Cybersecurity best practices are what the industry has found, with trial and error, to be the best way to keep healthcare data secure. However, implementing these practices can be a difficult and tedious process, especially for practices without a full-time computer person on staff. These tasks usually fall to someone at the practice who has no training or experience in the matter but is considered the office’s “computer person”.
In the past, this was workable because computers and networks weren’t very complicated. Cybersecurity wasn’t a concern then, but now it is a primary concern. Every day we see reports of organizations being breached and their data stolen. The problem is that this data belongs to people. It’s our data that is being stolen and used by malicious attackers. Every company or practice stores data about other people on its computers and devices. Cybersecurity has become one of the most important topics in healthcare today.
KLAS Research recently released a white paper that shows just how hard a time small practices are having with cybersecurity best practices.
What are cybersecurity best practices?
The Cybersecurity Act of 2015 required, among other things, that the Department of Health and Human Services (HHS) create a group to develop a system for the healthcare industry to protect patient data. This group produced a document called Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (download here). It outlines 10 cybersecurity best practices for healthcare providers of any size. Following these best practices will reduce risk and help ensure patient data is protected. The document lists these 10 best practices:
- Email protection systems
- Endpoint protection systems
- Access management
- Data protection and loss prevention
- Network management
- Vulnerability management
- Incident response
- Medical device security
- Cybersecurity policies
The problem is that, to the average healthcare worker, most of these are quite difficult to understand. All of them are critical items to address, but finding out how to do so is time-consuming and difficult. Cybersecurity isn’t an easy subject, and if you get it wrong, very bad things can happen.
The KLAS Report
KLAS collected answers from over 600 healthcare organizations to see how well they were adhering to the best practices listed above. The results, predictably, weren’t good.
The report found that smaller practices didn’t have the manpower or budget to address these best practices. Most were unlikely to use multi-factor authentication, they lacked policies on employees bringing their own devices onto practice networks, and detailed disaster recovery plans were missing.
The simple truth is that security is hard and the attacker only needs to be right once. The defender has to be right every time to prevent a breach.
You can view the report here.
How can you best use cybersecurity best practices?
The first step is to download the guidelines issued by HHS (download here). Go through that document and identify the areas you need to address in your own organization. From there, conduct a Risk Assessment so that you document these areas and what is missing.
After you perform your Risk Assessment, begin making changes to the missing or deficient items.
Sounds easy, right? Well, unfortunately, it isn’t. Each of these items takes time and research. On top of that, you must document whatever you decide to implement in your HIPAA policies and procedures. These changes also have to be tested to make sure they don’t disrupt the operation of your practice.
But what is the alternative?
Data breaches are almost inevitable at this point. The world is full of hackers who, for many reasons, want to break in and steal data. Not following cybersecurity best practices is a guarantee that eventually you will be breached. At that point, HIPAA investigations and patient lawsuits are a foregone conclusion.
So while learning about and following these best practices may be difficult or tedious, not doing so is irresponsible to your patients and also illegal. Cybersecurity is now just as much a part of healthcare as the care itself.