The Most Comprehensive Data Protection Solution

Discover, classify, and protect your data from all threats with the only Gartner Magic Quadrant DLP and Forrester Wave EDR Leader.

First and Only Solution to Converge:

  • Data Loss Prevention
  • Endpoint Detection and Response
  • User and Entity Behavior Analytics
DATAINSIDER

Digital Guardian's Blog

20 Information Security Tips for Hospitals

by Chris Brook on Tuesday December 4, 2018

Contact Us
Free Demo
Chat

Encryption, monitoring data access, and ensuring there's a recovery plan in place: In this week's Data Protection 101 we countdown 20 information security tips designed to help hospitals better safeguard sensitive patient data.

Hackers attack hospital information systems because that’s where the data is. Consider this along with the extra precautions mandated by the Health Insurance Portability and Accountability Act of 1996 (HIPAA), and it’s clear that hospitals need to be incredibly vigilant about protecting their data.

To help focus efforts, here are 20 information security tips for hospitals:

1. Establish a security culture

Security policies are no good unless the employees are willing to protect the hospital and follow best practices. Leadership must set the example and help train employees.

2. Protect mobile devices

One of the features of electronic health records (EHRs) is that they don’t have to be used on desktop computers. It’s tempting to allow clinicians to access EHRs on mobile devices such as phones and tablets. But those devices are more vulnerable to theft and unauthorized access.

3. Maintain good cyber hygiene

Healthy habits are just as vital to hospital systems as they are to patients’ health:

  • Uninstall unnecessary applications
  • Change default configurations
  • Wipe data from discarded devices

4. Set up firewalls

Rely on trained personnel to set up firewalls to protect hospital systems from external attacks. Firewalls can be based upon hardware or software depending on the size of the hospital system.

5. Install and maintain anti-virus software

Anti-virus software guards against malicious code that can compromise hospital systems. Viruses are a common way for hackers to gain access to hospital systems and are constantly evolving. Anti-virus updates are essential to security.

6. Backup your data

Hospital systems are vulnerable to disasters — fire, flood or hurricanes for example — in addition to malicious hacking. Backing up the data on a regular basis and keeping those backups securely stored is key to recovering from disaster.

7. Control access to protected health information

Determine who needs access to patient records and allow only them to access that data. Use audits to verify who is accessing what data. Don’t neglect to remove employee access of those who have been terminated.

8. Use strong passwords and change them regularly

Use secure password best practices such as:

  • Use multiple passwords for different systems
  • Change passwords regularly
  • Use complicated passwords that aren’t easily guessed
  • Use multi-factor authentication (which is required for e-prescribing systems)
  • Allow password resets for users who forget their passwords to prevent written passwords left in vulnerable locations

9. Limit network access

Flexible networking tools can create inexpensive solutions for hospitals. They also create vulnerabilities. Wireless networks may be easy to set up, but they are vulnerable to unauthorized access if not using encryption.

10. Control physical access

Missing laptops or data storage devices are common sources of healthcare data breaches. These devices need to be kept in secure locations where unauthorized users cannot access them. Security policies should restrict their use outside of facilities to prevent loss.

whitepaper

Healthcare Resource Kit

11. Train staff

Employees are the weakest link in information security. They need to understand proper information security protocols and the consequences of not following protocols.

Assess your employees’ proficiency with information security and design training programs that fill in any gaps. And follow up with more training to keep employees engaged with information security.

12. Implement data usage controls

Use data discovery and classification tools to identify sensitive health data, monitor access, and protect it. These usage control tools can prevent employees from emailing it, uploading it to unauthorized sites or copying it to storage devices.

13. Monitor data access

Keeping track of which users are accessing healthcare data and resources helps identify vulnerable activities and create protective measures. Use monitoring to create audit trails so it’s easier to detect unauthorized access points.

14. Encrypt data

Encrypt healthcare data that is being transferred or stored to make it difficult (ideally, impossible) for hackers to interpret data even in the event of a successful breach. Decisions need to be made concerning what data is to be encrypted and by which methods will be used.

15. Mitigate risk from connected devices

Mobile devices are not the only vulnerability in hospital networks. Medical devices, security cameras and office equipment are often networked. These connected devices offer access points that could lead to patient data. Keep devices on separate networks and monitor for unauthorized access.

16. Perform regular risk assessments

Risk assessments will help understand the organization’s vulnerabilities. Only then can you anticipate security issues and secure hospital systems properly.

17. Evaluate security of business associates

Healthcare is all about sharing information now. Make sure your hospital systems are protected from unauthorized access if someone gains access to a business associate’s network.

18. Maintain software updates.

Outdated software is vulnerable to attack. Hackers can take advantage of older software versions without the latest security patches. It’s worth the time to take systems offline for software updates.

19. Create a recovery plan

Planning for an attack entails developing a plan for getting the hospital systems back online and protecting from another attack.

20. Establish policies for remote access of information

Technology allows healthcare workers to work from anywhere — not just within hospitals. The problem is that it creates vulnerabilities for health information. Policies need to define who can access healthcare information and what information they can access. The devices need to have appropriate security and tracking to protect data.

The U.S. Department of Health & Human Services (DHHS) offers detailed guidance for cybersecurity in healthcare. It’s good reading for all healthcare organizations. As they continue to be a desirable target for cybercriminals, hospitals must take a comprehensive and proactive approach to security to identify and mitigate threats before cybercriminals gain access to their valuable data.

Tags: Data Protection 101

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.