Understanding how to improve cybersecurity in healthcare is crucial to the wellbeing of patients, as well as the legal and financial standing of healthcare institutions. Cybersecurity issues in healthcare impact everybody, from patients to their families to shareholders.
Improving cybersecurity in healthcare should be of paramount importance to institutions and the IT teams charged with guarding their digital assets and infrastructure.
Establish a Security Culture
Although an all-inclusive checklist does not exist, some obvious steps, such as the following, should be taken.
Frequent Education and Training
All stakeholders within a healthcare organization need to be kept aware of cybersecurity risks. They also need to know their specific role in reducing risk and the mitigation of issues if they arise.
All on-premises workers and those involved in the telemedicine ecosystem should be aware of the Health Insurance Portability and Accountability Act (HIPAA) requirements, including how it impacts telehealth practices. Resources made available by Health–ISAC can be effective educational tools. This organization is dedicated to sharing knowledge about how to address cyber threats to the healthcare industry.
Management Should Not Think They Are Exempted
Management is not above the fray. Members of the management team, particularly due to their higher security clearances, can be high-priority targets for cyber criminals. Therefore, it is critical that management take ownership of their role in an organization’s pro-cybersecurity culture.
Accountability and Taking Responsibility for Information Security
Everyone that comes in contact with sensitive information and systems should be encouraged to embrace the responsibility of protecting them. Furthermore, if someone is lax in fulfilling their cybersecurity role, they should be held accountable, similar to those who make critical errors.
Protect Mobile Devices
Portable storage media have opened a world of opportunities to untether Electronic Health Records (EHRs) from the desktop. Desktop systems are susceptible to various kinds of malware, viruses, ransomware, and the exfiltration of data. However, mobile devices face additional or more acute threats, such as:
- Connections to unsecured Wi-Fi
- Easily broken cryptography
- Connecting to a spoofed network
- Unsecure mobile applications that result in data leakage
Therefore, mobile devices that cannot support encryption should not be used. This may include older devices that otherwise help practitioners offer valuable services to patients. The risk of a data breach is too great.
Maintain Good Computer Habits
Configuration management refers to tracking the configuration states of the components of an IT system. One outdated configuration or an unaddressed vulnerability can expose the entire system to risk. On the other hand, managing configurations reduces the chances of an attacker taking advantage of even relatively new vulnerabilities.
In the healthcare system, because there are so many people interacting with a vast number of endpoints, each application is a potential point of entry. Therefore, software maintenance is crucial. Knowledge of recently discovered vulnerabilities should be incorporated in your cyber defense system, as well as frequent updates that may address security issues.
Operating System (OS) Maintenance
OS maintenance should be another top-level priority. The importance of cybersecurity in healthcare is underscored by the fallout of overtaxed or vulnerable operating systems. To maintain operating systems, IT teams should regularly:
- Perform disk cleanups
- Defragment the hard drive
- Delete temporary files
- Protect the device from malware that could overburden the OS
Use a Firewall
The impact of cyberattacks on healthcare can be significantly reduced with the use of firewalls. A firewall can be set up at various points in your network, protecting assets on either side by filtering traffic and discarding data packets containing threats. Firewalls can also be used to set up secure, encrypted virtual private networks (VPNs) for remote or telehealth workers to access.
Install and Maintain Antivirus Software
You can reduce or eliminate infection incidents by using and maintaining effective antivirus software. A computer with a virus may run slowly, have problems shutting down or restarting, have files missing, display frequent pop-ups, or crash frequently. Even if you have not yet noticed any of the above signs, keep in mind that a lack of antivirus software can lead to the stealing, destruction, or degradation of data.
Plan for the Unexpected
Because you never know when a security incident can happen, it is important to plan for the unexpected. A key automation to improve healthcare cybersecurity is automatic backups, which ensure you have a recent copy of your healthy system ready if you need it. It is best to store your backed-up information apart from your main system to shield it from negative events, including natural disasters, that could affect local infrastructure.
Control Access to Protected Health Information
One of the most effective ways to enhance healthcare cybersecurity is to control access to protected information. Only those who need the information to perform specific job duties should be allowed access to it. In this way, you can reduce the number of incidents that occur as a result of someone leaving their access credentials lying around, as well as disgruntled saboteurs.
For example, a physician may have similar access privileges as a nurse because their roles often overlap, but a billing specialist may not need access to all that a physician or a nurse can see. The key is to let the role of the individual dictate what they are allowed to access.
Use Strong Passwords and Change These Regularly
What Strong Passwords Should Not Include
Your passwords should not incorporate the following:
- Easy-to-guess words
- Birthdays, anniversary dates, or any other publicly available information
- Previously used passwords
- Passwords used for other online accounts
Strong Password Characteristics
Strong passwords tend to have the following characteristics:
- They consist of long, complex combinations of letters, numbers, and characters.
- They do not contain words you can find in the dictionary.
- They are not made up of a predictable series of numbers and letters, such as “JohnSmith12345678.”.
Passwords and Strong Authentication
A password should only be one step in a multi-authentication system. This is because a password can be easily shared with or stolen by the wrong person. Using another identification factor, such as biometric information or a physical device that generates a temporary passcode, will strengthen your defenses.
What About Forgotten Passwords?
If someone forgets their password, there needs to be more than one form of identification required before they are able to reset it. Sending a reset email may not provide adequate security, particularly because their email account may have been compromised as well.
Limit Network Access
When you limit the number of people who can access your network according to their roles, you shrink your attack surface. Only those who need to access the network should be given privileges. Further, you should limit the areas of the network people are allowed to access according to what is needed to perform their jobs.
Control Physical Access
You not only have to control access to data but to the devices that make up an EHR system. Controlling physical access will take into consideration elements of supply chain cybersecurity as well. Doctors, nurses, and even billing staff may not need access to inventory as it arrives, especially computers and endpoints that have not yet been configured or secured.
How Fortinet Can Help
The Fortinet Security Fabric includes a combination of tools that can protect healthcare organizations from cyberattacks. By combining different elements of the Fortinet Security Fabric, facilities and companies can provide secure access for healthcare, protecting patients, employees, and the interests of high-level stakeholders. The Fortinet Security Fabric incorporates:
- FortiGate: Next-generation firewalls (NGFWs) to filter out threats
- FortiSandbox: Sandboxing to contain and study threats, as well as facilitate advanced threat protection
- FortiMail: Secure, high-performance email gateways
- FortiWeb: Web application firewalls (WAFs) that specifically guard web apps
- FortiClient: Endpoint security to safeguard all devices connected to the network
- FortiADC: Application delivery controllers (ADCs) that enable appropriate access, enhance the user experience, and accommodate scalability
- Secure Wi-Fi: Wireless local-area network (WLAN) products for mobile devices, remote monitoring, and Internet-of-Medical-Things (IoMT) devices