While hospitals may be highly advanced when it comes to saving lives, many of them are not quite as astute when it comes to securing patient and protected health information. Nine out of 10 hospitals in the U.S. have suffered a data breach or intrusion in their networks over the past two years, according to the "Third Annual Benchmark Study on Patient Privacy and Data" by the Ponemon Institute. That is far from acceptable in any industry, but especially horrendous in a field where highly sensitive medical and personal information is at risk.
Hospitals and other healthcare organizations need to ramp up their cyber security, and these 10 tips can help.
1. Implement basic cyber security tools. At the very least, hospital networks should require the basic fundamental protection tools that every network should have. These include next generation firewalls, intrusion prevention systems, virtual private networks and secure sockets layer VPNs. NGFWs serve as an advanced form of firewall protection to combat threats that have learned to wiggle through or around traditional firewalls. VPNs and SSL VPNs allow you to send sensitive information across the very public Internet, with SSL providing an additional layer of security. All these measures help maintain the continuous flow of valid traffic while blocking the unwanted.
2. Fortify authentication measures. When someone logs in to your network, whether it's a hospital administrator or a patient, authentication is a vital tool that should go beyond a simple password. Multi-factor authentication beefs up login procedures by using more than one authentication method while still keeping it easy for the user. Authentication is particularly important when accessing cloud-based data and logging in from smartphones, laptops and other remote devices.
3. Use role-based administration access. Another way to control access is by assigning each administrator a role. Each role has a specific set of predetermined privileges assigned to it. Admins can have more than one role if they need additional access.
4. Centralize security management. Managing the security of your hospital network should be as easy as possible, with the most effective security systems featuring a single interface where you control all network functions in a central location. Centralized management allows you to detect and respond to threats, update and configure all your security devices, manage third-party devices and review everything that's happening without having to access dozens of components.
5. Implement real-time monitoring. The most effective monitoring system features a continuous, real-time monitoring of any potential threats, insight on security devices and information on third-party devices accessing the system. It also allows you to check out traffic statistics, blacklisted traffic, VPN tunnels and any open connections at a glance.
6. Audit security policies and compliance. HIPAA may be your hospital's main compliance concern when it comes to protecting information, but your security policies should also address others. Policies for accessing your network should also be regularly audited to ensure they're being maintained. Existing compliance measures constantly change while new ones may be implemented. With so much sensitive patient information to protect, hospitals especially need to stay on top of the requirements while creating their own set of rules.
7. Reporting. Easy-to-read and easy-to-understand reports are an essential feature for security management, allowing you to perform your own audits. The most useful reports will be those you can customize to meet your specific needs by accessing specific information to note trends, troubleshoot and provide historical data to help analyze and recover from an attack.
8. Customize alert escalation and incident management. If an infiltration or attack does occur on your hospital network, you want to know about it immediately. You also want a security feature that provides detailed information on what happened so you can quickly and effectively correct it. The most effective alert and incident management systems will allow you to keep a log of your corrective actions and customize alert levels so that you instantly know how great a threat you’re dealing with.
9. Install a backup system to ensure high availability. You already know that any type of system failure in a hospital is unacceptable without a feasible backup plan, and the same holds true for your network. Go for a backup management system that is automatically synchronized and allows continuous access to your network if a breach does occur.
10. Keep an eye on the future. Staying current with your hospital cyber security needs is only the first part of the equation. Your cyber security should match your hospital's current needs, but they should also be flexible, scalable and adaptable enough to grow with you into the future. Hospitals that lack the knowledge and resources to remain on the cutting-edge of cyber security may do well to consider outsourcing their needs to a trusted provider.
Many hospitals have slowly begun to embrace the digital age, with digital platforms, the use of remote devices and electronic healthcare records. Unless they more quickly embrace security technology, however, the advances could very well serve as open season for cyber thieves and other threats.
As senior vice president of Stonesoft North America, Richard Benigno leads sales, marketing and operations for Stonesoft. Through his leadership over the past two years, Mr. Benigno doubled revenues and customers through executive sales leadership and one-to-one marketing strategies. He earned his MBA in International Business & Information Technology from Schiller International University, Heidelberg, Germany; as well as a Bachelor of Science, Biology and Chemistry from Oklahoma City University.
Hospitals and other healthcare organizations need to ramp up their cyber security, and these 10 tips can help.
1. Implement basic cyber security tools. At the very least, hospital networks should require the basic fundamental protection tools that every network should have. These include next generation firewalls, intrusion prevention systems, virtual private networks and secure sockets layer VPNs. NGFWs serve as an advanced form of firewall protection to combat threats that have learned to wiggle through or around traditional firewalls. VPNs and SSL VPNs allow you to send sensitive information across the very public Internet, with SSL providing an additional layer of security. All these measures help maintain the continuous flow of valid traffic while blocking the unwanted.
2. Fortify authentication measures. When someone logs in to your network, whether it's a hospital administrator or a patient, authentication is a vital tool that should go beyond a simple password. Multi-factor authentication beefs up login procedures by using more than one authentication method while still keeping it easy for the user. Authentication is particularly important when accessing cloud-based data and logging in from smartphones, laptops and other remote devices.
3. Use role-based administration access. Another way to control access is by assigning each administrator a role. Each role has a specific set of predetermined privileges assigned to it. Admins can have more than one role if they need additional access.
4. Centralize security management. Managing the security of your hospital network should be as easy as possible, with the most effective security systems featuring a single interface where you control all network functions in a central location. Centralized management allows you to detect and respond to threats, update and configure all your security devices, manage third-party devices and review everything that's happening without having to access dozens of components.
5. Implement real-time monitoring. The most effective monitoring system features a continuous, real-time monitoring of any potential threats, insight on security devices and information on third-party devices accessing the system. It also allows you to check out traffic statistics, blacklisted traffic, VPN tunnels and any open connections at a glance.
6. Audit security policies and compliance. HIPAA may be your hospital's main compliance concern when it comes to protecting information, but your security policies should also address others. Policies for accessing your network should also be regularly audited to ensure they're being maintained. Existing compliance measures constantly change while new ones may be implemented. With so much sensitive patient information to protect, hospitals especially need to stay on top of the requirements while creating their own set of rules.
7. Reporting. Easy-to-read and easy-to-understand reports are an essential feature for security management, allowing you to perform your own audits. The most useful reports will be those you can customize to meet your specific needs by accessing specific information to note trends, troubleshoot and provide historical data to help analyze and recover from an attack.
8. Customize alert escalation and incident management. If an infiltration or attack does occur on your hospital network, you want to know about it immediately. You also want a security feature that provides detailed information on what happened so you can quickly and effectively correct it. The most effective alert and incident management systems will allow you to keep a log of your corrective actions and customize alert levels so that you instantly know how great a threat you’re dealing with.
9. Install a backup system to ensure high availability. You already know that any type of system failure in a hospital is unacceptable without a feasible backup plan, and the same holds true for your network. Go for a backup management system that is automatically synchronized and allows continuous access to your network if a breach does occur.
10. Keep an eye on the future. Staying current with your hospital cyber security needs is only the first part of the equation. Your cyber security should match your hospital's current needs, but they should also be flexible, scalable and adaptable enough to grow with you into the future. Hospitals that lack the knowledge and resources to remain on the cutting-edge of cyber security may do well to consider outsourcing their needs to a trusted provider.
Many hospitals have slowly begun to embrace the digital age, with digital platforms, the use of remote devices and electronic healthcare records. Unless they more quickly embrace security technology, however, the advances could very well serve as open season for cyber thieves and other threats.
As senior vice president of Stonesoft North America, Richard Benigno leads sales, marketing and operations for Stonesoft. Through his leadership over the past two years, Mr. Benigno doubled revenues and customers through executive sales leadership and one-to-one marketing strategies. He earned his MBA in International Business & Information Technology from Schiller International University, Heidelberg, Germany; as well as a Bachelor of Science, Biology and Chemistry from Oklahoma City University.
More Articles on Cyber Security:
11 Data Security Tips From Industry Experts
Privacy and HIPAA: What Executives Need to Know Now
Health Information Trust Alliance Issues Guidance for Cybersecurity Preparedness