Fifty-eight percent of malware attack victims are small businesses
Sixty percent of small businesses go out of business within six months of an attack
Ninety percent of small businesses do not use any data protection at all
The process of implementing cybersecurity practices will vary by organization size, complexity, and type. For example, the development and implementation of an incident response plan will differ significantly between a large integrated delivery network and a small two-physician practice.
Each organization has specific cybersecurity-related attributes, strengths, and vulnerabilities. For cybersecurity practices to be optimally effective, organizations must tailor them to their unique needs and business mission.
Small health care organizations tend to have limited resources for managing their cybersecurity practices, but they are no less subject to cyber attacks. Indeed, the Top 5 Cybersecurity Threats, documented below, can be very disruptive to small organizations. Suppose a small provider practice loses a laptop holding unencrypted personal health information (PHI), resulting in a publicized breach. Such a breach could have devastating consequences for both the provider’s patients and the practice’s reputation.
Conducting day-to-day business usually involves the electronic sharing of clinical and financial information with patients, providers, vendors, and other players to manage the practice and maintain business operations. For example, small organizations transmit financial information to submit invoices and insurance claims paid by Medicare, Medicaid, Health Maintenance Organizations (HMOs), and credit card companies.
• Clinical care includes sharing information for clinical care, transitioning care (both social and clinical), electronic prescribing (“e-prescribing”), communicating with patients through direct secure messaging, and operating diagnostic equipment connected to a computer network, such as ultrasound and picture archiving and communication systems (PACS).
• Provider practice management covers patient access and registration, patient accounting, patient scheduling systems, claims management, and bill processing.
• Business operations span accounts payable, supply chain, human resources, IT, staff education, protecting patient information, and business continuity or disaster recovery.
Small health care organizations must comply with multiple legal and regulatory guidelines and requirements. They often ensure compliance by creating an internal infrastructure of personnel and procedures to govern the transmission of sensitive data internally and with authorized external resources.
In 2017, under the leadership of HHS, the Healthcare Industry Cybersecurity Task Force (HCIC) conducted a Healthcare Industry Cybersecurity Risk Assessment; the results were published in the Health Care Industry Cybersecurity Report. The Health and Public Health Coordinating Council Task Group responded to the findings and to the Cybersecurity Act’s mandate to “Align Health Care Industry Security Approaches.”
The Task Group determined that it was not effective to identify every cybersecurity challenge across the large and complex U.S. health care industry. The Task Group therefore made the decision to focus on the most impactful threats, with the goal of significantly moving the cybersecurity needle for a broad range of organizations within the industry. Below are the Top 5 Threats to small healthcare organizations:
To help small health care organizations address the risk posed by the Top 5 Threats, the Department of Health and Human Services (HHS) recently published a common set of best practices, methodologies, procedures, and processes. These mitigation guidelines, though voluntary, are consensus based and industry led.
Small practices typically leverage outsourced third-party e-mail providers, rather than establishing a dedicated internal e-mail infrastructure. The e-mail protection practices in this section are presented in three parts:
Endpoints include desktops, laptops, mobile devices, and other connected hardware devices (e.g., printers, medical equipment). Because technology is highly mobile, computers are often connected to and disconnected from an organization’s network. Although attacks against endpoints tend to be delivered via e-mail, as described above, they can also be delivered as client-side attacks.
Health care organizations of all sizes need to clearly identify all users and maintain audit trails that monitor each user’s access to data, applications, systems, and endpoints. Just as a name badge may be required to identify persons in the physical work environment, cybersecurity access management practices can help ensure that users are properly identified in the digital environment, as well.
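The audit-trail review described above can be made concrete. The following is an added example and is not code from the HHS guidance: it reads a constructed access log, checks each entry against a constructed user roster and role-to-data policy, and flags the conditions a small practice would most want to notice (accounts not in the roster, terminated accounts still in use, access outside the user's assigned role, after-hours access, and repeated failed attempts). The log format, roster, roles, and business-hours window are all assumptions made for the example.

```python
"""
Added example (not part of the HHS guidance): reviewing an access audit trail
against a user roster. The log lines, users, roles, and policy below are all
constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed roster: login -> (role, account active?)
ROSTER = {
    "jdoe":    ("physician", True),
    "mlee":    ("billing", True),
    "rgarcia": ("front_desk", True),
    "tformer": ("nurse", False),   # terminated; account should be disabled
}

# Constructed policy: which data categories each role is expected to touch
ROLE_ACCESS = {
    "physician":  {"clinical_record", "eprescribe", "pacs"},
    "nurse":      {"clinical_record"},
    "billing":    {"claims", "patient_accounting"},
    "front_desk": {"scheduling", "registration"},
}

BUSINESS_HOURS = (time(7, 0), time(19, 0))   # assumed clinic hours
FAILED_ATTEMPT_THRESHOLD = 3                 # assumed alert threshold


@dataclass
class Finding:
    line_no: int
    user: str
    reason: str


def parse_line(line):
    """Constructed log format: timestamp|user|resource|action|outcome."""
    ts, user, resource, action, outcome = line.strip().split("|")
    return datetime.fromisoformat(ts), user, resource, action, outcome


def review_audit_trail(lines):
    """Return a list of Findings, in log order, for entries that need follow-up."""
    findings = []
    failures = {}                      # user -> count of failed outcomes
    for n, line in enumerate(lines, 1):
        ts, user, resource, action, outcome = parse_line(line)
        entry = ROSTER.get(user)
        if entry is None:
            findings.append(Finding(n, user, "access by account not in roster"))
            continue
        role, active = entry
        if not active:
            findings.append(Finding(n, user, "access by disabled/terminated account"))
            continue
        if resource not in ROLE_ACCESS[role]:
            findings.append(Finding(n, user, f"{role} accessed {resource} outside assigned role"))
        if not (BUSINESS_HOURS[0] <= ts.time() <= BUSINESS_HOURS[1]):
            findings.append(Finding(n, user, "access outside business hours"))
        if outcome == "failure":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] == FAILED_ATTEMPT_THRESHOLD:
                findings.append(Finding(n, user, "repeated failed access attempts"))
    return findings


# Constructed sample log (not real data)
SAMPLE_LOG = [
    "2024-03-04T09:15:00|jdoe|clinical_record|read|success",
    "2024-03-04T10:02:00|mlee|claims|update|success",
    "2024-03-04T22:40:00|rgarcia|clinical_record|read|success",
    "2024-03-04T11:10:00|tformer|clinical_record|read|success",
    "2024-03-04T12:00:00|svc_tmp|pacs|read|success",
    "2024-03-04T13:00:00|mlee|claims|login|failure",
    "2024-03-04T13:01:00|mlee|claims|login|failure",
    "2024-03-04T13:02:00|mlee|claims|login|failure",
]

if __name__ == "__main__":
    for f in review_audit_trail(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.user}: {f.reason}")
```

Run as a script, the sample produces five findings: two for the front-desk account reading a clinical record after hours, one for the terminated account, one for the unknown account, and one for the third consecutive failed attempt. The point of keeping the roster and role policy in plain data structures is that a small practice can maintain them alongside its HR records and re-run the review whenever the EHR or e-mail provider exports an audit log.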
A security breach is the loss or exposure of sensitive data, including PHI as well as information relevant to the organization’s business. Impacts to the organization can be profound if data are corrupted, lost, or stolen. Security breaches may prevent users from completing work in an accurate or timely manner; potentially devastating consequences to patient treatment and well-being could occur. Thus, good data protection and loss prevention practices protect the organization as well as the patients.
Organizations manage IT assets using processes referred to collectively as IT asset management (ITAM). ITAM is critical to ensuring that the appropriate cyber hygiene controls are maintained across all assets in your organization.
ITAM processes should be implemented for all endpoints, servers, and networking equipment. ITAM processes enable organizations to understand their devices, and the best options to secure them. Although difficult to implement and sustain, ITAM processes should be part of daily IT operations and encompass the lifecycle of each IT asset, including procurement, deployment, maintenance, and decommissioning (i.e., replacement or disposal) of the device.
Computers communicate with other computers through networks. These networks are connected wirelessly or via wired connections (e.g., network cables), and networks must be established before systems can interoperate. Networks that are established in an insecure manner increase an organization’s exposure to cyber attack.
Proper cybersecurity hygiene ensures that networks are secure and that all networked devices access networks safely and securely. If network management is provided by a third-party IT support vendor, the organization must understand key aspects of proper network management for inclusion in contracts for these services.
Vulnerability management is the process used by organizations to detect technology flaws that hackers could exploit. This process uses a scanning capability, often provided by an EHR or IT support vendor, to proactively scan devices and systems in your organization.
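The ITAM lifecycle described above and the vulnerability scanning described here reinforce each other: scan results are only actionable when each finding can be tied to a known, owned asset. The following is an added example, not code from the HHS guidance or from any scanning vendor: it reconciles a constructed asset inventory with a constructed scan export, flagging scanned hosts that are not in the inventory, assets marked decommissioned that still answer on the network, and findings whose remediation deadline has passed. The inventory fields, finding identifiers, severity deadlines, and the "as of" date are all assumptions made for the example.

```python
"""
Added example (not part of the HHS guidance): reconciling an IT asset inventory
with a vulnerability scan export. All assets, finding IDs, and dates below are
constructed placeholders.
"""
from datetime import date

# Constructed inventory keyed by IP address: asset tag, owner, lifecycle state
INVENTORY = {
    "10.0.1.10": {"tag": "WS-0001", "owner": "front_desk", "state": "deployed"},
    "10.0.1.11": {"tag": "WS-0002", "owner": "billing",    "state": "deployed"},
    "10.0.1.50": {"tag": "SRV-EHR", "owner": "it",         "state": "maintained"},
    "10.0.1.77": {"tag": "WS-OLD9", "owner": "it",         "state": "decommissioned"},
}

# Assumed remediation deadlines (days after first detection) by severity
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed scan export: (ip, placeholder finding id, severity, first seen)
SCAN = [
    ("10.0.1.10", "FINDING-001", "high",     date(2024, 1, 5)),
    ("10.0.1.11", "FINDING-002", "low",      date(2024, 2, 1)),
    ("10.0.1.50", "FINDING-003", "critical", date(2024, 2, 20)),
    ("10.0.1.77", "FINDING-004", "medium",   date(2024, 1, 15)),
    ("10.0.1.99", "FINDING-005", "high",     date(2024, 2, 25)),
]

AS_OF = date(2024, 3, 1)   # assumed date the report is generated


def reconcile(inventory, scan, today):
    """Cross-check scan findings against the inventory.

    Returns a dict with three lists:
      unmanaged               - IPs seen by the scanner but absent from the inventory
      decommissioned_but_live - asset tags marked decommissioned that still respond
      overdue                 - (tag, finding id, severity, days past deadline),
                                most severe and most overdue first
    """
    report = {"unmanaged": [], "decommissioned_but_live": [], "overdue": []}
    for ip, finding_id, severity, first_seen in scan:
        asset = inventory.get(ip)
        if asset is None:
            report["unmanaged"].append(ip)
            continue
        if asset["state"] == "decommissioned":
            report["decommissioned_but_live"].append(asset["tag"])
            continue
        age_days = (today - first_seen).days
        overdue_by = age_days - SLA_DAYS[severity]
        if overdue_by > 0:
            report["overdue"].append((asset["tag"], finding_id, severity, overdue_by))
    report["overdue"].sort(key=lambda r: (SEVERITY_RANK[r[2]], -r[3]))
    return report


def sample_report():
    """Run the reconciliation over the constructed data as of AS_OF."""
    return reconcile(INVENTORY, SCAN, AS_OF)


if __name__ == "__main__":
    r = sample_report()
    print("Unmanaged hosts:", r["unmanaged"])
    print("Decommissioned assets still live:", r["decommissioned_but_live"])
    for tag, fid, sev, days in r["overdue"]:
        print(f"{tag} {fid} ({sev}) is {days} day(s) past its remediation deadline")
```

For the constructed data the report lists one unmanaged host (10.0.1.99), one decommissioned workstation still answering (WS-OLD9), and two overdue findings, with the critical finding on the EHR server ranked ahead of the older high-severity one. When the scanner is operated by an EHR or IT support vendor, asking for exactly this kind of reconciliation against the practice's inventory is a reasonable contractual expectation.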
Incident response is the ability to discover cyber attacks on the network and prevent them from causing a data breach or data loss. Incident response is often referred to as the standard “blocking and tackling” of information security.
Many types of security incidents occur on a regular basis across organizations of all sizes. Two common security incidents that affect organizations of all sizes are:
As technology advances and health care environments migrate to digitized systems, so do medical devices. For many reasons, it is highly desirable to interface medical devices directly with clinical systems. Automating data collection from medical devices reduces the labor burden and exposure to human error that results from manual input of data. Furthermore, automated control of device instrumentation delivers the most accurate treatment possible to the patient. For example, bedside vital signs monitors are networked to centralized nursing station displays and alarms, and infusion pumps are networked to servers to distribute drug libraries as well as download usage data.
As with all technologies, medical device benefits are accompanied by cybersecurity challenges. One emerging threat is the practice of hacking medical devices to cause harm by operating them in an unintended manner. For example, the 2015 document “How to Hack an Infusion Pump” describes how an infusion pump can be controlled remotely to modify the dosage of drugs, threatening patient safety and well-being.
Cybersecurity vulnerabilities are introduced when medical devices are connected to a network or computer to process required updates. Many medical devices are managed remotely by third-party vendors, which increases the attack footprint.
Establishing and implementing cybersecurity policies, procedures, and processes is one of the most effective means of preventing cyberattacks. With consistent training and enforcement, expectations are clear and your workforce adopts consistent behaviors. With clearly articulated cybersecurity policies, your employees, contractors, and third-party vendors know which data, applications, systems, and devices they are authorized to access, and the consequences of unauthorized access attempts.