By: Brianna Plush, senior consultant, Cyber Risk Advisory
Cyberattacks are on the rise, and one of the most vulnerable industries is healthcare. Healthcare organizations amass enormous amounts of personally identifiable information (PII), electronic protected health information (ePHI), and other sensitive data records as part of their day-to-day operations. This makes the healthcare field an attractive target for hackers with malicious intent. These threats not only pose a serious risk to the privacy and confidentiality of patient data, but also open the door to potential disruptions in business operations that could hinder efforts to provide proper care to patients.
There are standard cybersecurity measures that healthcare organizations can take to protect their data from cyberattacks, and it all starts with obtaining a thorough understanding of the data at the organization—namely, what data is being stored, who has access to it, where the data is, and where it’s going.
What is the data?
To ensure an organization is well-postured to respond to cyber threats, understanding the nature of the data being handled is paramount. Proper identification and classification of data allows organizations to quickly reference the sensitivity of the information stored in their systems and consider the potential risks of a breach. From there, it’s easier to determine the appropriate ways to treat and handle the data at hand. Any ePHI or PII must be identified and properly managed, as well as anonymized whenever possible.
Performing regular risk assessments can also aid in understanding the nature of the data being handled by the organization and help in identifying areas of vulnerability within each data class.
Who has the data?
Without a proper understanding of and protocol for who has access to data internally, there can be no real assurance that the information is fully protected from individuals outside of the organization. On an individual level, this can be managed by enforcing strict password requirements on work devices, tracking any devices that patient data may pass through or be stored on, and regularly ensuring appropriate security standards, such as the use of anti-virus software, are in place. Network security, meanwhile, must be maintained through the use of Virtual Private Networks (VPNs), firewalls, and other system hardening standards meant to prevent outside users from obtaining entry.
Additionally, access to data in healthcare organizations must be restricted to only those who absolutely require it. It’s important to review access rights periodically to certify that anyone who currently has access to the sensitive data still needs it—and that access is removed for anyone who does not.
Where is the data?
Wherever patient data is stored electronically, it must be protected through the appropriate encryption standards determined by the organization. Regularly backing up this information and monitoring those backups can help prevent the potential loss of this data. Data at healthcare organizations also moves around a lot, so any transmission of sensitive data or information between devices must be encrypted as well to minimize the risk of outside actors intercepting the data.
Understanding the highly sensitive nature of data within the healthcare industry is crucial to building a secure cyber landscape that protects the organization from threats. The general compliance standards for healthcare organizations include HIPAA security and privacy regulations, and these should be enforced where applicable.
The ultimate driver of all cybersecurity protection practices listed above, however, is people. Adequate training and education for all members of the organization is the foundation of every cybersecurity program, because they’re the ones who will enforce these controls and put them into practice.
About the Author:
As a senior consultant in BARR Advisory’s Cyber Risk Advisory practice, Brianna Plush is responsible for planning and executing information technology audits and risk assessments for clients in various highly regulated industries, including healthcare. She is also a certified ISO Lead Auditor and provides support to clients in pursuit of ISO 27001 certification.
Brianna previously worked at EY in the Technology Risk practice supporting Financial Audits, SOC reporting, and Cybersecurity consulting engagements. Brianna earned a Bachelor of Business Administration in Accounting and Finance from Villanova University.