As healthcare moves further into the digital age, Electronic Health Records (EHRs) hold ever more data, and that data makes them prime targets for criminal activity. It is crucial that your organization takes proactive measures so that its data is protected and not readily available to cybercriminals. Here are five tips that can help protect your organization and the sensitive data it stores from falling into the wrong hands:
1. Perform Risk Assessments Regularly
Don’t underestimate the value of performing routine Risk Assessments. Healthcare organizations are constantly changing and evolving, and each change should be evaluated for the risks it introduces. For example, maybe your organization added a new server, opened a new office location, or changed EHR vendors: all of these changes come with risks that should be properly evaluated, and a Risk Assessment done before the change no longer describes your environment.
Risk Assessments identify gaps in your organization’s administrative, technical, and physical safeguards, potentially sparing you a destructive data breach. They are also required: the HIPAA Security Rule mandates a risk analysis, and in most cases MACRA/MIPS reporting requires one as well.
2. Perform Vulnerability Scans & Penetration Tests
Sometimes referred to as network assessments, vulnerability scans are all about identifying weaknesses in your environment that could be exploited to gain access to ePHI. Networks have become very complex, and a vulnerability scan helps you find misconfigurations and known vulnerabilities before a cybercriminal does. A scan may turn up things such as a hole in the firewall, unpatched systems, and more. Keep in mind that a scanner only reports known issues; it does not exploit them or judge their business impact, so its findings still have to be triaged and fixed.
Once you have performed a vulnerability scan and remediated its findings, it is highly recommended that you follow up with a penetration test. A penetration test, also known as a pen test, goes a step further than scanning: a tester actively attempts to “break in”, chaining together whatever weaknesses remain, which makes it a true test of the risk to your network. These tests are typically performed from outside the network, though testing from inside the network is also valuable because it models a compromised workstation or a malicious insider. A thorough pen test can come with a large price tag, so plan accordingly and account for it in your budget.
3. Utilize Encryption
Encryption is necessary for healthcare organizations to provide adequate protection of patient data, because it is the one safeguard that still holds after other controls have failed. Despite proactive measures, data breaches happen: laptops are stolen, backup drives go missing, email is intercepted. If the ePHI involved is properly encrypted, what the attacker holds is unreadable without the key, and under the HIPAA Breach Notification Rule the loss of PHI that was encrypted in line with HHS guidance is not treated as a reportable breach. So encrypt across the board, from laptop disks to email, and cover data both in transit and at rest. Two caveats apply. Encryption is only as strong as the key management behind it: a key stored next to the data it protects adds nothing. And it does not stop an attacker who logs in with a legitimate user’s credentials, since the system will happily decrypt for them; that is what the other tips in this list are for.
4. Perform Updates & Patch Your Systems
Updating your systems is important for a variety of reasons. Updates repair security holes and fix or remove bugs, and they also add new features and retire those no longer needed.
Cybercriminals prey on unpatched security holes, which can lead to serious trouble for your organization. Once a vulnerability is made public, attackers often write code to exploit it, and a successful exploit lets them infect or take over your systems. WannaCry is the textbook case: the ransomware that wreaked havoc across the healthcare industry in 2017 spread by exploiting a Windows SMB vulnerability (MS17-010) for which Microsoft had already shipped a patch about two months earlier. The systems that fell were the unpatched ones, including Windows-based medical devices.
Security holes are found by attackers and by researchers alike, and vendors generally release patches as quickly as they can once a hole is known. From that point the race is on: every day a known fix sits unapplied is a day the vulnerability can be used against you, so treat patching as a routine, scheduled activity rather than an occasional project.
5. Check Your Audit Logs
Any system used to access or store patient information should be able to produce an audit log showing who accessed patient data, which records they accessed, and when. These logs help ensure that employees look only at the data required to perform their job function, and they serve as a check that inappropriate and unauthorized access is not occurring.
For example, if the audit log for your EHR system shows that one of your employees accessed the system at 3:02 am and viewed 400 patient records, that finding should be a red flag. It is unlikely that legitimate work requires that volume of patient data, especially at that hour. The key is knowing what normal looks like for each role: an account that never works nights and suddenly reads hundreds of charts at 3 am only stands out if you know its baseline.
Remember, it is great that systems are capable of producing these reports, but if you are not routinely checking them and ensuring nothing looks abnormal, the logs are essentially useless. Set a review cadence, and where the volume is too large to read by hand, have a script or your EHR’s reporting tools flag the outliers for you.
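As an added example of the kind of routine check described above (not code from the original article or from any EHR product), the following Go program parses a constructed audit log, counts distinct patient records per user per hour, and flags any hour that exceeds a volume threshold, with a tighter threshold outside working hours. The log line format, user names, patient IDs and threshold values are all assumptions made for the example; a real review would read the EHR's own export format and use thresholds tuned to the organization's baseline.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Entry is one parsed audit record: who touched which patient, and when (UTC).
type Entry struct{ When time.Time; User, Patient string }

// ParseLine reads one constructed audit line such as "2018-06-13T03:02:17Z user=jdoe action=VIEW patient=005000".
// Real EHR exports differ; this layout is an assumption made for the example.
func ParseLine(line string) (Entry, error) {
	f := strings.Fields(line)
	if len(f) != 4 || !strings.HasPrefix(f[1], "user=") || len(f[1]) == len("user=") ||
		!strings.HasPrefix(f[3], "patient=") || len(f[3]) == len("patient=") {
		return Entry{}, fmt.Errorf("malformed line: %q", line)
	}
	when, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return Entry{}, fmt.Errorf("bad timestamp in %q: %v", line, err)
	}
	return Entry{When: when.UTC(), User: f[1][len("user="):], Patient: f[3][len("patient="):]}, nil
}

// Policy holds review thresholds; the values used in main are assumptions for this example.
type Policy struct {
	DayStart, DayEnd int // working hours, [DayStart, DayEnd)
	MaxPerHour       int // distinct patients per hour that is suspicious at any time
	MaxOffHours      int // tighter limit outside working hours
}

// Finding is one user-hour bucket that violated the policy.
type Finding struct {
	User, Reason string
	Hour         time.Time // start of the UTC hour
	Patients     int       // distinct patient records touched in that hour
}

// Review counts distinct patients per user per hour and returns the buckets that break the policy.
// It stops at the first unreadable line rather than skipping it: a log you cannot read needs investigating too.
func Review(lines []string, p Policy) ([]Finding, error) {
	type bucket struct{ user string; hour time.Time }
	seen := map[bucket]map[string]bool{}
	for _, line := range lines {
		e, err := ParseLine(line)
		if err != nil {
			return nil, err
		}
		b := bucket{e.User, e.When.Truncate(time.Hour)}
		if seen[b] == nil {
			seen[b] = map[string]bool{}
		}
		seen[b][e.Patient] = true
	}
	var out []Finding
	for b, patients := range seen {
		n, h := len(patients), b.hour.Hour()
		offHours := h < p.DayStart || h >= p.DayEnd
		switch {
		case n > p.MaxPerHour:
			out = append(out, Finding{b.user, "high-volume access", b.hour, n})
		case offHours && n > p.MaxOffHours:
			out = append(out, Finding{b.user, "off-hours bulk access", b.hour, n})
		}
	}
	sort.Slice(out, func(i, j int) bool { // map iteration order is random; make output stable
		return out[i].User < out[j].User || (out[i].User == out[j].User && out[i].Hour.Before(out[j].Hour))
	})
	return out, nil
}

// SampleLog is constructed data: daytime work by two clinicians, one late-evening lookup,
// and an account viewing 400 distinct records starting at 3:02 am, the red flag described above.
func SampleLog() []string {
	lines := []string{
		"2018-06-12T10:15:02Z user=rnurse action=VIEW patient=000101",
		"2018-06-12T10:17:45Z user=rnurse action=VIEW patient=000102",
		"2018-06-12T14:05:33Z user=drlee action=VIEW patient=000207",
		"2018-06-12T22:10:00Z user=drlee action=VIEW patient=000208",
	}
	for i := 0; i < 400; i++ {
		lines = append(lines, fmt.Sprintf("2018-06-13T03:%02d:%02dZ user=jdoe action=VIEW patient=%06d", 2+i/60, i%60, 5000+i))
	}
	return lines
}

func main() {
	findings, err := Review(SampleLog(), Policy{DayStart: 6, DayEnd: 20, MaxPerHour: 100, MaxOffHours: 10})
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s %-8s %4d distinct patients  %s\n", f.Hour.Format(time.RFC3339), f.User, f.Patients, f.Reason)
	}
}
```

With the constructed log the program reports a single finding, the jdoe account at 03:00 with 400 distinct patients, while the clinician who looked up one record at 22:10 is not flagged: volume relative to the hour, not the clock alone, drives the rule, which is what keeps a legitimate night shift from drowning the review in noise.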