The healthcare sector has witnessed rapid technological advancements over the past few decades, with the widespread adoption of electronic health records (EHRs), telemedicine, and the Internet of Medical Things (IoMT). This digital transformation has led to numerous benefits for both patients and healthcare providers, including more efficient patient care, better access to medical services, and improved decision-making based on data-driven insights. However, this increased reliance on technology has also exposed the sector to an ever-growing range of cybersecurity threats.
Cybersecurity in healthcare is a critical concern, as the industry deals with vast amounts of sensitive and valuable information, such as patient records, medical history, and billing information. This data is not only valuable for patient care but also highly attractive to cybercriminals who can use it for identity theft, fraud, and extortion. Additionally, the interconnected nature of modern healthcare systems means that a single security breach can have far-reaching consequences, affecting not just the targeted organisation but also its partners, suppliers, and patients.
In recent years, the healthcare industry has become a prime target for cyberattacks. The nature of these attacks ranges from ransomware, where malicious software encrypts an organisation's data until a ransom is paid, to data breaches, where unauthorised individuals gain access to sensitive information. The impact of such incidents can be severe, leading to financial losses, reputational damage, regulatory fines, and, most importantly, potential harm to patients.
The increasing number of cyberattacks on healthcare organisations highlights the urgent need for a robust cybersecurity strategy that can protect the sensitive data these organizations hold and ensure the continuity of critical services. This requires not only the implementation of advanced security measures but also a comprehensive understanding of the nature, type, and scale of cyber threats in the industry.
In this article, we will discuss five major cybersecurity incidents that have occurred in the healthcare sector, illustrating the potential impact and consequences of such attacks. We will then provide a global overview of cybersecurity in healthcare, exploring statistics that highlight the nature, type, and scale of attacks worldwide. This will give us valuable context for understanding the current state of cybersecurity in healthcare and the challenges the industry faces in addressing these threats.
Following this, we will delve into the main approaches that healthcare organisations can adopt to reduce the risk of cybersecurity attacks. These strategies will include both technological and organisational solutions, emphasising the need for a multi-layered approach to cybersecurity. We will also explore healthcare-specific research on the topic, highlighting the innovative work being conducted by researchers to develop new tools and methods for enhancing cybersecurity in the industry.
By examining these different aspects of cybersecurity in healthcare, we aim to provide a comprehensive overview of the current state of the industry and the various strategies that can be employed to protect sensitive data and systems. As the healthcare sector continues to evolve and embrace new technologies, it is crucial that organisations prioritise cybersecurity to safeguard their patients and ensure the ongoing delivery of high-quality care.
Major Cybersecurity Incidents in Healthcare
The Anthem Data Breach (2015)
The Anthem Data Breach, which took place in 2015, stands out as one of the most significant cybersecurity incidents in the history of the healthcare industry. Anthem Inc., an American health insurance provider and one of the largest Blue Cross and Blue Shield Association members, was targeted by a sophisticated cyberattack that exposed the personal information of nearly 80 million customers. The attackers gained unauthorised access to Anthem's IT systems, compromising a wide range of sensitive data, including names, birthdates, social security numbers, addresses, email addresses, employment information, and income data.
"Given the ease with which these hackers were able to infiltrate Anthem’s databases and make off with tens of millions of customer records, it’s likely we’ll see more large-scale breaches targeting health care providers in the future." -- Brian Krebs, KrebsOnSecurity
The breach was first detected by the company's cybersecurity team in January 2015, when they noticed suspicious activity on the network. Upon further investigation, it became clear that the attackers had been inside Anthem's systems for weeks, giving them ample time to exfiltrate vast amounts of data. The full extent of the breach was confirmed in February 2015, when Anthem publicly disclosed the incident and began notifying affected customers.
The attack on Anthem is believed to have been carried out by a nation-state-sponsored group known as Deep Panda, which has links to China. The group used advanced techniques to gain access to Anthem's systems, including spear-phishing emails targeted at key personnel within the company. Once they had gained a foothold, the attackers moved laterally through the network, deploying custom malware and exploiting vulnerabilities to maintain persistence and evade detection.
The fallout from the Anthem data breach was immense. The company faced a torrent of criticism from customers, regulators, and lawmakers for failing to adequately protect sensitive information. Anthem subsequently agreed to pay a record $115 million settlement to resolve a class-action lawsuit brought by affected customers. Additionally, the company invested heavily in improving its cybersecurity infrastructure and processes, implementing a series of measures to prevent similar incidents in the future.
Brian Krebs, a prominent cybersecurity expert and investigative journalist, offered his analysis of the Anthem data breach on his website, KrebsOnSecurity. He highlighted the incident's significance, stating, "Anthem’s breach is a particularly significant event, not just because of its size but because it is the first time that any large health insurance provider has experienced a major breach of customer data."
Krebs also pointed out the potential implications of the breach on future cyberattacks targeting the healthcare industry, explaining, "Given the ease with which these hackers were able to infiltrate Anthem’s databases and make off with tens of millions of customer records, it’s likely we’ll see more large-scale breaches targeting health care providers in the future."
WannaCry Ransomware Attack (2017)
The WannaCry Ransomware Attack, which occurred in May 2017, was a global cybersecurity incident that had a particularly devastating impact on the healthcare sector. The WannaCry ransomware exploited a vulnerability in Microsoft Windows, known as EternalBlue, which had been leaked by a hacking group called The Shadow Brokers. The attackers used this vulnerability to rapidly propagate the ransomware across networks, encrypting files on affected computers and demanding payment in Bitcoin for their release.
While the WannaCry attack affected numerous industries and organisations worldwide, the healthcare sector was hit especially hard. The UK's National Health Service (NHS) emerged as one of the most severely impacted entities, with more than 200,000 computers across approximately 80 hospital trusts and nearly 600 general practices infected. The attack led to widespread disruption of medical services, as hospitals were forced to divert patients, cancel appointments, and delay critical treatments.
The extent of the WannaCry attack on the NHS can be attributed to several factors. Firstly, many NHS organisations were using outdated and unpatched Windows systems, which left them vulnerable to the EternalBlue exploit. Additionally, the NHS's complex and decentralised IT infrastructure made it difficult to implement security updates and maintain consistent cybersecurity practices across the organisation.
The financial and repetitional impact of the WannaCry attack on the NHS was significant. A report from the UK's National Audit Office estimated that the incident had caused £92 million in damages, which included the cost of IT support, lost output, and the expense of restoring data and systems. The attack also exposed systemic weaknesses in the NHS's approach to cybersecurity and prompted a wave of criticism from the public and government officials.
In response to the WannaCry attack, the NHS and other healthcare organisations around the world took steps to improve their cybersecurity posture. These measures included updating and patching systems, investing in more advanced security tools, enhancing employee training, and implementing better incident response plans. The UK government also announced additional funding for the NHS to bolster its cybersecurity defenses and ensure that the organisation was better prepared for future cyber threats.
SingHealth Data Breach (2018)
The SingHealth Data Breach of 2018 is a prime example of a large-scale cyberattack on a healthcare organisation with far-reaching consequences. SingHealth, Singapore's largest healthcare provider, fell victim to a targeted and sophisticated cyberattack that compromised the personal data and medical records of 1.5 million patients, including Prime Minister Lee Hsien Loong and other high-profile individuals.
The Committee of Inquiry (COI) report on the SingHealth data breach suggested that the attack was likely a state-sponsored cyber espionage operation, indicating that the motive behind the attack was to gather sensitive information and intelligence. The specific nation-state involved was not publicly disclosed in the report.
The breach took place between May and July 2018, with the attackers gaining unauthorised access to SingHealth's IT systems through a well-coordinated phishing campaign. Once inside the network, the perpetrators moved laterally, locating and exfiltrating sensitive patient data, including names, addresses, dates of birth, national identification numbers, and outpatient medical records.
SingHealth first detected the breach on July 4, 2018, and promptly took steps to contain the incident and prevent further data exfiltration. The company notified Singapore's Cyber Security Agency (CSA) and the Ministry of Health, which then conducted a thorough investigation into the incident. The Committee of Inquiry (COI) appointed by the government determined that the attack was likely a state-sponsored cyber espionage operation, although the specific nation-state involved was not publicly disclosed.
The SingHealth data breach had significant repercussions for both the company and the broader healthcare sector in Singapore. In the wake of the incident, SingHealth faced intense scrutiny and criticism for its inadequate cybersecurity measures and failure to protect sensitive patient data. The company was fined SGD 250,000 (approximately USD 183,000) by Singapore's Personal Data Protection Commission for lapses in data security.
"Nation-state attacks have been increasing year by year, and they are going to continue to increase… We've been speaking about cyber-espionage for a long time, but now it's really here." -- Mikko Hyppönen, F-Secure
The incident also prompted a comprehensive review of cybersecurity practices across Singapore's public healthcare sector. As a result, the government established the Public Sector Data Security Review Committee (PSDSRC) to examine data security policies and practices and recommend improvements. Additionally, healthcare organisations in Singapore were urged to invest in better security technologies, enhance employee training, and implement more robust incident response plans to minimise the impact of future attacks.
The Committee of Inquiry (COI) report on the SingHealth data breach, which was released in January 2019, provided an in-depth analysis of the incident and offered recommendations to improve cybersecurity measures in Singapore's public healthcare sector. The key findings of the report are summarised as follows:
The attackers demonstrated advanced techniques and persistence: The COI found that the cyberattack was a carefully planned, targeted, and sophisticated operation, likely carried out by a nation-state-sponsored group. The attackers had a clear understanding of the SingHealth IT infrastructure and were persistent in their efforts to access and exfiltrate sensitive data.
SingHealth's IT systems had multiple vulnerabilities: The report identified several weaknesses in SingHealth's cybersecurity measures, including inadequate network segmentation, outdated software, insufficient monitoring of privileged user activities, and a lack of incident response plans.
The response to the breach was slow and uncoordinated: The COI found that there was a significant delay between the detection of the breach and the initiation of containment measures. Furthermore, the incident response was hampered by poor communication and coordination among the various stakeholders, including SingHealth's IT staff, the Integrated Health Information Systems (IHiS), and the Cyber Security Agency of Singapore (CSA).
The need for a culture of cybersecurity: The COI report emphasised that a strong culture of cybersecurity is essential for protecting sensitive information in the healthcare sector. This includes the need for continuous education and training, a proactive approach to identifying and addressing vulnerabilities, and fostering a sense of shared responsibility among all employees.
Based on these findings, the COI report made several recommendations to enhance cybersecurity in Singapore's public healthcare sector. These recommendations included strengthening the security of electronic medical records, improving network segmentation, enhancing monitoring and detection capabilities, implementing robust incident response plans, and cultivating a culture of cybersecurity awareness among healthcare professionals.
Mikko Hyppönen, a renowned cybersecurity expert and the Chief Research Officer of F-Secure, commented on the SingHealth data breach in an interview with Channel NewsAsia. Hyppönen discussed the significance of the incident and its implications for the cybersecurity landscape.
Hyppönen highlighted the increasing trend of nation-state sponsored attacks, stating, "Nation-state attacks have been increasing year by year, and they are going to continue to increase… We've been speaking about cyber-espionage for a long time, but now it's really here."
Regarding the SingHealth breach, Hyppönen emphasised the importance of learning from the incident and improving cybersecurity measures. He suggested, "The right way to react when a country gets hit by a nation-state attacker is not to panic… it's to learn from it, and prepare for the next attack, because there will be a next attack."
Universal Health Services (UHS) Ransomware Attack (2020)
The Universal Health Services (UHS) ransomware attack in September 2020 was a significant cybersecurity incident that affected a major American healthcare provider, resulting in widespread disruption to patient care and substantial financial losses. UHS operates over 400 facilities, including hospitals, behavioural health centres, and physician practices across the United States and the United Kingdom.
The attack was initiated by the Ryuk ransomware, which infiltrated UHS's network and began encrypting critical systems and files. The ransomware locked healthcare providers out of electronic health records (EHRs) and other essential systems, forcing many UHS facilities to revert to manual, paper-based processes. As a result, hospitals had to divert patients, delay treatments, and cancel surgeries, significantly impacting patient care.
In response to the attack, UHS quickly shut down its systems to prevent further damage and began working to restore the affected infrastructure. The company collaborated with cybersecurity experts, law enforcement agencies, and regulatory authorities to investigate the incident and develop a comprehensive recovery plan.
The financial impact of the UHS ransomware attack was substantial. The company reported a loss of $67 million, which included the cost of IT support, lost revenue, and expenses related to restoring affected systems and data. The attack also had repetitional consequences for UHS, raising questions about the organisation's cybersecurity preparedness and its ability to safeguard sensitive patient information.
Finnish Psychotherapy Centre Attack (2020)
In 2020, a Finnish psychotherapy centre, Vastaamo, experienced a particularly distressing data breach that exposed sensitive patient data, including therapy session notes, personal identification numbers, and contact information. The cybercriminals behind the attack not only targeted the centre itself but also sought to extort money from the affected patients by threatening to release their confidential therapy records publicly.
The attackers gained unauthorised access to Vastaamo's patient database and exfiltrated the data over an extended period. The breach was discovered in September 2020, with the cybercriminals demanding a ransom from Vastaamo in exchange for not releasing the stolen data. When the therapy centre refused to pay the ransom, the attackers took the unprecedented step of contacting individual patients and threatening to publish their private therapy notes if they did not pay the ransom themselves.
The breach caused significant distress for the affected patients, many of whom feared the public exposure of their most personal and sensitive information. The incident also had severe consequences for Vastaamo, leading to the resignation of the company's CEO and board members and, ultimately, the bankruptcy of the organisation.
Main Approaches to Reducing Cybersecurity Attacks
Employee Training and Awareness: Educating employees about cybersecurity risks, including phishing and social engineering attacks, is crucial for protecting sensitive data.
Regular Security Assessments: Conducting vulnerability assessments and penetration testing helps identify weaknesses in the system and potential areas of exploitation.
Multi-Factor Authentication (MFA): Implementing MFA adds an extra layer of security, making it harder for attackers to gain unauthorized access.
Robust Backup and Recovery Plans: Regular data backups and tested recovery plans can minimize the impact of ransomware attacks and reduce downtime.
Network Segmentation: Separating critical systems and data from other networks can limit the potential spread of an attack.
Research on Cybersecurity in Healthcare
Healthcare-specific research plays a crucial role in addressing the growing challenge of cybersecurity threats in the industry. Several key areas of research and development focus on understanding the unique aspects of the healthcare sector and finding effective solutions to safeguard sensitive patient data and ensure the continuity of patient care.
Medical device security: Medical devices, such as pacemakers, insulin pumps, and imaging equipment, are increasingly interconnected, creating potential vulnerabilities that cybercriminals can exploit. Research in this area explores techniques to enhance the security of these devices, including encryption, secure communication protocols, and robust access controls.
Electronic Health Record (EHR) security: EHRs contain sensitive patient information and are a prime target for cybercriminals. Research efforts are focused on developing improved security measures for EHRs, such as advanced encryption techniques, data anonymisation, and multi-factor authentication to protect patient data from unauthorised access.
Security awareness and training for healthcare professionals: Human error remains a significant factor in many cybersecurity incidents, making it essential to educate healthcare professionals about potential threats and best practices. Research in this area aims to develop effective training programs, simulations, and awareness campaigns to increase the cybersecurity knowledge of healthcare staff.
Secure telemedicine and remote patient monitoring: With the rise of telemedicine and remote patient monitoring, securing patient data transmitted over the internet has become increasingly important. Researchers are working on developing secure communication protocols, end-to-end encryption, and robust authentication methods to protect patient data during telemedicine consultations and remote monitoring.
Artificial Intelligence (AI) and Machine Learning (ML) for threat detection: AI and ML techniques are being explored to enhance the detection and response to cybersecurity threats in the healthcare sector. These technologies can help identify patterns and anomalies in network traffic, detect intrusions, and predict potential vulnerabilities, enabling healthcare organisations to respond more effectively to cyberattacks.
Privacy-preserving data sharing and analysis: Healthcare organisations often need to share patient data for research or collaboration purposes. Research in this area focuses on developing techniques that allow for secure data sharing and analysis while preserving patient privacy, such as federated learning, differential privacy, and homomorphic encryption.
Incident response and recovery strategies: Effective incident response and recovery plans are crucial in mitigating the impact of cybersecurity incidents in healthcare. Researchers are working on developing best practices, guidelines, and frameworks to help healthcare organisations respond to and recover from cyberattacks more efficiently and effectively.
In conclusion, the pervasive and severe nature of cybersecurity threats in the healthcare sector underscores the urgent need for a coordinated, robust, and comprehensive response. The healthcare industry's susceptibility to cyberattacks has far-reaching consequences, impacting not only the privacy and security of sensitive patient data but also the ability of healthcare providers to deliver timely and effective care.
The alarming increase in cyberattacks targeting healthcare organisations, as evidenced by numerous high-profile incidents, signals a disturbing trend that demands immediate attention. The rapid evolution of cyber threats necessitates continuous research and development to identify and implement effective countermeasures tailored to the unique challenges of the healthcare environment.
As this article has demonstrated, the stakes are extraordinarily high, and failure to address these threats adequately could have dire consequences. While researchers and healthcare professionals work tirelessly to develop and deploy effective security measures, it is incumbent upon healthcare organisations, government agencies, and the broader cybersecurity community to collaborate and share knowledge, expertise, and resources in a concerted effort to combat the relentless onslaught of cyber threats.
The sobering reality is that the healthcare industry will likely continue to face ever more sophisticated and persistent cyberattacks. As such, a proactive, multi-faceted, and collaborative approach to healthcare cybersecurity is not merely advisable; it is indispensable. In an age where cyber threats pose an existential threat to the healthcare sector, complacency is not an option. The future of patient privacy, trust in the healthcare system, and the very essence of patient care itself depends on our collective ability to confront and address the challenge of cybersecurity in healthcare.
DHHS USA: Top 10 Tips for Cybersecurity in Health Care
1. Establish a Security Culture
2. Protect Mobile Devices
3. Maintain Good Computer Habits
4. Use a Firewall
5. Install and Maintain Anti-Virus Software
6. Plan for the Unexpected
7. Control Access to Protected Health Information
8. Use Strong Passwords and Change Them Regularly 9. Limit Network Access
10. Control Physical Access
1. Establish a Security Culture
Security professionals are unanimous: The weakest link in any computer system is the user.
Researchers who study the psychology and sociology of Information Technology (IT) users have demonstrated time and again how very difficult it is to raise people’s awareness about threats and vulnerabilities that can jeopardize the information they work with daily. The tips in this document describe some ways to reduce the risk, decreasing the likelihood that patients’ personal health information will be exposed to unauthorized disclosure, alteration, and destruction or denial of access. But none of these measures can be effective unless the health care practice is willing and able to implement them, to enforce policies that require these safeguards to be used, and to effectively and proactively train all users so that they are sensitized to the importance of information security. In short, each health care practice must instill and support a security-minded organizational culture.
One of the most challenging aspects of instilling a security focus among users is overcoming the perception that “it can’t happen to me.” People, regardless of their level of education or IT sophistication, are alike in believing that they “will never succumb to sloppy practices or place patient information at risk. That only happens to other people.”
The checklists included in this document are one proven way to overcome the human blind spot with respect to information security. By following a set of prescribed practices and checking them each time, at least some of the errors due to overconfidence can be avoided. But checklists alone are not enough. It is incumbent on any organization where lives are at stake to support proper information security through establishing a culture of security. Every person in the organization must subscribe to a shared vision of information security so that habits and practices are automatic.
Security practices must be built in, not bolted on.
No checklist can adequately describe all that must be done to establish an organization’s security culture, but there are some obvious steps that must be taken:
Education and training must be frequent and ongoing.
Those who manage and direct the work of others must set a good example and resist thetemptation to indulge in exceptionalism.
Accountability and taking responsibility for information security must be among theorganization’s core values.
Protecting patients through good information security practices should be as second nature to the health care organization as sanitary practices.
2. Protect Mobile Devices
Mobile devices — laptop computers, handhelds, smartphones, portable storage media — have opened a world of opportunities to untether Electronic Health Records (EHRs) from the desktop. But these opportunities also present threats to information privacy and security. Some of these threats overlap those of the desktop world, but others are unique to mobile devices.
Because of their mobility, these devices are easy to lose and vulnerable to theft.
Mobile devices are more likely than stationary ones to be exposed to electromagnetic interference, especially from other medical devices. This interference can corrupt the information stored on a mobile device.
Because mobile devices may be used in places where the device can be seen by others, extra care must be taken by the user to prevent unauthorized viewing of the electronic health information displayed on a laptop or handheld device.
Not all mobile devices are equipped with strong authentication and access controls. Extra steps may be necessary to secure mobile devices from unauthorized use. Laptops should have password protection similar to the examples in Tip 8. Many handheld devices can be configured with password protection, and these protections should be enabled when available. If password protection is not provided, additional steps must be taken to protect electronic health information on the handheld, including extra precaution over the physical control of the device.
Laptop computers and handheld devices are often used to transmit and receive data wirelessly. These wireless communications must be protected from eavesdropping and interception (Tip 9 describes wireless network protection). Cybersecurity experts recommend not transmitting electronic health information across public networks without encryption.
Transporting data with mobile devices is inherently risky. There must be an overriding justification for this practice that rises above mere convenience. The U.S. Department of Health and Human Services (HHS) has developed guidance on the risks and possible mitigation strategies for remote use of and access to electronic health information.1
Where it is absolutely necessary to commit electronic health information to a mobile device, cybersecurity experts recommend that the data be encrypted. Mobile devices that cannot support encryption should not be used. Encrypted devices are readily obtainable at a modest cost — much less than the cost of mitigating a data breach.
If it is absolutely necessary to take a laptop containing electronic health information out of a secure area, you should protect the information on the laptop's hard drive through encryption.
Policies specifying the circumstances under which devices may be removed from the facility are very important, and all due care must be taken in developing and enforcing these policies. The primary goal is to protect the patient's information, so considerations of convenience or custom (e.g., working from home) must be considered in that light.
3. Maintain Good Computer Habits
The medical practitioner is familiar with the importance of healthy habits to maintain good health and reduce the risk of infection and disease. The same is true for IT systems, including EHR systems — they must be properly maintained so that they will continue to function properly and reliably in a manner that respects the importance and the sensitive nature of the information stored within them. As with any health regimen, simple measures go a long way.
But I Need to Work at Home
In today's increasingly mobile world, it is certainly tempting to use mobile technology to break away from the office and perform work from the comfort of home. Those who have responsibility for protecting patient information must recognize that this responsibility does not end at the office door. Good privacy and security practices must always be followed.
New computers and software packages are delivered with a dizzying array of options and little guidance on how to configure them so that the system is secure. In the face of this complexity, it can be difficult to know what options to permit and which to turn off. While a publication of this length cannot go into detail on this topic, there are some rules of thumb:
Uninstall any software application that is not essential to running the practice (e.g., games, instant message clients, photo-sharing tools). If the purpose of a software application is not obvious, look at the software company’s web site to learn more about the application’s purposes and uses. Also check with the EHR developer to see if the software is critical to the EHR’s function.
Do not simply accept defaults or “standard” configurations when installing software.
Step through each option, understand the choices, and obtain technical assistance where necessary.
Find out whether the EHR vendor maintains an open connection to the installed software (a “back door”) in order to provide updates and support. If so, ensure a secure connection at the firewall and request that this access be disabled when not in use.
Disable remote file sharing and remote printing within the operating system configuration. Allowing these could result in the accidental sharing or printing of files to locations where unauthorized individuals could access them.
Most software requires periodic updating to keep it secure and to add features. Vendors may send out updates in various ways, including automated downloads and customer-requested downloads.
Keeping software up-to-date is critical to maintaining a secure system, since many of these updates address newly found vulnerabilities in the product. In larger enterprises, this “patching” can be a daily task, where multiple vendors may issue frequent updates. In the small practice, there may not be the resources to continually monitor for new updates and apply them in good time. Small practices may instead wish to automate updates to occur weekly (e.g., use Microsoft Windows Automatic Update). However, practices should monitor for critical and urgent patches and updates that require immediate attention. Messages from vendors regarding these patches and updates should be monitored and acted upon as soon as possible.
Operating System (OS) Maintenance
Over time, an operational system tends to accumulate outdated information and settings unless regular maintenance is performed. Just as medical supplies have to be monitored for their expiration dates, material that is out-of-date on a computer system must be dealt with. Things to check include:
• User accounts for former employees are appropriately and timely disabled. If an employee is to be involuntarily terminated, disable access to the account before the notice of termination is served.
• Computers and any other devices, such as copy machines, that have had data stored on them are “sanitized” before disposal. Even if all the data on a hard drive has been deleted, it can still be recovered with commonly available tools. To avoid the possibility of an unintended data breach, follow the guidelines for disposal found in the National Institute of Standards and Technology (NIST) Special Publication 800-88 “Guidelines for Media Sanitation.”
• Old data files are archived for storage if needed, or cleaned off the system if not needed, subject to applicable data retention requirements.
How do you know if staff members have downloaded programs they are not supposed to?
There are several commercial applications and services (e.g., anti-malware and anti-virus programs) that can be set up to report or even stop the download of rogue/unapproved software. They can conduct vulnerability and configuration scans, and some applications/services can conduct general security audits as well (e.g., other technical, administrative, and physical safeguards). Work with your IT team or other resources to perform malware, vulnerability, configuration, and other security audits on a regular basis.
4. Use a Firewall
Unless a small practice uses an EHR system that is totally disconnected from the Internet, it should have a firewall to protect against intrusions and threats from outside sources. While anti-virus software will help to find and destroy malicious software that has already entered, a firewall's job is to prevent intruders from entering in the first place. In short, the anti-virus can be thought of as infection control while the firewall has the role of disease prevention.
A firewall can take the form of a software product or a hardware device. In either case, its job is to inspect all messages coming into the system from the outside (either from the Internet or from a local network) and decide, according to pre-determined criteria, whether the message should be allowed in.
Configuring a firewall can be technically complicated, and hardware firewalls should be configured by trained technical personnel. Software firewalls, on the other hand, are often pre-configured with common settings that tend to be useful in many situations. Software firewalls are included with some popular operating systems, providing protection at the installation stage. Alternatively, separate firewall software is widely available from computer security vendors, including most of the suppliers of anti-virus software. Both types of firewall software normally provide technical support and configuration guidance to enable successful configuration by users without technical expertise.
When should a hardware firewall be used?
Large practices that use a Local Area Network (LAN) should consider a hardware firewall. A hardware firewall sits between the LAN and the Internet, providing centralized management of firewall settings. This increases the security of the LAN, since it ensures that the firewall settings are uniform for all users.
If a hardware firewall is used, it should be configured, monitored, and maintained by a specialist in this subject.
5. Install and Maintain Anti-Virus Software
The primary way that attackers compromise computers in the small office is through viruses and similar code that exploits vulnerabilities on the machine. These vulnerabilities are ubiquitous due to the nature of the computing environment. Even a computer that has all of the latest security updates to its operating system and applications may still be at risk because of previously undetected flaws. In addition, computers can become infected by seemingly innocent outside sources such as CDs, email, flash drives, and web downloads. Therefore, it is important to use a product that provides continuously updated protection. Anti-virus software is widely available, well-tested to be reliable, and costs relatively little.
After implementation of EHRs, it is important to keep anti-virus software up-to-date. Anti-virus products require regular updates from the vendor in order to protect against the newest computer viruses and malware. Most anti-virus software automatically generates reminders about these updates, and many are configurable to allow for automated updating.
Without anti-virus software, data may be stolen, destroyed, or defaced, and attackers could take control of the machine.
How can users recognize a computer virus infection?
Some typical symptoms of an infected computer include:
- System will not start normally (e.g., “blue screen of death”)
- System repeatedly crashes for no obvious reason
- Internet browser goes to unwanted web pages
- Anti-virus software does not appear to be working
- Many unwanted advertisements pop up on the screen
- The user cannot control the mouse/pointer
6. Plan for the Unexpected
Sooner or later, the unexpected will happen. Fire, flood, hurricane, earthquake, and other natural or man-made disasters can strike at any time. Important health care records and other vital assets must be protected against loss from these events. There are two key parts to this practice: creating backups and having a sound recovery plan.
In the world of business, creating a backup is routine. In the small practice, however, it may be that the staff members are only familiar with a home computing environment, where backups are rarely considered until a crash happens, by which time it is too late. From the first day a new EHR is functioning in a practice, the information must be backed up regularly and reliably. A reliable backup is one that can be counted on in an emergency, so it is important not only that all the data be correctly captured, but that it can quickly and accurately be restored. Backup media must be tested regularly for their ability to restore properly.
Whatever medium is used to hold the backup (e.g., magnetic tape, CD, DVD, removable hard drive), it must be stored safely so that it cannot be wiped out by the same disaster that befalls the main system. Depending on the local geography or type of risk, this could mean that backups should be stored many miles away. One emerging option for backup storage is cloud computing, which may be a viable option for many, since it involves no hardware investment and little technical expertise. However, cloud backup must be selected with care. The backed-up data must be as secure as the original.
Critical files can be manually copied onto backup media, although this can be tedious and potentially error-prone. If possible, an automated backup method should be used.
Some types of backup media are reusable, such as magnetic tape and removable hard drives. These media can wear out over time and after multiple backup cycles. It is especially important to test them for reliable restore operations as they age.
Storage of backup media must be protected with the same type of access controls as described in Tips 7 and 10. The Contingency Planning Safety Assurance Factors for EHR Resilience (SAFER) Guide identifies recommended safety practices associated with planned or unplanned EHR unavailability.
Recovery planning must be done so that when an emergency occurs, there is a clear procedure in place. In a disaster, it is possible that health care practices will be called upon to supply medical records and information rapidly. The practice must be prepared to access their backups and restore functionality, which requires knowledge about what data was backed up, when the backups were done (timeframe and frequency), where the backups are stored, and what types of equipment are needed to restore them. If possible, this information must be placed for safekeeping at a remote location where someone has responsibility for producing it in the event of emergency.
Is it OK to store my backup media at home?
A fireproof, permanently installed home safe, which only the health care provider knows the combination for, may be the most feasible choice for many practices to store backup media. This would not place the backup out of the danger zone of a widespread disaster (earthquake, hurricane, nuclear), but it would provide some safety against local emergencies such as fire and flood. Fireproof portable boxes or safes where non-staff have the combination are inadequate.
7. Control Access to Protected Health Information
To minimize the risk to electronic health information when effectively setting up EHR systems,
Tip 8 discusses the importance of passwords. The password, however, is only half of what makes up a computer user’s credentials. The other half is the user’s identity, or user name. In most computer systems, these credentials (user name and password) are used as part of an access control system in which users are assigned certain rights to access the data within. This access control system might be part of an operating system (e.g., Windows) or built into a particular application (e.g., an e-prescribing module); often both are true. In any case, configure your EHR implementation to grant electronic health information access only to people with a “need to know.”
For many situations in small practices, setting file access permissions may be done manually, using an access control list. This can only be done by someone with authorized rights to the system. Prior to setting these permissions, it is important to identify which files should be accessible to which staff members.
Additional access controls that may be configured include role-based access control, in which a staff member’s role within the practice (e.g., physician, nurse, billing specialist) determines what information may be accessed. In this case, care must be taken to assign staff to the correct roles and then to set the access permissions for each role correctly with respect to the need to know.
The combination of regulations and the varieties of access control possibilities make this one of the more complex processes involved in setting up an EHR system in the small practice.
What if electronic health information is accessed without permission?
Under certain circumstances, such an incident is considered a breach that has to be reported to HHS (and/or a state agency if there is such a requirement in the state’s law). Having good access controls and knowledge of who has viewed or used information (i.e., access logs) can help to prevent or detect these data breaches.
8. Use Strong Passwords and Change Them Regularly
Passwords are the first line of defense in preventing unauthorized access to any computer. Regardless of type or operating system, a password should be required to log in. Although a strong password will not prevent attackers from trying to gain access, it can slow them down and discourage them. In addition, strong passwords, combined with effective access controls, help to prevent casual misuse (e.g., staff members pursuing their personal curiosity about a case even though they have no legitimate need for the information).
Strong passwords are ones that are not easily guessed. Since attackers may use automated methods to try to guess a password, it is important to choose a password that does not have characteristics that could make it vulnerable.
Strong passwords should not include:
• Words found in the dictionary, even if they are slightly altered (e.g., replacing a letter with a number)
• Personal information such as birth date; names of self, family members, or pets; social security number; or anything else that could easily be learned by others. Remember: If a piece of information is on a social networking site, it should never be used in a password.
Below are some examples of strong password characteristics:
- At least eight characters in length (the longer the better)
- A combination of upper case and lower case letters, one number, and at least one special character, such as a punctuation mark
Finally, systems should be configured so that passwords must be changed on a regular basis. While this may be inconvenient for users, it also reduces some of the risk that a system will be easily broken into with a stolen password.
Passwords and Strong Authentication
Strong, or multi-factor, authentication combines multiple different authentication methods, resulting in stronger security. In addition to a user name and password, another authentication method is used (e.g., a smartcard, key fob, or fingerprint or iris scan).
Under federal regulations permitting e-prescribing of controlled substances, multi-factor authentication must be used.
What about forgotten passwords?
Anyone can forget a password, especially if the password is long. To discourage people from writing down their passwords and leaving them in unsecured locations, plan for password resetting.
This could involve 1) allowing two different staff members to be authorized to reset passwords; or 2) selecting a product that has built-in password reset capabilities.
9. Limit Network Access
Ease of use and flexibility make contemporary networking tools very appealing. Web 2.0 technologies like peer-to-peer file sharing and instant messaging are popular and widely used. Wireless routing is a quick and easy way to set up broadband capability within a home or office. However, because of the sensitivity of health care information and the fact that it is protected by law, tools that might allow outsiders to gain access to a health care practice’s network must be used with extreme caution.
Wireless routers that allow a single incoming Internet line to be used by multiple computers are readily available for less than $100. For the small practice that intends to rely on wireless networking, special precautions are in order. Unless the wireless router is secured, its signal can be picked up from some distance away, including, for example, the building’s parking lot, other offices in the same building, or even nearby homes. Since electronic health information flowing over the wireless network must be protected by law, it is crucial to secure the wireless signal so that only those who are permitted to access the information can pick up the signal. Wireless routers must be set up to operate only in encrypted mode.
Devices brought into the practice by visitors should not be permitted access to the network, since it is unlikely that such devices can be fully vetted for security on short notice. Setting up a network to safely permit guest access is expensive and time-consuming, so the best defense is to prohibit casual access. When a wireless network is configured, each legitimate device must be identified to the router, and only then can the device be permitted access.
Peer-to-peer applications, such as file sharing and instant messaging, can expose the connected devices to security threats and vulnerabilities, including permitting unauthorized access to the devices on which they are installed. Check to make sure peer-to-peer applications have not been installed without explicit review and approval. It is not sufficient to just turn these programs off or uninstall them. A machine containing peer-to-peer applications may have exploitable bits of code that are not removed even when the programs are removed.
A good policy is to prohibit staff from installing software without prior approval.
10. Control Physical Access
Not only must assets like files and information be secured; the devices themselves that make up an EHR system must also be safe from unauthorized access. The single most common way that electronic health information is compromised is through the loss of devices, whether this happens accidentally or through theft. Incidents reported to the Office for Civil Rights show that more than half of all these data loss cases consist of missing devices, including portable storage media (e.g., thumb or flash drives, CDs, or DVDs), laptops, handhelds, desktop computers, and even hard drives ripped out of machines, lost and stolen backup tapes, and entire network servers.
Should a data storage device disappear — no matter how well an office has taken care of its passwords, access control, and file permissions — it is still possible that a determined individual could access the information on it. Therefore, it is important to limit the chances that a device may be tampered with, lost, or stolen.
Securing devices and information physically should include policies limiting physical access, e.g., securing machines in locked rooms, managing physical keys, and restricting the ability to remove devices from a secure area.
Where should I place my server that stores electronic health information?
When considering where to locate a server containing electronic health information (such as within an EHR), two main factors should be considered: physical and environmental protection. Physical protection should be focused on preventing unauthorized individuals from accessing the server (e.g., storing the server in a locked room accessible only to staff). Environmental protections should focus on protecting the server from fire, water, and other elements (e.g., never store a server in a restroom; instead store the server off the floor, away from water and windows, and in a temperature-regulated room).