Deploy Advanced Network Monitoring

To combat cyber-security threats, health care organizations should deploy advanced network monitoring tools containing software algorithms and rules that can detect when patient health information is compromised, Jared Rhoads, senior research specialist at CSC, an IT services provider, told eWEEK. The algorithms can flag a threat so that an information security team can respond. “PHI can be detected on a certain port, which should only be for normal Web traffic or unsecured email,” he said. “These are automated tools and pieces of software that monitor things as they’re already happening,” said Rhoads. “Once you get them and put them in place, they work around the clock and they’re extra eyes on this whole problem.”

“Achieving cyber-confidence means the ability to engage securely with patients, partners and others in a context of mutual trust,” Rhoads wrote in his white paper “Enterprise Security in Healthcare: From Cybercompliance to Cyberconfidence.” Performing a comprehensive risk assessment can lead to this cyber-confidence among providers and patients, Rhoads suggested.

In addition to a username and password, health care organizations need to add additional security measures such as scanning a smart card, fingerprint or retina pattern, said Rhoads. Providers should test multifactor authentication so they’re prepared in advanced for the possibility of it becoming a federal requirement, he said.

“Ethical hackers” are experts who are trained to break into a system to educate hospital IT professionals on how to secure their networks. “They’re more crafty, more resourceful than somebody on the inside who’s just going through a risk assessment,” said Rhoads. “They may take some unorthodox approach to getting in some place,” he said. “They’re representative of the real hackers out there who do want to get in.”

Insurance companies such as Chub offer plans for hospitals looking to insure themselves against cyber-crime, Rhoads noted. “If you have an adverse event and get fined $100,000 by [the U.S. Department of Health and Human Services] for a data breach, these insurance policies can kick in,” said Rhoads.

A security service provider is helpful when an IT department has few resources to manage a security infrastructure, said Rhoads. “Keeping up with the latest viruses and malware out there and fighting hackers—that’s not something IT departments want to be spending their time on,” he said.

As large health care organizations enhance their cyber-security, the majority of data breaches will occur at smaller health care organizations and business associates, according to CSC. Small health care businesses include transcriptionists, radiologists, pharmacies and small pharmaceutical companies, CSC reported.

Hospitals can offer an enterprise app store for apps approved for use within an organization, according to CSC. In addition, a safe “sandbox” could allow employees to use apps safely that that have not been officially approved by an organization. Sandboxes allow organizations to execute codes or programs that haven’t been tested.

“Federal and state laws governing health care IT security should be taken as a floor for capabilities, not a ceiling,” Rhoads wrote in his paper. Adhering to the privacy rules in HIPAA and the Health Information Technology for Economic and Clinical Health (HITECH) Act should be the bare minimum for health organization’s security efforts since they provide only “basic guidance and are often vague,” according to Rhoads.

Before connecting medical devices with networks, providers should ensure that they’re free of viruses and other malware, according to Rhoads. With the U.S. Food and Drug Administration regulating updates of medical equipment, providers are often unable to update this hardware. Outdated Windows versions and a lack of security patches can lead to malware infections on medical devices. Providers should isolate medical equipment from a network until the device is reliably secure, said Dr. John D. Halamka, CIO at Beth Israel Deaconess Medical Center (BIDMC) in Boston.