changing landscape has also exposed the health care industry to greater risk from cyber threats and attacks. Having appropriate practices in place to address those threats will allow health care entities to better protect patients and their information, help prevent a breach of data, and may reduce the penalty assessed against the entity should a breach occur.

[1] Dep’t of Health & Human Servs., Health Industry Cyber-security Practices: Managing Threats and Protecting Patients (Dec. 28, 2018) [hereafter “HHS Guidance”].
[2] Id. at 2.
[3] 45 C.F.R. § 160.404(b)(2)(i).
[4] § 160.404(b)(2)(ii).
[5] Supra note 1, at 7.
[6] Id.
[7] Id.
[8] Id. at 8.
[9] Id.
[10] Id.
[11] Id.
[12] Jessica Davis, Hackers Breach Data of 4,300 Missouri Patients for 3 Months, Health IT Security, Jan. 3, 2019, available at https://healthitsecurity.com/news/hackers-breach-data-of-4300-missouri-patients-for-3-months (last visited Jan. 3, 2019).
[13] Supra note 1, at 14.
[14] Id. at 13.
[15] Id.
[16] Id. at 16.
[17] Id. at 18.
[18] Id. at 20.
[19] Jessica Davis, Blue Cross Blue Shield of Michigan Breach Impacts 15,000 Customers, Health IT Security, Dec. 31, 2018, available at https://healthitsecurity.com/news/blue-cross-blue-shield-of-michigan-breach-impacts-15000-customers (last visited Jan. 3, 2019).
[20] Id. at 22.
[21] Id. at 24.
[22] Dep’t of Health & Human Servs., Technical Volume 1: Cybersecurity Practices for Small Health Care Organizations, at 7 (Dec. 28, 2018) [hereafter “Volume 1”]; Dep’t of Health & Human Servs., Technical Volume 2: Cybersecurity Practices for Medium and Large Health Care Organizations, at 7 (Dec. 28, 2018) [hereafter “Volume 2”].
[23] Supra note 22, Volume 1, at 11.
[24] Id. at 7-9.
[25] Id. at 10.
[26] See LabMD, Inc., No. 9357 (July 28, 2016) (finding a corporation liable for a data breach that occurred as a result of an employee downloading the file-sharing program LimeWire on her computer).
[27] Supra note 22, Volume 1, at 12.
[28] See supra note 19.
[29] Id. at 17-18.
[30] Id. at 17.
[31] Id. at 21.
[32] Id. at 22.
[33] Id. at 24; supra note 22, Volume 2, at 87-99.
[34] Supra note 22, Volume 2, at 89.
[35] Supra note 22, Volume 1, at 25.
