Cyber Vulnerability in Health Care Part II: Prevention and Response
by Greta Kviklyte
Life Saver, AMC
posted on Aug 2, 2017, at 11:25 pm
There was a time when cybersecurity in health care facilities was thought to be out-of-bounds for hackers. As a result, health care organizations did not view cybersecurity through victims’ eyes, meaning preparation and response were last on their radars. However, the new age of medicine, heavily reliant on the internet and connectivity, has led to multiple attacks on this vulnerable industry, reports ABC News. In addition, according to E. Todd Bennett via Becker’s Health IT and CIO Review, a 2016 study on the cybersecurity of health care organizations found nearly all responding entities suffered at least one cyber attack per month.
This information is astounding, and it means your organization has probably been hit before. You may not have even known about it. But, you have the upper hand. You can identify cyber vulnerabilities in your organization, and you can work to prevent them from becoming cyber attacks. More importantly, your organization can take charge if an attack occurs and minimize the damage it causes. But first, you need to know what the Health Care Industry Cybersecurity Task Force (HCICTF) recommends for health care organizations just getting started on their cybersecurity initiatives.
Recommendations for Cybersecurity in Health Care Organizations
Imperative Four of the HCICTF addresses readiness through awareness and education in the health care industry. It includes the following actions:
- Health care organizations must develop education programs, targeting executive-level leadership, including stakeholders, managerial staff and department heads, that increase awareness and education about cybersecurity in the organization. Furthermore, the executive-level program must ensure a consistent message relating to cybersecurity. For example, some organizations may consider using Federal Trade Commission (FTC) cybersecurity education resources or DHS Stop.Think.Connect. programs.
- Next, the organization must establish a means of tracking and managing cybersecurity strengths and weaknesses within the system. Moreover, this step must include monitoring of both organization-wide and personal activities, such as the websites and pages visited by staff members when using company systems or devices.
- Using the information derived in step two, a health care organization must create a means of controlling traffic and access habits that fall outside of the employee’s direct responsibilities. In other words, firewalls and other standards need to be created to prevent users from visiting sites with a known or suspected history of giving malware access to your system, like illicit file-sharing sites. This may also apply to accessing personal email or other personal systems, even including popular cloud systems, like Google Drive, unless authorized for the express purpose of performing work and continuing care.
- Information and systems used to create standardized cybersecurity systems for health care organizations should also be available to health care organizations, regardless of size or location. For example, if your facility works with smaller health care providers in rural areas, you have a vested interest in ensuring the other facility learns about its cyber vulnerability and increases its cybersecurity measures. Obviously, you would not want to pay for such improvements, but you should at least increase awareness and offer direction or referral to appropriate cybersecurity firms, vendors or resources.
- The application of Step Four also extends across various levels of government. As a result, it is not necessarily a recommendation, but it does imply a need to stay vigilant over future resource availability from local, state and federal agencies involved in health care cybersecurity.
- Provide information to patients regarding their health care data storage, security, access and accountability. This step puts control of patient data back in the hands of patients, reducing risk inherent in patient-facing portals and access points to your system.
These recommendations have a common theme of reducing the cyber vulnerability in your organization, but you still need to know how to leverage them to prevent an attack.
How to Prevent a Cyber Attack in Your Organization
Unfortunately, there is no definitive solution to preventing cyber attacks. Also, a cyber attack does not have to be successful to be an attack. It can simply be a penetration attempt. As a result, it is important to respond to any penetration attempt as if it were an authentic attack until proven otherwise. Most importantly, health care organizations can prevent a cyber attack and its fallout by taking a few steps to protect patient and facility data and systems, reports E. Todd Bennett via Becker’s Health IT and CIO Review.
1. Acknowledge Your Organization’s Risk
Cyber security in health care is a topic where ignorance is not bliss. Acknowledge your organization’s risk, and start working to identify its vulnerabilities. This may include poor authentication systems, unsecured devices and access points, and past issues involving cyber attacks or cyber vulnerabilities.
2. Create a Back-Up Data Storage System
Next, you need a back-up storage system. This is not a physical, printed copy of files; it is a total rendering of all recent patient and system data that is collected and stored periodically in a second location. In most instances, cloud-based systems can automatically back up and retrieve data as needed. As a result, you may consider working with your internet provider or cybersecurity team to select a back-up solution.
3. Create a “Gold Image” of Your Systems’ Skeletons
Similar to actual data back-ups, you need a back-up of your system’s settings, operating files and configurations. One of the simplest ways of achieving this is through the creation of a “Gold Image.” Named after the term “system image” on Microsoft operating platforms, a “Gold Image” acts as a storage point for all system settings if an attack occurs. It restores the system to its clean state, but it lacks the patient-specific data found in your back-up system. As a result, you need both a back-up for data and a “Gold Image” plan in place.
4. Create a Cyber Attack Response Plan
The cyber attack response plan should be a subset of your emergency response plan. However, creating a plan from scratch means looking at everything and finding a way around it in the event of an attack. Rather than trying to assess your systems internally, it is best to work with an outside cybersecurity vendor. This is even more important if your internal IT department’s cybersecurity credentials are lacking.
5. Review the Credentials of Your Internal IT Department’s Cybersecurity Team Members
The majority of health care organizations lack qualified cybersecurity personnel in internal departments. This means that individuals working as cybersecurity personnel may have been grandfathered into their roles or act as IT professionals. However, cybersecurity is a field in a constant state of flux, and all cybersecurity team members should have appropriate credentials, including a degree or certification in IT and cybersecurity. Furthermore, cybersecurity team members should also undergo frequent, routine training to ensure they understand the latest risks and information available regarding cybersecurity in health facilities.
6. Work With Accredited, Known Cybersecurity Vendors
The fastest way to create a cyber vulnerability in your organization is by working with unaccredited cybersecurity vendors. Your vendor should have a reputable history of its services, and it should offer information, including benchmarking reports, of its current subscribers. In other words, if you haven’t heard of the company before, do not make a last-minute decision to work with that vendor.
7. Test Your Cybersecurity Plans
All cybersecurity plans require testing. This is similar to the mock attack identified in Part I, but it should be an organization-wide effort. Conduct the mock attack by announcing it to all personnel. When trained properly, team members should log off system devices and computers and report to their supervisors for additional information. In addition, your cybersecurity vendor may conduct penetration testing through a “simulated hack” on your system to ensure it stops the “threat.”
8. Review Your Test Results for Areas in Need of Improvement
Any areas that do not adhere to your cyber security plan, including employee actions, should be discussed and reviewed after testing. This allows all team members to learn more about their roles in preventing an attack. More importantly, include the results of cybersecurity tests in staff meetings or in-services.
9. Educate Your Staff Members and Other Health Care Professionals Using Your System, Equipment or Networks
Emphasize the importance of passwords, two-factor authentication, awareness of phishing emails, limited data access, accessing data only on a need-to-know basis, not unlike the standards in the Health Insurance Portability and Accountability Act (HIPAA), and proper communication channels, asserts Kristen Lee of Tech Target.
10. Educate Patients About Cybersecurity When Accessing Health Records or Systems, “Patient Portals”
Another factor in prevention is educating patients about cybersecurity when accessing their health records. For example, advise patients to only access the system on secure networks, like those in their homes, and avoid accessing any personal information when connected to a public network.
11. Build Redundancy Into Your Health Systems
Your systems should have redundancy built into their foundations. In other words, if a computer goes down, you need to have the ability to access its records remotely. Furthermore, any cybersecurity measures, like anti-virus software, should be subject to multiple check-points and firewalls.
12. Use Metrics to Track the Performance and Benefits of Your Cybersecurity Vendor
Using a cybersecurity vendor is only half the battle. Track the performance and benefits of your current vendor-client partnerships. This includes the number of cyber penetrations attempted, number of blocked penetrations and actual cyber penetrations that were stopped before causing additional damage or accessing confidential data and systems.
13. Remove Nonessential Data, and Improve Data Quality
Consumers should have confidence in the data stored by their health care providers. Remove all nonessential data from electronic health records (EHRs), like social security numbers and financial data. In addition to reducing risk, this step improves data quality and reduces the amount of storage space needed.
14. Repeat “Steps 1-13” Annually and Thoroughly
The last step to prevention is simple. Revisit the previous steps at least once every year and following an attack. It may also be appropriate to complete these steps after major cyber attacks occur in the U.S. and around the globe, even if they do not impact your organization directly.
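Step 13 lends itself to an automated check that can be rerun on the annual cycle in step 14. The following is an added example, not part of the original article: a Python script that scans exported records, including free-text notes, for Social Security and payment card numbers and redacts them. The flat dictionary record layout, the function names and the sample data are assumptions constructed for illustration.

```python
import re

# SSN written as ddd-dd-dddd (dash or space); card as 13-19 digits with optional separators.
SSN_RE = re.compile(r"\b(\d{3})[- ](\d{2})[- ](\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

SAMPLE_RECORDS = [  # constructed sample; the flat dict layout is an assumption, not a real EHR schema
    {"id": "r1", "ssn": "123-45-6789", "note": "Card 4111 1111 1111 1111 on file."},
    {"id": "r2", "note": "Vaccine lot 000-12-3456; pump serial 1234 5678 9012 3456."},
]

def plausible_ssn(area, group, serial):
    # Area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
    return area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000"

def luhn_ok(digits):
    # Luhn checksum: double every second digit from the right, sum, test mod 10.
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scrub_value(text):
    """Redact SSN-like and card-like numbers; return (clean_text, kinds_found)."""
    kinds = set()
    def ssn_sub(m):
        if not plausible_ssn(*m.groups()):
            return m.group(0)          # e.g. a lot number that only looks like an SSN
        kinds.add("ssn")
        return "[REDACTED-SSN]"
    def card_sub(m):
        if not luhn_ok(re.sub(r"\D", "", m.group(0))):
            return m.group(0)          # long digit run that fails the checksum
        kinds.add("card")
        return "[REDACTED-CARD]"
    return CARD_RE.sub(card_sub, SSN_RE.sub(ssn_sub, text)), kinds

def minimize(records):
    """Return (cleaned_copies, findings); each finding is (record id, field, kind)."""
    cleaned, findings = [], []
    for rec in records:
        out = dict(rec)
        for field, value in rec.items():
            if isinstance(value, str):
                out[field], kinds = scrub_value(value)
                findings += [(rec["id"], field, k) for k in sorted(kinds)]
        cleaned.append(out)
    return cleaned, findings
```

The findings list shows which fields held the data, so the field itself can be retired from the record layout rather than redacted on every run.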
What to Do Following a Health Care Cyber Attack
There is a profound sense of fear and panic that can set in after a cyber attack. Patient appointments may be cancelled, and your ability to provide care can be impeded. But, it is important to stay calm and follow predetermined steps if an attack occurs.
1. Do Not Pay the Ransom
In 2016, a ransomware attack occurred on a Kansas hospital, locking caregivers out of their systems, reports Bill Siwicki of Healthcare IT News. With no course of action in sight, the hospital’s executives made the decision to pay the ransom. Unfortunately, the attackers refused to unlock the systems, and they demanded more money.
This event showcases why paying the ransom is unacceptable. Never pay a ransom during a cyber attack.
2. Report the Attack to the Authorities Immediately
Report the attack to your cybersecurity vendor, cybersecurity team and appropriate authorities as soon as it appears to have impacted your system. Getting the ball moving faster can help authorities locate the source of attack and stop it before it damages your system and data.
3. Activate Your Emergency Response Plan
Your emergency response plan should also have a series of steps defining specific actions to take in the event of a cyber attack. Due to its impact on your ability to provide care and services, this may include putting your facility on diversion for non-emergencies.
4. Stop All Employees, Patients and Other Users From Accessing the System
If you have a “Gold Image” and data backup, it may be time to lock the system entirely and use the “Gold Image” to restore the system to its pre-attack state. Then, you will need to restore data from the system back-up location, and depending on the devices and systems used, this process may need to be completed on computers and systems individually.
5. Work With Your Cybersecurity Vendor to Prevent a Future Attack
Your cybersecurity vendor will be an invaluable resource in strengthening your organization’s cybersecurity. Work with your vendor to identify as much information as possible, including ways you can work to prevent a future attack.
6. Gather Proof of Preparatory Measures Taken Prior to the Attack
If patient or employee data is stolen during the attack, your organization could be liable for damages incurred if you had unsatisfactory cybersecurity measures in place. Keep all proof of preparatory measures taken ready, and acknowledge the possibility of a legal filing. In addition, your organization may consider purchasing cybersecurity insurance, similar to business liability insurance, to cover any losses incurred by persons served.
7. Be Transparent With People Affected by the Hack, Including Their Data
However, only individuals designated with the authority to speak about the attack should do so. While you may not be able to stop patients from discussing how it impacted them, you need to reduce the number of employees discussing the incident with the media. This is also essential to limiting the exposure of employee data as the hack progresses.
8. Implement New Cybersecurity Standards to Isolate and Eliminate the Vulnerability
After analyzing a cyber attack, implement new cybersecurity standards immediately. This will help you isolate additional vulnerabilities and prevent future attacks.
9. Conduct Training With Staff Members to Review the Attack, What Went Wrong and How to Prevent It From Recurring
Training is essential to ensuring staff members understand how they can help prevent cyber attacks and keep information secure. Conduct training with all staff members following an attack, and create a cybersecurity training schedule, if you do not have one already, that coincides with other annual training programs, like Bloodborne Pathogens or Basic Life Support (BLS) courses.
Tackle Cyber Vulnerabilities Now
The next cyber attack on your organization is coming, and it may have already hit. By learning why and how health care organizations are affected by cyber vulnerabilities and attacks, you can do something to prevent them. Use the information in this two-part series to spread awareness in your organization, and make sure everyone understands that maintaining cybersecurity is an effort only possible through collaboration and education.
One last thing—do not click on that email requesting your passwords!