HIT tip of the day: Don't respond to cyberattacks — prevent them

Staff -

Based on many of the recent cyberattacks and hacks into hospital systems, insurance providers and clinics, there is a clear need for increased security regarding health IT that too few companies are concerned about.

Jen Martinson, general manager for Secure Thoughts: HIPAA guidelines require enhanced security regarding patient information — Dropbox and Gmail are not permitted for the transfer of patient data due to their relative lack of security — and hospitals need to abide or suffer the consequences. Patients want to believe technology will help them, but they will be justifiably outraged if their private health information and any related information, such as their address, is released to the criminal world. This could lead to tenuous relationships between patients and their healthcare providers or even patients and their doctors.

Hospitals and health insurance companies need to have a plan not only for a response to a cyberattack, but a plan for prevention. Human error has nearly always been the leading cause of security breaches, as hackers much prefer to use social engineering and stolen login information rather than doing the figurative equivalent of taking a battering ram to the front door.

Guidelines should include the following:
• Make sure all employees from the bottom to the top, anyone who has even the most basic level of computer access, know the basics of IT security. They should know what kind of passwords to use — 10 or more characters of different lengths with no dictionary words included in the password — the importance or firewalls and additional verification, ways to spot a scam or something off with the system and what programs to not use to share information.

• Hospitals should conduct an IT security review at least every three months, preferably more often considering the prevalence of hackers targeting healthcare providers, where all systems both human and computer are checked for vulnerabilities. Feedback should be constructive with a focus on fixing the problems, not punishing them.

• While the latest and most expensive technology doesn't have to be used, it does need to be adequate for the tasks at hand. Dated systems don't receive the support modern systems do and there is a subset of cybercriminals that know this and will take advantage of it.

• Healthcare providers should provide devices to employees for work use and prohibit the use of personal devices for work purposes. Personal devices often are not as secure and the mixing of accounts could lead to a hacker striking it lucky with a stolen iPhone.

 

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.