• Blog
  • Services
    • PHIshMD Ongoing Training
    • HIPAA Compliance
    • Discover Vulnerabilities to Patient PHI
  • Store
    • HIPAA Secure Now Service Store
  • Contact Us
    • Sales Inquiry
    • Customer Support
  • Resources
    • Free Healthcare Security Check Up Quiz
    • HIPAA Compliance Requirements | A Guide
    • Webinars & Downloadable Content
    • Use our free Breach Cost Calculator
    • HIPAA Secured Seal
    • In-Email Training & Analysis | Catch Phish

Call us at: 877-275-4545

Client or Partner? Login here
HIPAA Secure Now!HIPAA Secure Now!
  • Blog
  • Services
    • PHIshMD Ongoing Training
    • HIPAA Compliance
    • Discover Vulnerabilities to Patient PHI
  • Store
    • HIPAA Secure Now Service Store
  • Contact Us
    • Sales Inquiry
    • Customer Support
  • Resources
    • Free Healthcare Security Check Up Quiz
    • HIPAA Compliance Requirements | A Guide
    • Webinars & Downloadable Content
    • Use our free Breach Cost Calculator
    • HIPAA Secured Seal
    • In-Email Training & Analysis | Catch Phish

An Analysis of Cybersecurity Practices in Healthcare

July 9, 2019 Posted by Art Gross Security No Comments

A recent report by KLAS and CHIME looked at the cybersecurity practices of healthcare providers based on recent guidance issued on the subject. The results? Although some best practices seem to be on the radars of organizations of all sizes, overall findings suggest that small practices have some work to do.

In their white paper, KLAS and CHIME look at a document recently released by the 405(d) Task Group, which was put together by the Department of Health and Human Services (HHS) following the Cybersecurity Act of 2015. The document “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients”, outlines 10 cybersecurity practices that organizations should focus their attention on.

10 Cybersecurity Practices

  1. Email Protection Systems
  2. Endpoint Protection Systems
  3. Access Management
  4. Data Protection and Loss Prevention
  5. Asset Management
  6. Network Management
  7. Vulnerability Management
  8. Incident Response
  9. Medical Device Security
  10. Cybersecurity Policies

KLAS and CHIME used responses from over 600 providers gathered in the 2018 Healthcare’s Most Wired survey to assess how healthcare organizations are doing in their adoption of these cybersecurity best practices.

How are organizations doing with their adoption of cybersecurity practices and how can you improve yours?

Below are the key findings laid out by KLAS and CHIME on how organizations are doing with the 10 cybersecurity practices recommended by the Task Group.

  1. Email Protection Systems – Practices of all sizes seem to be doing well with their email protection, with most organizations having deployed email protection systems.
  • Are you protecting your email? Email protection includes filtering and encryption services to help keep attackers out. With email being the most common attack vector, protecting it is critical, but only one component of keeping attackers at bay when it comes to email threats. Along with technology protections, organizations should be providing simulated phishing to strengthen employee awareness and prevent a successful phishing attack or ransomware attempt.
  1. Endpoint Protection Systems – Similar to email protections, practices of all sizes are also doing well with deploying endpoint protection systems. It is worth noting however, that 20% of small organizations have not implemented an intrusion-detection and prevention system (IDPS), an important first line of defense in endpoint protection.
  • Are you protecting your endpoints? With mobility becoming more common in the workplace, it’s critical to ensure that ALL endpoints are properly protected. Endpoint protection includes antivirus, encryption, mobile device management (MDM), and more.
  1. Access Management – Most organizations stated that they have adopted access management policies, however, less than half of small organizations have implemented multifactor authentication (MFA). There has been little adoption for adaptive/risk-based authentication for organizations of all sizes.
  • Are you managing access? Managing user access is critical, especially in the healthcare industry. As cybercriminals continue to target healthcare, they will continue trying to crack employees’ credentials, send phishing emails, etc. It is important to make it difficult for attackers to get in, thus implementing controls like MFA is critical.
  1. Data Protection and Loss Prevention – Data loss prevention (DLP) tools are in place for most organizations, including 70% of small organizations. All organizations stated that they back up their data, however, the majority do so offsite rather than in the cloud.
  • Are you addressing data protection and loss prevention? Patient data must be shared securely, meaning that data must always be protected including at rest, in use, and in motion. Policies and procedures should be in place to address this process, which is a basis for DLP. Encrypting your data and ensuring you have backups available is essential for businesses of all sizes.
  1. Asset Management -The survey collected little information when it comes to how organizations are managing their assets, however, almost all respondents said they are properly disposing of devices with PHI.
  • Are you managing your assets? Knowing what devices are used within your organization is extremely important, however, simply tracking what devices you’ve purchased is no longer enough. Organizations should know what operating system their devices are running, MAC and IP addresses, locations, patching information and more. Policies should be in place that outline how you’re managing assets, including how you’re properly disposing of them when the time comes.
  1. Network Management – Nearly all organizations have network access controls (NAC) to monitor devices that are connected to the network. Organizations are doing well with firewalls and device security, which are widespread, however less than half of small organizations reported having their networks segmented.
  • Are you managing your networks? Managing your network is incredibly important at keeping cybercriminals out. It is absolutely necessary for all organizations regardless of size to have their networks properly segmented, that way if an attack were to occur it would not spread to the entire network. In addition, protecting your network with firewalls and device security should be a top priority.
  1. Vulnerability Management – 90% of large organizations are running vulnerability scans at least quarterly, while only 60% of small and medium-sized businesses are doing the same. Despite the Task Group recommending large organizations run penetration tests, small organizations are more likely to do so. Some small organizations reported that resource constraints prevent them from involving multiple business units in their remediation.
  • Are you managing your vulnerabilities? Vulnerability scans will look for and identify vulnerabilities found within your organization. Adding in penetration testing through internal or external teams will also help you with your vulnerability management, allowing for a deeper look at your vulnerabilities. Policies should be implemented so that after you have conducted a vulnerability scan, you will be prepared to prioritize and remediate the identified vulnerabilities.
  1. Incident Response – Most organizations have an incident response plan in place, however only half of them conduct an annual enterprise-wide test to see if that plan is successful.
  • Do you have an incident response plan? Having an incident response plan is yet another crucial cybersecurity practice for organizations of all sizes. This plan should include policies and procedures for handling an incident, quickly and efficiently isolating and mitigating security events, how to handle breach notifications, etc. In addition to having an incident response plan in place, it should be tested at least annually to verify that the plan works the way you intend it to.
  1. Medical Device Security – Medical device security was found to be a top security concern for survey respondents due to the challenges that are present with them, like their potential to be breached and put patient safety at risk. The top two security struggles identified with medical devices include out-of-date operating systems that cannot be patched and a lack of inventory of assets due to a large number of devices that need to be secured.
  • Are you securing medical devices? Although it may be easier for small organizations to secure their medical devices due to a lower volume of devices and strong policies for doing so, organizations of all sizes should make this a priority. While difficult to do so, do your best to keep an inventory of your medical devices and verify that the list is current. If a vulnerability is known for a device and you are aware of that device and its location, you can begin addressing that vulnerability much quicker.
  1. Cybersecurity Policies – Small organizations are less likely to have cybersecurity policies in place, such as dedicating an individual to be the chief information security officer (CISO), or a bring-your-own-device (BYOD) policy.
  • Do you have your cybersecurity policies in place? A strong cybersecurity program includes policies and technology to support them. Don’t overlook the importance of implementing cybersecurity policies. KLAS and CHIME state, “While various policies underly each of the previous nine cybersecurity practices, organizations’ overall security policies should include the following elements: proper classification of data; definition of roles and responsibilities within the organization (including proper governance); employee education; definition of acceptable data and tool usage; definition of proper use of personal and employer-provided devices; and creation of a cyber attack response plan.”

Although not all cybersecurity best practices are being ignored in the healthcare industry, it is safe to say that there is work to be done, especially within smaller organizations.

Remember, it’s not only the government and your state of compliance you need to worry about, it’s cybercriminals too.

For more information regarding the cybersecurity best practice guidance issued by the Task Group, put together by the Department of Health and Human Services, check out our recent webinar!

 

Tags: Cybersecurity
No Comments
Share
0

You also might be interested in

Why Physicians Need Improved Cybersecurity Education

Why Physicians Need Improved Cybersecurity Education

Nov 6, 2018

A recent survey conducted by the American Medical Association (AMA)[...]

5 Tips for Protecting Your Electronic Health Records

5 Tips for Protecting Your Electronic Health Records

Jan 15, 2019

As the value of healthcare data remains high, there is[...]

Ransomware Is Alive and Well – Here Are 10 Tips to Help Protect Your Organization

Ransomware Is Alive and Well – Here Are 10 Tips to Help Protect Your Organization

Jan 22, 2019

  Remember ransomware, the malicious software that blocks computer access[...]

Leave a Reply Cancel Reply

Recent Posts

  • NIST and HIPAA
  • ADA: Americans with Disabilities Act
  • What Is GDPR?
  • HIPAA Right to Access Enforcement
  • Certificate of Need

Recent Comments

  • Milan on PHI or PII – What’s the Difference?
  • Automatic Backlinks on Free HIPAA Security Training!
  • Lisa Porter on Free HIPAA Security Training!
  • Roseanne ruiz on Health Apps & HIPAA
  • Roseanne ruiz on PHI or PII – What’s the Difference?

Archives

  • August 2022
  • July 2022
  • June 2022
  • May 2022
  • April 2022
  • March 2022
  • February 2022
  • January 2022
  • December 2021
  • November 2021
  • October 2021
  • September 2021
  • August 2021
  • July 2021
  • June 2021
  • May 2021
  • April 2021
  • March 2021
  • February 2021
  • January 2021
  • December 2020
  • November 2020
  • October 2020
  • September 2020
  • August 2020
  • July 2020
  • June 2020
  • May 2020
  • April 2020
  • March 2020
  • February 2020
  • January 2020
  • December 2019
  • November 2019
  • October 2019
  • September 2019
  • August 2019
  • July 2019
  • June 2019
  • May 2019
  • April 2019
  • March 2019
  • February 2019
  • January 2019
  • November 2018
  • October 2018
  • September 2018
  • August 2018
  • July 2018
  • June 2018
  • May 2018
  • April 2018
  • March 2018
  • February 2018
  • January 2018
  • December 2017
  • November 2017
  • October 2017
  • September 2017
  • August 2017
  • July 2017
  • June 2017
  • May 2017
  • April 2017
  • March 2017
  • February 2017
  • January 2017
  • December 2016
  • November 2016
  • October 2016
  • September 2016
  • August 2016
  • July 2016
  • June 2016
  • May 2016
  • April 2016
  • March 2016
  • February 2016
  • January 2016
  • December 2015
  • November 2015
  • October 2015
  • September 2015
  • August 2015
  • June 2015
  • May 2015
  • April 2015
  • March 2015
  • February 2015
  • January 2015
  • December 2014
  • November 2014
  • October 2014
  • September 2014
  • August 2014
  • July 2014
  • June 2014
  • May 2014
  • April 2014
  • March 2014
  • February 2014
  • January 2014
  • December 2013
  • November 2013
  • October 2013
  • September 2013
  • August 2013
  • July 2013
  • June 2013
  • May 2013
  • April 2013
  • March 2013
  • February 2013
  • January 2013
  • December 2012
  • November 2012
  • October 2012
  • September 2012
  • July 2012
  • June 2012
  • May 2012
  • April 2012
  • March 2012
  • February 2012
  • January 2012
  • December 2011
  • November 2011
  • October 2011
  • September 2011
  • August 2011
  • July 2011
  • June 2011
  • May 2011
  • April 2011
  • March 2011
  • February 2011

Categories

  • Backup & Disaster Recovery
  • Business Associates
  • Client News
  • Download
  • Healthcare Industry
  • HIPAA
  • HIPAA Audits
  • HIPAA Violations
  • HSN News
  • Legal
  • MACRA
  • Policies and Procedures
  • Press Release
  • Remote Workforce
  • Risk Assessment
  • Scams
  • Security
  • Security Reminders
  • Security Training
  • Telehealth
  • Uncategorized
  • Webinar
  • Website

Meta

  • Log in
  • Entries feed
  • Comments feed
  • WordPress.org

Contact Us

  • HIPAA Secure Now
  • 55 Madison Ave, Suite 400 Morristown, NJ 07960
  • (877) 275 - 4545
  • info@hipaasecurenow.com

Find us on Social Media

Recent Posts

  • NIST and HIPAA August 9, 2022
  • ADA: Americans with Disabilities Act August 2, 2022
  • What Is GDPR? July 25, 2022
  • HIPAA Right to Access Enforcement July 19, 2022
  • Certificate of Need July 11, 2022

Subscribe to our Newsletter

  • Hidden

© 2022 · HIPAA Secure Now!

Prev Next