Cybersecurity involves protecting electronic information so that it remains confidential, intact, and available to authorized users. Cybersecurity is critical for every healthcare organization. Any breach of protected health information (PHI) security can have a serious impact on patient trust, the reputation of the healthcare provider, and may even damage the quality of patient care.
In addition, PHI is very valuable data, putting it at particular risk from cybercriminals. A recent joint cybersecurity report published by the Department of Health and Human Services, the FBI, and the Cybersecurity and Infrastructure Security Agency (CISA) warns of an "… increased and imminent cybercrime threat to U.S. hospitals and healthcare providers."
Adding to the challenge of keeping data protected is that healthcare cybersecurity can be complex. Many healthcare organizations work with specialized information systems, such as electronic health record (EHR) platforms, practice management support systems, clinical decision support systems, e-prescribing systems, and more standard IT systems, such as email, administrative platforms, and electronic billing software.
Considering these and other challenges to data security and compliance, one effective way to help ensure that healthcare organizations remain secure and compliant is through a thorough HIPAA security risk assessment performed by an experienced healthcare IT specialist.
A HIPAA security assessment is a thorough audit of how and where PHI is being accessed, designed to help keep a practice compliant with HIPAA's administrative, physical, and technical requirements. A thorough risk assessment should also flag any areas of your infrastructure or operations that might place PHI at risk. Every covered entity is required to conduct regular security assessments and act upon any identified issues.
A comprehensive HIPAA security risk assessment should identify potential risks throughout your information systems and IT operations, including the following:
Once the HIPAA security assessment is completed, you should have a series of deliverables that will form part of your HIPAA documentation. These might include a HIPAA management plan, an audit of all in-use and inactive computers, a user identification worksheet, a file scan report, a drive encryption report, a share permissions report, and a login history for each computer.
Cybercriminals change their tactics and tools frequently, so it's vital that you keep your security systems up to date. In addition, any changes to your systems, policies and procedures, and even staffing can have an impact on your cybersecurity. This is why it's critical to schedule risk assessments at least annually, and preferably after every major change in your work practices or IT systems.
The following five common security risks help show the tremendous value of a HIPAA security assessment.
According to HIMSS, most significant security incidents in healthcare are caused by phishing.
A phishing attack typically involves an email designed to make a user accidentally download damaging software by convincing the user that the email was sent by someone or some organization they know or trust. Alternatively, the email might elicit confidential information from the user.
One of the most effective ways to protect your organization from phishing attacks is to confirm that your staff are current on their security awareness training. The firm that conducts your HIPAA security risk assessment should also be able to provide ongoing training to better help ensure that your organization stays secure over the long term.
Malware is any software that causes damage to your information security systems, usually introduced as a virus. In healthcare, common threats include viruses that steal usernames and passwords and software that wipes entire disk drives so that the data cannot be recovered.
One of the most serious forms of malware is ransomware. Once ransomware has been introduced into a data storage system, the data is encrypted so that authorized users are no longer able to access it. The organization that stored the data is then told by the cybercriminal behind the ransomware to pay, typically in cryptocurrency, to have the data decrypted. However, there is no guarantee that the criminal will actually decrypt the data once a payment is made.
Given the value of healthcare information, healthcare organizations are appealing targets for cybercriminals and ransomware. A HIPAA risk assessment will help identify any areas in which your organization may be vulnerable to a cyberattack with malware or ransomware.
If an unauthorized user is able to access a computer or device used to store PHI, that data can be compromised. This unauthorized use could be malicious — for instance, if the user steals the device or plans to sell PHI on the dark web. However, it can also be the result of user error. For example, unauthorized access to data can occur if a healthcare worker takes their laptop home to work remotely and then shares that computer with their family members.
There are many steps that healthcare organizations can take to reduce the risk of unauthorized access to sensitive information. For instance, HIPAA guidelines require that all computers and mobile devices have a password-protected automatic logoff function so that the device is locked once the authorized user leaves it unattended. A HIPAA security risk assessment will also help identify devices that might be at particular risk of unauthorized use, such as decommissioned computers in storage, and will help ensure that all computers have automatic logoff set up.
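As an added example (not Medicus IT's own tooling or any assessment provider's script), the following PowerShell collects per-computer evidence for the deliverables listed earlier (drive encryption report, share permissions report, login history) and checks the automatic logoff setting just described. It assumes it is run as a local administrator on a Windows workstation with the BitLocker and SmbShare modules available; the output folder and 30-day lookback window are assumptions.

```powershell
# Added example, not from the page or the provider it describes.
# Assumptions: local admin on Windows with the BitLocker and SmbShare modules.
$ComputerName = $env:COMPUTERNAME
$OutDir       = 'C:\HIPAA-Assessment'   # assumed output folder for assessment evidence
$LookbackDays = 30                      # assumed window for the login history report

function Get-DriveEncryptionReport {
    # Drive encryption report: each BitLocker-capable volume and whether protection is on.
    Get-BitLockerVolume -ErrorAction SilentlyContinue |
        Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionMethod
}

function Get-SharePermissionsReport {
    # Share permissions report: which accounts are granted which rights on each SMB share
    # (administrative shares ending in $ are skipped).
    Get-SmbShare | Where-Object { $_.Name -notmatch '\$$' } | ForEach-Object {
        $share = $_
        Get-SmbShareAccess -Name $share.Name |
            Select-Object @{n='Share';e={$share.Name}}, @{n='Path';e={$share.Path}},
                          AccountName, AccessControlType, AccessRight
    }
}

function Get-LoginHistoryReport {
    # Login history: successful logons (Security event 4624) in the lookback window,
    # limited to interactive, unlock, remote and cached-interactive logon types.
    # For 4624, Properties 5, 8 and 18 hold TargetUserName, LogonType and IpAddress.
    $since = (Get-Date).AddDays(-$LookbackDays)
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4624; StartTime=$since} -ErrorAction SilentlyContinue |
        Where-Object { $_.Properties[8].Value -in 2, 7, 10, 11 } |
        Select-Object TimeCreated, @{n='User';e={$_.Properties[5].Value}},
                      @{n='LogonType';e={$_.Properties[8].Value}}, @{n='Source';e={$_.Properties[18].Value}}
}

function Get-AutoLogoffStatus {
    # Automatic logoff check: the "Interactive logon: Machine inactivity limit" policy is
    # stored in InactivityTimeoutSecs; a missing value or 0 means no forced lock.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $secs = (Get-ItemProperty -Path $key -Name InactivityTimeoutSecs -ErrorAction SilentlyContinue).InactivityTimeoutSecs
    [pscustomobject]@{ InactivityTimeoutSecs = $secs; AutoLockEnforced = ($secs -gt 0) }
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
$evidence = [ordered]@{
    Computer         = $ComputerName
    Collected        = (Get-Date).ToString('o')
    DriveEncryption  = @(Get-DriveEncryptionReport)
    SharePermissions = @(Get-SharePermissionsReport)
    LoginHistory     = @(Get-LoginHistoryReport)
    AutoLogoff       = Get-AutoLogoffStatus
}
$evidence | ConvertTo-Json -Depth 4 | Set-Content -Path (Join-Path $OutDir "$ComputerName.json")
```

Run it on each in-scope computer and keep the resulting JSON files with the assessment documentation; a machine with `AutoLockEnforced` false or a volume with `ProtectionStatus` off is a finding to act on.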
Many healthcare practices are still working with outdated and unsupported legacy systems. Healthcare systems are often expensive to upgrade, or an upgrade may not be available. Some organizations may also be reluctant to switch from a legacy system to a more current but less familiar platform, given the potential costs and time involved in training staff with a new platform.
Cybersecurity issues can arise if the practice is still using a system that is no longer supported by the manufacturer. Without support, no security patches, bug fixes, or updates are released to keep the system secure, so it may become compromised.
One challenge for healthcare cybersecurity is that many organizations have a significant legacy system footprint. The disadvantage of legacy systems is that they are typically not supported anymore by the manufacturer and, as such, there is generally a lack of security patches and other updates available. A HIPAA security assessment will identify any systems that represent security risks, with the assessment provider helping determine practical next steps to address such vulnerabilities.
Perhaps the most significant cybersecurity risk of all is human error. The best way to keep PHI safe is to make sure that your staff are familiar with cybersecurity best practices and to build a risk-aware working culture. Regular security awareness training is an absolute must in healthcare. An experienced healthcare IT specialist that provides a HIPAA security risk assessment will discuss education and training opportunities for your staff that can help establish a risk-aware culture and reduce the risk of human error.
A HIPAA security risk assessment should be a cornerstone of your HIPAA compliance policy. It's important to bear in mind that HIPAA assessments should be performed by a qualified third party, not by your in-house IT provider. This is because a specialized healthcare IT firm — like Medicus IT — is more likely to identify gaps and opportunities for improvement that you've missed and will provide a more objective report that builds a comprehensive picture of your cybersecurity status.
To learn more about what to expect during a HIPAA security risk assessment and the value it should provide to your healthcare organization, download this HIPAA Cyber Security Risk Assessment Checklist.