Healthcare covered entities and business associates can reduce their cyber security risks by focusing on three areas – defend, detect, and defeat.  The cyber security industry refers to these areas with different words, but the same basic meaning.  Sometimes you’ll hear prevent, detect, respond, but we like defend to remind us we’re at war and defeat so we have a goal to stop data loss.

Defend begins with governance, compliance and organization.  It involves

  1. assessing what you need to protect,
  2. deciding how best to protect it, and
  3. determining who is responsible.

For example, identify and prioritize the importance of your data, ePHI being top priority.  Decide to invest in an EMR system that encrypts the ePHI at rest and in motion.  Many don’t.  Make sure anti-virus, anti-malware, and firewalls are in place and maintained.  Run penetration tests internally and externally.  Run HIPAA compliance and vulnerability tests on your computers regularly to ensure they are up to date on patches and that security settings are hardened, i.e. configured to provide the highest practical protection.  And last but definitely not least is to train your staff to defend against cyber attacks.  Phishing is a large cause of breaches and lost ePHI.  Don’t ASSUME they know.  Assume your staff does NOT know how to be safe on your computers and that they are being attacked.

Detect requires monitoring your data and the users and systems that can access it.  There are many different approaches, but start by learning how to monitor and detect inappropriate access.  EMRs should have logs or reports that state which user accessed which data.  Review these reports regularly so you can quickly spot suspicious activity.  Initially it will be a slow process, but eventually you will recognize patterns, the reviews will become quick, and anomalies will be easy to spot.  Detect also implies you must train your staff to know about cyber threats and how to avoid them, respond to them and report them to IT staff.
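The kind of access-log review described above, as an added example that is not part of the original post.  The log format, the roles, the care-team assignment table, the business-hours window and the bulk-access threshold are all assumptions made here for illustration; a real EMR's audit export will differ, and the thresholds should be tuned to what is normal for your practice.  The script turns the three patterns a reviewer learns to spot (off-hours access, access to patients not on the user's care team, and one user opening an unusual number of charts in a day) into repeatable checks over constructed sample log lines.

```python
"""Review constructed EMR access-log lines for signs of inappropriate access.

Added example, not code from the original post.  Everything below (the
comma-separated export format, the assignment table, BUSINESS_HOURS and
BULK_THRESHOLD) is an assumption chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample of an EMR audit export: timestamp,user,role,patient,action
SAMPLE_LOG = """\
2024-03-04 09:12:05,nurse01,nurse,P1001,view
2024-03-04 09:15:40,nurse01,nurse,P1002,view
2024-03-04 09:20:11,drsmith,physician,P1001,update
2024-03-04 23:48:30,clerk07,billing,P1003,view
2024-03-04 10:01:00,nurse02,nurse,P1004,view
2024-03-04 10:01:30,nurse02,nurse,P1005,view
2024-03-04 10:02:00,nurse02,nurse,P1006,view
2024-03-04 10:02:30,nurse02,nurse,P1007,view
2024-03-04 10:03:00,nurse02,nurse,P1008,view
2024-03-04 10:03:30,nurse02,nurse,P1009,view
2024-03-04 11:30:00,drsmith,physician,P1010,view
"""

# Constructed care-team assignments: the patients each user is expected to touch.
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002"},
    "nurse02": {"P1004", "P1005"},
    "drsmith": {"P1001", "P1002", "P1010"},
    "clerk07": {"P1003"},
}

BUSINESS_HOURS = (7, 19)  # assumed: accesses from 07:00 up to 19:00 are expected
BULK_THRESHOLD = 5        # assumed: more distinct charts per user per day deserves review


def parse_log(text):
    """Parse the assumed export format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "user": user, "role": role, "patient": patient, "action": action,
        })
    return events


def find_anomalies(events, assignments=ASSIGNMENTS,
                   business_hours=BUSINESS_HOURS, bulk_threshold=BULK_THRESHOLD):
    """Return (rule, user, detail) findings for a human reviewer to examine."""
    findings = []
    per_user_day = defaultdict(set)
    start, end = business_hours
    for ev in events:
        # Rule 1: access outside the assumed business-hours window.
        if not (start <= ev["time"].hour < end):
            findings.append(("off_hours", ev["user"],
                             f"{ev['patient']} at {ev['time']:%H:%M}"))
        # Rule 2: access to a patient not on the user's care-team list.
        if ev["patient"] not in assignments.get(ev["user"], set()):
            findings.append(("not_assigned", ev["user"], ev["patient"]))
        per_user_day[(ev["user"], ev["time"].date())].add(ev["patient"])
    # Rule 3: one user opening an unusual number of distinct charts in a day.
    for (user, day), patients in per_user_day.items():
        if len(patients) > bulk_threshold:
            findings.append(("bulk_access", user, f"{len(patients)} patients on {day}"))
    return findings


if __name__ == "__main__":
    for rule, user, detail in find_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{rule:<13} {user:<8} {detail}")
```

Each finding is a lead for the reviewer, not a verdict: a billing clerk working late or a nurse covering a colleague's patients may be legitimate, and the assignment table has to be kept current for rule 2 to mean anything.  The value of the script is that the same three questions get asked of every day's export, so the slow manual review the post describes becomes a short look at a handful of flagged rows.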

Defeat requires that you take action at the first signs of a potential breach or a credible threat.  The first step is to deactivate the technology under attack.  For example, shut down the EMR server or disconnect it from the Internet until the threat is stopped and protection against it is in place.  This requires that a plan be developed for such an emergency and that staff be trained to implement it.

The place to begin improving your ability to Defend your business, Detect threats and Defeat intrusions is with a thorough Security Risk Assessment.  The results should include a complete map of all PHI, including where it is created, manipulated, stored and transmitted.  Computer systems and networks should be tested for vulnerabilities and HIPAA compliance.  Only by performing a NIST-compliant SRA will you establish a baseline and be able to efficiently improve your security and properly protect your business.