Health information technology (HIT)
HIT is information technology applied to health and health care. It
supports health information management across computerized systems
and the secure exchange of health information between consumers,
providers, payers, and quality monitors.
Common healthcare security threats
Healthcare cyber threats are a major problem for a few
reasons:
- In addition to a patient’s records, medical provider networks
can contain valuable financial information.
- Since there are very few people who do not see healthcare
providers, nearly everyone’s personal information is available in
some form.
- The interconnected nature of EHRs means hackers who get in have
access to data that has been collected under patients’ names for
years. Sharing patient information is integral to providing the best
possible treatment to patients, but that same sharing also makes
networks extremely valuable targets.
- Staff: Employees have easy access to patient
files. While the majority won’t abuse this power, there’s no
guarantee some won’t steal sensitive information. Criminals can use
this type of information in identity theft, but it can also be used
to intimidate or even blackmail people. There are multiple ways in
which staff can steal records. In some cases, employees access
confidential financial documents and use patients’ credit card
numbers to commit a series of fraudulent purchases. Other workers
have been found to steal face sheets, including demographic and
social security information, which can then be used to commit a
variety of crimes.
- Malware and phishing attempts: Sophisticated
malware and phishing schemes that plant malicious scripts on a
computer or steal login credentials can compromise an entire
system. One of the most challenging issues dealing with malware is
that it only takes one seemingly authentic link to introduce a
nefarious cyber presence into your network. It’s essential to train
staff to recognize common phishing attempts. One common scam is to
have emails from authentic-looking sites request login information
— something reputable companies never ask through an email. Once a
user provides that information, the hacker on the other end can log
in to the system. Different types of viruses will mine
records-related data and automatically send it back to the original
host or leave a backdoor entrance open for later.
- Vendors: Healthcare providers often work with
vendors without assessing the accompanying risk. For example, if a
hospital hires a cleaning company, its employees might gain access
to computers. While patient information should be locked in ways
that the average employee cannot view, it can be difficult to
safeguard all points of access since cleaning and maintenance are
integral to maintaining a healthy work environment.
- Unsecured mobile devices: Healthcare
facilities that allow mobile logins don’t always require the
devices to meet security standards. This leaves their networks
vulnerable to malware and hackers, since the organization’s security
planning and controls do not extend to staff’s personal devices.
The issue is compounded once staff dispose of the equipment during
an upgrade — network information or passwords might still be
accessible, making the device a natural access point for criminals.
Unless the organization sets strict guidelines or bans user devices
altogether, there is little that employers can do.
- Lost and stolen mobile devices: In much the
same way, lost or stolen devices represent an enormous risk. Any
mobile device used to access a facility’s network becomes a
liability as soon as it is lost or stolen. Once it falls into the
wrong hands, whoever holds it can easily access the system using old
or stored login data. Once a criminal has access to the network, it
can be challenging to detect their presence or close the
breach.
- Online medical devices: The security of online
medical devices is often lacking, making them easy targets for
hackers. There was a time when tools such as infusion pumps only
provided information to the doctor and patient involved. However,
as the Internet of Medical Things (IoMT) continues to grow, these
devices are designed to export their information to external
systems and otherwise interact with the world outside the doctor’s
office. This data could be intercepted or manipulated, creating a
host of issues. Moreover, hackers could gain the ability to control
most items connected to the network, including how the machines
function.
- Unrestricted access to computers: Computers
that aren’t in restricted areas can easily be accessed by
unauthorized personnel. If these open computers are connected to
sensitive patient information, unauthorized staff or others in the
area could quickly find damaging information. In other cases,
successful phishing attempts on general-access computers provide a
gateway for hackers into more sensitive areas of the network. Be
sure any computer that holds patient information is placed in a
secure location.
- Inadequate disposal of old hardware: It’s easy
to believe that once you’ve deleted information, you no longer have
to worry about people accessing it. But when users improperly
dispose of hard drives, old terminals and other hardware used to
access a network holding EHRs or credentials, that information is
well within a criminal’s grasp. Well after data has been deleted —
and even after drives have been reformatted — it is often possible
to recover it, meaning anything the user saved is still vulnerable.
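The staff and unrestricted-access threats above both come down to people reading patient records they have no treatment relationship with. The following is an added example, not part of the original article: a small Python audit-log checker that flags users who repeatedly open records of patients outside their own unit. The log format, the field names, the role allowlist and the sample lines are all constructed for the illustration.

```python
"""Flag EHR record accesses that fall outside a staff member's own unit.

Assumed (constructed) audit log format, whitespace separated:
    timestamp user role user_unit patient_id patient_unit
"""
from collections import Counter

# Roles that legitimately read records across all units (assumption).
CROSS_UNIT_ROLES = {"billing"}

# Constructed sample log: nurse_a reads three oncology charts while
# assigned to cardiology; clerk_b (billing) reads across units by design.
SAMPLE_LOG = """\
2024-03-01T08:02:11 nurse_a nurse cardiology P1001 cardiology
2024-03-01T08:05:40 nurse_a nurse cardiology P1002 cardiology
2024-03-01T08:09:03 clerk_b billing billing P1001 cardiology
2024-03-01T09:15:22 nurse_a nurse cardiology P2001 oncology
2024-03-01T09:16:01 nurse_a nurse cardiology P2002 oncology
2024-03-01T09:16:45 nurse_a nurse cardiology P2003 oncology
2024-03-01T10:30:00 dr_c physician oncology P2001 oncology
"""

FIELDS = ("ts", "user", "role", "unit", "patient", "patient_unit")


def parse_log(text):
    """Turn the raw log text into a list of event dicts, skipping blank lines."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(FIELDS):
            continue  # malformed line: ignore rather than crash the review
        events.append(dict(zip(FIELDS, parts)))
    return events


def off_unit_accesses(events):
    """Events where a user read a patient outside their unit, unless
    their role is allowed to work across units."""
    return [e for e in events
            if e["unit"] != e["patient_unit"]
            and e["role"] not in CROSS_UNIT_ROLES]


def flag_users(events, threshold=3):
    """Map user -> count for users whose off-unit reads reach the threshold."""
    counts = Counter(e["user"] for e in off_unit_accesses(events))
    return {user: n for user, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for user, n in flag_users(parse_log(SAMPLE_LOG)).items():
        print(f"review: {user} opened {n} off-unit patient records")
```

In a real deployment the unit assignment and patient-to-unit mapping would come from the EHR and staffing systems, and flagged users would go to a privacy officer for review rather than being treated as confirmed misuse.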
Steps to protect patients
- Educating Employees: Helping employees
understand the role they play in cybersecurity and the impact it
can have on patients’ lives fosters an atmosphere in which security
is valued and respected. Regular briefings and communication on the
state of the organization’s security reiterate the emphasis the
organization is placing on cybersafety. Attending staff training
sessions and making cybersecurity a regular topic in meetings could
also help drive this message home.
- Establishing Procedures: Create a plan that
outlines specific protocols for dealing with information and
networks — both physical and virtual — and make sure they are
followed. By explicitly expressing the expectations, the process
becomes standardized, allowing more comprehensive oversight for
network security monitors. Developing appropriate penalties for
failure to follow the procedures not only discourages inattentive
behavior that may threaten your ability to stay in compliance with
HIPAA but also underscores the value you place on keeping patient
information secure.
- Require Software Updates: Cybercriminals often
take advantage of holes in outdated software or other unsecured
access points. To combat this, force software updates on machines,
use two-factor authentication, and automatically require monthly
password changes that enforce the characteristics of a “strong”
password. You can help your employees with this by configuring
company machines to periodically require such changes, so that
employees only have to come up with a new password or click to
allow updates. Once again, this can be incredibly difficult to
enforce on staff personal devices, so educating employees on the
importance of updates is crucial.
- Set Strict Personal Device Regulations:
Healthcare providers should establish strict protocols regarding
the use of mobile devices, as well as the disposal of hardware that
has held sensitive information in the past. Mobile device
management (MDM) software allows your IT administrators to secure,
control and enforce policies on tablets, smartphones and other
devices, so that employees cannot bypass key policies and your data
stays protected.