Ten Best Practices For Health Care Cyber Security

HHS has broken its guidance down based on whether the entity is small, medium, or large.[22] While there is no strict definition, they did create a chart to assist practitioners in determining where they may fall.[23] However, the recommendations fall into ten basic categories: (1) e-mail protection systems; (2) endpoint protection systems; (3) access management; (4) data protection and loss prevention; (5) asset management; (6) network management; (7) vulnerability management; (8) incident response; (9) medical device security; and (10) cyber-security policies. While this article will not address every recommendation, it will discuss some of the recommendations for each category. It should be noted that not every recommendation or even every category applies to every entity, and every entity must ensure that the practices it implements are appropriate and reasonable for its business.

1. E-Mail Protections Systems

To help protect against phishing attacks, ransomware attacks, or data loss, practitioners should avoid using free or consumer email systems, such as Yahoo or Gmail, as such systems are not approved to store, process or transmit PHI.[24] Entities should have spam and antivirus software installed on its system and endpoints and ensure that all software is updated and patched regularly. Use of two-factor or multi-factor authentication is also recommended, as well as assigning unique user accounts and e-mail addresses to employees.

2. Endpoint Protection Systems

Endpoints are internet-capable devices are areas where a system can be accessed, such as desktop computers, laptops, or tablets. [25] Administrative authority should be limited to only those accounts necessary to make modifications to a system. Most users should not have the authority to modify a system or install software.[26] Endpoint vulnerabilities should regularly be patched, such as by regularly updating the software, and antivirus software should be used which protects against viruses, malware, spam, and ransomware threats. If possible, encryption systems should be used and firewall enabled.

3. Access Management

Access management requires “clearly identify[ing] all users and maintain[ing] audit trails that monitor each user’s access to data, applications, systems, and endpoints.”[27] Establishing unique accounts and e-mail addresses for all users, limiting the use of generic accounts, and restricting the access only to what each user needs to do their jobs can help manage who has access to the system. When an employee’s employment is terminated, the entity should also immediately terminate that person’s access and unique account. A system should be designed to auto-lock or log off after a period of inactivity, such as 15 minutes.

4. Data Protection and Loss Prevention

Security breaches may occur due to access to or theft of sensitive data contained on an endpoint, particularly mobile ones, such as PHI.[28]  HHS recommends establishing a hierarchy of classification for data and developing policies on how to address incidents at different levels. HHS broke the classifications down to highly sensitive, sensitive, internal, and public.[29]  Data in the highly sensitive or sensitive categories would include PHI, social security numbers, or payment information. Access to highly sensitive or sensitive information should be restricted to only those with a reasonable need to access it and only to the extent necessary. Personnel should be trained on the appropriate handling of that information and an entity may want to consider using appropriate EHR systems that satisfy meaningful use criteria. Data should be backed so that in the event of loss, it can easily be retrieved for the continuation of care purposes.

5. Asset Management

HHS recommends that an entity maintain a complete and accurate inventory of all assets to facilitate optimal security controls. Such assets include the name of the operating system, the host name, an IP address, a means to track when a user last logged on, and the physical location of that access.[30]

6. Network Management

Maintaining network security and responding appropriately when a network is breached is essential to addressing cyber threats. Among the recommendations is a network configuration which restricts access between devices to only that which is reasonably necessary. Access to the network should also be restricted to third-party vendors or others that may be able to access the system. Finally, restrict access to applications or websites such as for Facebook, Twitter, or Amazon for personnel who have access to the systems, to limit the exposure to cyber threats.

7. Vulnerability Management

An entity should work to identify, manage, and correct vulnerabilities in its system.[31]  Performing vulnerability scans on the on a regular basis, such as once a month, can allow an entity to identify vulnerabilities in the system before a threat can exploit them. As threats can come in many forms, such forgetting to log-off a computer, not locking the door to an office, or having outdated software, a vulnerability scan should be broadly performed. Once vulnerabilities are identified, an entity should correct the vulnerability, such as by patching software, restricting access to an individual that does not need to access a piece of sensitive information, or ensuring that endpoints are secured, such as by locking the door to an office and ensuring an auto-logoff function is enabled.

8. Incident Response

An entity needs to have a response plan in place in the event of an attack or breach.[32]  Members and directors of a response team need to be established. For medium or large practices, this should include legal counsel and the chief compliance officer. In a small practice, this may be the practice owner and/or an office manager with access to the system. Once an incident occurs, the response team should assess the incident and respond according to the policies developed to address the breadth and level of the incident. For instance, in the event of a breach of PHI, following the appropriate notification procedures and closing the source of the breach, such as removing the offending software and running a malware scan.

9. Medical Device Security

Enabling additional security when an entity connects to medical devices can prevent harm to patients and threats from malicious actors.[33]  Such additional measures can be additional encryption to access medical devices, only allowing the process to run on medical devices, and making complex passwords to access the devices. Software connected to medical devices should be patched regularly to ensure it is up-to-date and that vulnerabilities have been corrected.[34]

10. Cyber-Security Policies

All entities should have established policies and procedures to address cyber-security and prevent attacks.[35]  The policies should establish that an entity takes cyber threats seriously and expects all personnel to adhere to them. the procedures should establish how an entity will respond to various threats, such as whether personnel can take devices connected to a network off of the premises and when personnel can access data off-sight, what to do in the event that a connected device is lost or stolen, how to prevent phishing attacks, what authority (if any) personnel may have to modify the system or download software, and how to respond to an incident once a threat has occurred.