Paubox: securing patient data in healthcare institutions

How can healthcare organisations establish a 'culture' of security?

When security is part of the culture, each member of the organisation accepts personal responsibility for their actions and recognises they’ll be held accountable if they choose not to comply.  Security works better when it is collaborative; employees should have insight into a company’s processes and the knowledge and skills to make smart decisions.

The following steps are a good start to develop a culture of security: 

• Understand your current situation: Are employees actively engaged in the security process and up to date on the latest best practices? Do they know how to alert the organisation when there’s a threat or attempted breach?
• Train employees on their role in cybersecurity: Continually educate your team on your security process and how they play a part in keeping the organisation safe.  
• Department heads must think security-first: Each department leader must be committed to upholding security standards and be a model for their team.  
• Deploy actionable threat intelligence: Leverage threat intelligence technology to quickly identify if your organisation has been compromised, alert the company, and identify where the issue originated.
• Hold employees accountable: When you can trace the origin of a potential hack, you can determine who is responsible. This allows you to hold employees or teams accountable, ensure they correct their mistakes, and foster better security habits.
• Celebrate wins: Reward those who are supporting a culture of security. 

What dangers do they face if they don't implement robust security measures?

Healthcare networks have always carried a target on their backs. They need sensitive personal data to treat patients, making them a worthwhile target for cybercriminals. Hackers infiltrate vulnerable networks and cause millions of dollars of damage, in addition to striking a blow to a company’s reputation. In fact, a 2021 IBM report shows that compromised employee credentials caused the most data breaches, averaging $4.37 million. 

Hackers breach a network with specific goals in mind to steal sensitive information for financial or political gain. One method that hackers leverage to gain access to a network is through advanced persistent threats (APTs). APTs often fly under the radar for prolonged periods of time, leading to detection occurring at an “advanced” stage within the attack, after a breach has been happening for a few months or possibly years. Taking a proactive approach and implementing robust security measures is non-negotiable and ensures a strong line of defence against hackers.

How important is staff training and what should this involve?

As cyberattacks have become more sophisticated, cybersecurity practices have had to evolve to keep pace. Proper employee training, alongside a robust cybersecurity strategy, is important in safeguarding your healthcare organisation. Human error can play a large role in organisations falling victim to data breaches (95% according to Fraud Watch International), further highlighting the importance of awareness, preparation, training and enforcement. 

Effective cybersecurity staff training happens regularly and is consistently evaluated and updated. Employees should be able to recognise and halt attacks before they happen to prevent damage. Organisations can start by consulting a reliable cybersecurity provider to tailor employee training and cybersecurity programs that will protect data.

How can patient data and medical devices specifically be kept secure?

Healthcare organisations must implement strong security measures to protect patient data (protected health information) and medical devices. One way to do this is by transitioning to a cloud-based system for full visibility into activity through a centralised control centre where you can monitor unauthorised access.

A few other ways to ensure the protection of patient data and medical devices:

• Employee training in healthcare organisations lowers the risk of human error by raising awareness of cybersecurity issues. Training topics should address cybersecurity policies and procedures, as well as other relevant topics, such as identifying and blocking malicious emails.
• While deemed as a de facto requirement, email encryption acts as one of the strongest safeguards for PHI sent electronically. 
• Two-factor authentication provides an additional layer of security and has quickly become a best practice to restrict unauthorised access to medical devices and online accounts.
• Keep firewalls up to date.
• Disable all unnecessary ports and services in medical devices.

As more medical devices are now connected to networks, it’s even more important to consider what security controls are in place as well as quality control. Some areas to consider include how firmware is protected from tampering, how stored data is secured, protection of data in transit, and how often firmware is updated and patched. 

Once a data breach or other type of cyber attack happens, what does a good recovery or mitigation plan entail? 

Data breaches occur in a multitude of ways, whether deliberate or accidental. COVID-19 accelerated the number of cyberattacks on healthcare organisations. Business continuity plans (BCP) are a necessity to protect your organisation against breaches and avoid the tedious and expensive recovery process. After a breach occurs, the covered entity needs to take immediate action by conducting a risk assessment to determine what PHI was involved, as well as its nature and extent. The healthcare provider must contain the breach by eliminating access to the compromised system or network or temporarily locking an affected account. 

Depending on risk assessment results, a healthcare provider may then need to advise proper authorities, the US Department of Health and Human Services (HHS) and affected patients. In the end, the Office for Civil Rights (OCR) will most likely perform a compliance review, resolving the case — only if the covered entity indicates corrective action, voluntary compliance and/or provides a resolution agreement.