Healthcare is becoming more digitized by the day to help streamline workflows and improve proactive patient care. Statistics indicate that for every hospital bed in the United States, there is an average of 10 to 15 connected medical devices being used to collect and transmit patient information [1].
Hardware and software solutions offer unique challenges and opportunities for cybersecurity. Therefore, it’s important for healthcare organizations to implement cybersecurity best practices to safeguard patient health information from cybercriminals.
Securing connected medical devices is key to mitigating cybersecurity threats. Medical devices should employ access controls to help secure patient data. Below are some examples of access controls that can be incorporated into a connected medical device:
It’s important that security does not hinder patient care and that it is mindful of clinical workflow to ensure users do not find workarounds that end up compromising patient data. Therefore, organizations must determine what level of security is required for each situation.
Additionally, clinicians should never share login credentials with anyone inside or outside the organization or remain logged into a device when not actively using it. These activities expose the organization to the risk that an unauthorized user could gain access to a medical device.
Strong passwords can help prevent cybercriminals from gaining unauthorized access to a network by discouraging them or slowing them down [3]. When creating a strong password, it’s important that it does not include personal information such as your name, birthdate, or the name of a family member or pet.
Here are some characteristics of strong passwords:
Cybercriminals commonly acquire patient health information (PHI) through tactics such as phishing and malware. Statistics show that 24% of physicians are unable to identify these specific tactics [4]. To help safeguard your network from untrusted users, it’s vital to only access PHI via secure connections (e.g., secure applications and web portals) and to avoid opening unexpected attachments and clicking on links from unknown senders. Symptoms of an infected computer include [3]:
Insider threats also put PHI at risk, especially in healthcare. A recent survey from Accenture uncovered that 1 in 5 healthcare employees would sell confidential information to unauthorized parties, proving that internal actors are financially motivated to steal PHI [5]. To protect the organization from malicious actors, be sure to lock computers when not in use and back up data in case information is compromised.
It’s crucial for employees to undergo regular and comprehensive education on cybersecurity best practices to help protect both PHI and the organization. Cybersecurity education should include a review of HIPAA rules and regulations to avoid violations as well as training on threat identification and reporting.
To help you stay informed and safeguard PHI, we’ve created a cybersecurity best practices checklist to help ensure your hardware and software are secure.
1. HIT Consultant Media. Protecting Medical Device Security in the Age of Ransomware. https://hitconsultant.net/2018/06/25/medical-device-ransomeware/. Accessed December 6, 2018.
2. Imprivata. Single sign-on (SSO). https://www.imprivata.com/single-sign-on-sso. Accessed November 26, 2018.
3. The Office of the National Coordinator for Health Information Technology. Top 10 Tips for Cybersecurity in Health Care. https://www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf. Accessed December 6, 2018.
4. Becker's Healthcare. 24% of physicians can't identify phishing emails: 5 things to know. https://www.beckershospitalreview.com/cybersecurity/24-of-physicians-can-t-identify-phishing-emails-5-things-to-know.html. Accessed November 1, 2018.
5. Becker's Healthcare. 1 in 5 health employees willing to sell confidential data: 7 survey insights. https://www.beckershospitalreview.com/cybersecurity/1-in-5-health-employees-willing-to-sell-confidential-data-7-survey-insights.html. Accessed November 1, 2018.