HIT Summit panel highlights tools designed to help healthcare organizations successfully address cybersecurity risks.
At this week’s Collaborative Care HIT Summit in Baltimore, MD, a panel of experts talked about the urgency of addressing cybersecurity in healthcare organizations. “A war is going on, and we are the good guys. We block 21 million threats every month. Cybersecurity is one of the top risks for most organizations. You have to be focused on this, no matter what our role is,” said Jeff Bontsas, chief information security officer at Ascension Technologies.
Panelist Julie Chua, risk management branch chief, U.S. Department of Health and Human Services (HHS), talked about some of the resources the government has to help healthcare organizations and other stakeholders understand and address cybersecurity issues. Among these is Health Industry Cybersecurity Practice: Managing and Protecting Patients (HICP), a document designed to raise awareness, provide vetted security practices, and move organizations towards consistency in mitigating the most pertinent cybersecurity threats. It also provides guidance on cost-effective methods that healthcare organizations of every size and resource level can use to reduce cybersecurity risks.
The HICP addresses five key threats to healthcare organizations and other stakeholders and offers some quick “threat tips,” among other information, on each, such as:
1. Email phishing attack. Tips include: Know which emails are safe to open by determining if you know the sender and if the URL destination matches the sender; familiarize yourself with your organization’s policies for reporting suspicious emails; and check with colleagues to see if they’ve received the same or similar “phishy” email.
2. Ransomware attack. Tips include: Since most of these attacks come via email, know and follow the process for identifying “phishy” messages; if you discover that your computer has been infected, immediately disconnect from the network and notify your IT security team; and seek professional help—never try to fix this yourself.
3. Loss or theft of equipment or data. Tips include: Follow enhanced security procedures when you travel with a computer or other technology; know your organization’s policy on removing equipment from the workplace; and if your device or equipment is lost or stolen, report it immediately to your supervisor and IT team.
4. Inside, accidental, or incidental data loss. Tips include: Follow your instincts and always report any suspicions or concerns; conduct regular security training sessions to further employee education and awareness; and always consult IT when you or another employee is exposed to a situation of stolen data or employee misconduct.
5. Attacks against connected medical devices that may affect patient safety. Tips include: Know organizational protocols in case of a potential shutdown or attack against medical devices; help patients and staff by understanding processes and procedures; share protocols during onboarding and/or new hire orientation; and make sure all employees know who to ask about medical device security questions and encourage them to ask for new or repeated training if they need it.
There are many other resources available to support organizations in their cybersecurity efforts. For instance, BlueOrange Compliance has a free ebook that addresses the impact of cyberattacks in the healthcare arena, hacker tools and tactics, and cybersecurity best practices. Additionally, LeadingAge offers a Cybersecurity White Paper.