Guest post by Craig Musgrave, senior vice president, information technology, The Doctors Company.
Healthcare entities remain the top target for cyber criminals. Not only do over 50 percent of all cyberattacks occur in the healthcare industry, but there have been 4,000 daily ransomware attacks—focused mostly on healthcare entities—since early 2016, a 300 percent increase over the 1,000 daily attacks in 2015.[i]
All types of organizations must take steps to ensure they are protected. The following are six questions you should ask your IT department to evaluate your cybersecurity readiness, and some answers to these perplexing problems most industries face today.
Does our organization use a security framework?
The National Institute of Standards and Technology Cybersecurity Framework is voluntary guidance, based on existing standards, guidelines, and practices, for critical infrastructure organizations to better manage and reduce cybersecurity risk.
The Framework will help an organization to better understand, manage, and reduce its cybersecurity risks. It will assist in determining which activities are most important to ensure critical operations and service delivery. In turn, that will help to prioritize investments and maximize the impact of each dollar spent on cybersecurity.
What are the top risks I should worry about?
Human interaction: Over 80 percent of attacks are made possible by human error or human involvement, such as downloading malicious files, clicking on malicious links, or plugging unknown USB devices into computer systems. You need to provide security training for all employees and maintain constant employee awareness of the risks. There should also be a significant investment in security solutions that can help limit the damage if an employee action leads to an attack.
Technology vulnerabilities: Vulnerabilities in your defenses may be known—or newly discovered when an attack happens. Invest in tools that scan for hardware and software vulnerabilities and invest in IT staff to constantly update and patch software.
External intruders: Addressing non-stop attempts to access your network through unsecured or vulnerable access points involves investing in technologies and strategies like multi-factor authentication, advanced firewalls, web application firewalls, external monitoring, and penetration tests.
Data loss: Protected health information (PHI) could be lost through an unapproved employee data transfer. Invest in tools that encrypt data-in-transit and educate employees on proper data transfer procedures.
Delayed detection: This is the inability to detect an intrusion due to an unknown vulnerability, misconfigured technology, or employee error. Invest in constant IT training on event management, security threat detection, incident response, and technology configuration. Execute threat simulations (penetration tests) and do a continual review of system configurations.
Attacks through privileged accounts: Hackers try to gain access to privileged accounts—such as domain admin, database admin, or external vendors—to reach secure areas within computer networks. For example, the major Target hack occurred when an employee of Target’s third-party HVAC vendor responded to a spear phishing e-mail. The use of Privileged Account Management systems enables one-use passwords for elevated accounts.
The use of electronic medical records (EMRs) is increasing liability risks for physicians. We have not yet seen the full impact of EMRs, because cases take three to four years to be filed from the time of the adverse event. However, we are beginning to see data that show EMRs are a contributing factor in malpractice suits.
In a study by The Doctors Company of 97 EMR-related closed claims from 2007 to 2014, user factors contributed to 64 percent of claims, while system factors contributed to 42 percent (the two categories overlap, since a claim can involve both). EMRs can result in a weak defense by casting the user—the physician—in an unfavorable light.
In a recent presentation I gave at HIMSS, I outlined malpractice cases that involved EMRs that resulted in cumulative awards of more than $30 million and reviewed areas where EMRs present the greatest risks.
Risk 1: Copy-and-Paste
Copying and pasting previously entered information can perpetuate any prior mistakes or fail to document a changing clinical situation. In The Doctors Company study, 13 percent of cases involved pre-populating/copy-and-paste as a contributing factor. While it may be OK to use the copy-and-paste function to save time, whatever is pasted must also be edited to reflect the current situation. Similar to copy-and-paste is the practice of using templates. Some of the biggest pitfalls in these two functions are lack of individualized information on the patient, gender confusion, lengthy notes for each encounter that look like they have been enhanced by the computer, lots of blanks, repeated typos and other errors, and use of similar phrases sequentially.
Risk 2: Informed Consent
Physicians must take care to capture the electronic signature of the patient when loading an informed consent into the EMR. Make certain the signature is legible. Also check to be sure the scanned document is in the record and that the informed consent is documented in the notes.
The following is from a case that involved problems with informed consent in the EMR:
What must be done before you walk out of the office for the last time before the stroke of midnight Jan. 1, 2015? It’s a simple question with many possible responses. Each healthcare organization, based on its needs and priorities, likely has a fix on what it needs to do, though perhaps those things are not necessarily what it wants to do. The final couple of weeks of the year are different for everyone, and practices are no different.
So, if you’re making a list and checking it twice, here are a few suggestions that you might want to add to it to be well prepared for the new year, based on your practice’s business needs, of course.
Review the ONC Federal Health IT Strategic Plan
At Health Data Consortium, we have three must-do items before we close the door to 2014. First, we urge the health IT community to review the recently released ONC Federal Health IT Strategic Plan 2015-2020. Public comments are open until February 6, but don’t let your response get lost in the start-of-the-year flurry. Second, we are preparing for the arrival of the 114th Congress and the opportunity to share Health Data Consortium’s public policy platform for 2015. Our platform will have an emphasis on the key issues that affect data accessibility, data sharing and patient privacy – all critical to improving health outcomes and our healthcare system overall. Finally, on January 1 we’ll be only 150 days from Health Datapalooza 2015. We are kicking off the new year and the countdown to Health Datapalooza with keynote speakers and sessions confirmed on a daily basis. We’re already making the necessary preparations to gather the innovators who are igniting the open health data revolution. As 2014 comes to a close, we look forward to hitting the ground running in 2015.
Ideally, turn off not only your lights, but everything — I mean every piece of digital technology and every way digital technology can connect to your organization. That is the only way to assure there are no accidents, glitches, failures or breaches. Here are some other things you can do:
• Fill every open position you can. Have positions and people identified and include backups. The only thing worse than not having a position to fill is having one to fill and leaving it open.
• Address mobility, medical devices and patient engagement, and not just from a security perspective — this includes everyone who provides access or information, or who uses these devices or systems.
• Address the culture and have a plan to include every individual in the organization, if the technology touches them, from BYOD to analytics to privacy to cloud storage.
IT, regardless of the industry, is ultimately about people. In healthcare, it is also about the data itself, which represents your patients. It has to be there, it has to work, it has to be secure.
— David Finn, CISA, CISM, CRISC, is a member of ISACA’s Professional Influence and Advocacy Committee, and the Health Information Technology Officer for Symantec