In the past year, more companies have moved their operations online and have provided more remote workforce options than ever before. In the spring of 2021, with a goal of being even more strategic in anticipating the many challenges ahead, NIST has identified priority areas for the next several years.
For example, NIST is working to enhance its risk management initiatives and is seeking public comment on the Cybersecurity Framework (CSF) - including how it is being used and how it can be improved. Other priority areas that continue to be of utmost importance in the healthcare industry include:
- Cybersecurity awareness
- Training and education
- Workforce development
- Identity and access management
- Securing emerging technologies
Let's review the cybersecurity imperatives while we anticipate the updates to the CSF.
According to the Healthcare Industry Cybersecurity Task Force, "Cybersecurity is a key public health concern that needs immediate and aggressive attention." Whether through culture shifts and increased communication to and from leadership, or changes in the way healthcare professionals perform their duties in the clinical environment, it is important to prioritize cybersecurity within the healthcare industry.
The Task Force identified six high-level imperatives to organize its recommendations and action items. The Task Force Imperatives are:
- Define and streamline leadership, governance, and expectations for health care industry cybersecurity.
- Increase the security and resilience of medical devices and health IT.
- Develop the healthcare workforce capacity necessary to prioritize and ensure cybersecurity awareness and technical capacities.
- Increase healthcare industry readiness through improved cybersecurity awareness and education.
- Identify mechanisms to protect research and development efforts and intellectual property from attacks or exposure.
- Improve information sharing of industry threats, weaknesses, and mitigations.
What can your organization do to make Cybersecurity a priority?
Compliance experts at HCP have put together the following six recommendations that can be implemented immediately to aggressively prevent cyberattacks:
- Batten down the hatches - According to the Department of Health and Human Services (HHS), "HIPAA requires organizations that handle protected health information to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information." For example, to protect your data from malicious software, keep operating systems and applications current with vendor patches and updates, and install anti-virus software that updates its signatures and runs scans automatically. You may also consider anti-spyware and anti-adware tools that update and scan on a regular schedule.
- Know your devices - Anyone who has performed a Security Risk Analysis (SRA) with us knows we ask about your inventory. Do you know all of the devices (including employee-owned devices) that are permitted to access electronic protected health information (ePHI)? It is especially important to maintain a comprehensive listing of the organization's IT assets with corresponding descriptive information, such as the identification of the asset (e.g., vendor, asset type, asset name/number), the version of the asset (e.g., application or OS version), and the asset assignment (e.g., the person accountable for the asset and its location).
- Encourage the use of strong passwords - Weak passwords continue to be a threat to data in the healthcare industry. Eliminate weak passwords by requiring a case-sensitive combination of letters, numbers, and special characters of at least 8 characters in length, and keep in mind that current NIST guidance (SP 800-63B) favors longer passphrases, screening new passwords against lists of known-breached passwords, and multi-factor authentication over complexity rules alone. Passwords should never be shared with anyone or written down, and should not contain information that is easy to guess, such as a name, a birth date, or the organization's name.
- Identify deficiencies - What are potential threats and vulnerabilities that pose a risk to your information? It is important to perform continuous monitoring of your organization to ensure policies and procedures are being followed. HCP's HIPAA Virtual Walkthrough and Security Risk Analysis (SRA) will help identify deficiencies and ensure you have a plan in place to prevent impermissible use or loss of your information.
- Make improvements - As part of our Security Risk Analysis, compliance experts at HCP will create a corrective action plan for your organization, a tool that helps you proactively reduce the chance of a successful attack. Some corrective actions should be taken immediately; others can be scheduled over time. Address deficiencies with both high impact and high likelihood first, and lower-risk deficiencies throughout the year. For example, if you find data backups stored in an unlocked room or on unencrypted hard drives, take immediate action to restrict access, such as moving them to a locked, access-controlled space and encrypting the drives.
- Be on the lookout - Cybercriminals are targeting the healthcare industry now more than ever before. We recommend training your employees on how to avoid phishing attacks and other threats and vulnerabilities. Our "Cyber Security Awareness Training" located in the HCP Course Library would be a great resource for any healthcare organization. Remember, it is much easier to prevent an incident from happening than it is to mitigate a breach once it has occurred.
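The password recommendation above can be turned into a concrete check. The following is an added example (not HCP's code or policy) that implements the page's 8-character complexity rule side by side with a NIST SP 800-63B-style check: a minimum length, a blocklist of known-breached passwords, rejection of user-specific values, and rejection of sequential or repeated runs. The 12-character minimum is an assumed organizational choice, and the breached-password list is a small constructed stand-in for a real corpus (a production system would compare SHA-1 hashes against a service such as Have I Been Pwned, which this code does not contact).

```python
import hashlib
import re

# Constructed stand-in for a breached-password corpus (hypothetical; a real
# deployment would query a service such as Have I Been Pwned by SHA-1 prefix).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("P@ssw0rd", "Welcome1!", "Summer2021!", "Password123!")
}

MIN_LENGTH = 12       # assumed organizational minimum; SP 800-63B requires at least 8
RUN_LENGTH = 5        # length of a sequential/repeated run that is rejected


def meets_legacy_policy(pw: str) -> bool:
    """The page's stated rule: 8+ characters with upper, lower, digit and special."""
    checks = [
        len(pw) >= 8,
        re.search(r"[A-Z]", pw),
        re.search(r"[a-z]", pw),
        re.search(r"\d", pw),
        re.search(r"[^A-Za-z0-9]", pw),
    ]
    return all(checks)


def has_sequential_run(s: str, n: int = RUN_LENGTH) -> bool:
    """True if any n-character window is ascending, descending, or all one character
    (e.g. 'abcde', '54321', 'aaaaa')."""
    for i in range(len(s) - n + 1):
        window = s[i:i + n]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({1}, {-1}, {0}):
            return True
    return False


def check_password(pw: str, user_context=()) -> list:
    """NIST SP 800-63B-style evaluation. Returns a list of problems; empty means accepted.

    user_context holds values tied to the account (username, employee ID, site name)
    that a password must not contain.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if hashlib.sha1(pw.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("appears in breached-password list")
    lowered = pw.lower()
    for token in user_context:
        if token and token.lower() in lowered:
            problems.append(f"contains user-specific value {token!r}")
    if has_sequential_run(pw):
        problems.append(f"contains a sequential or repeated run of {RUN_LENGTH}+ characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs showing where the two rules disagree.
    samples = ["P@ssw0rd", "correct horse battery staple", "Jsmith2024!!", "abcdefghijkl"]
    for pw in samples:
        print(f"{pw!r}: legacy={meets_legacy_policy(pw)} problems={check_password(pw, ['jsmith'])}")
```

The contrast is the point: "P@ssw0rd" satisfies the legacy complexity rule yet is on every breached-password list, while a long passphrase fails the legacy rule despite being far harder to guess. Length plus a blocklist catches what character-class rules miss.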
We can help
Whether you need help training your employees or developing policies to prevent cyberattacks, HCP compliance experts can provide tools and expertise to help your organization aggressively prevent cyberattacks.
If you have any questions, feel free to reach us by email at firstname.lastname@example.org or by phone at 855-427-0427.
Not a current HCP client? Schedule a free consultation.