By A. Andrews Dean, CPHIMS, CHDA, CPHI, CPPM, CPC
From the acceleration of interoperability and health information exchange initiatives to the implementation of information blocking rules that give patients greater control over their own health information, all signs point to a golden age of digital health information.
Even a crisis as significant as the COVID-19 pandemic could prove a turning point in virtual healthcare delivery, with the dramatic increase in remote healthcare operations and patient services, such as telehealth.
Unfortunately, every emerging opportunity exposes new vulnerabilities, making digital transformation a target-rich environment for malignant opportunists seeking to attack and steal protected health information (PHI).
Privacy and security professionals are tasked with protecting and managing ever-larger data sets and an increasing number of interfaces, devices, and access points used by healthcare organizations vulnerable to hackers.
The coronavirus pandemic has proved the perfect cover for new and evolving cyberthreats. According to World Health Organization (WHO), “Hackers and cyber scammers are taking advantage of the… pandemic by sending fraudulent email and WhatsApp messages that attempt to trick you into clicking on malicious links or opening attachments. These actions can reveal your username and password, which can be used to steal money or sensitive information.”
In this era of increased connectivity, health information management (HIM) and health IT teams need access to real-time cyberthreat intelligence. Sharing this intelligence within and between organizations can be a strategic asset in mitigation and threat prevention.
“Whether done with peers or as part of a formal group or initiative, information sharing with others is key to understanding what has happened, what is happening, and what may happen in the future,” says Lee Kim, director of privacy and security at HIMSS. “In addition to sharing information with peers, we also need to… share information within the walls of our own organizations.”
One of the main benefits of participating in a threat-sharing program is getting notified about possible cyber-attacks and which mitigations to implement to avoid being hacked. When an attack occurs at one healthcare organization, similar attacks are not uncommonly occurring against healthcare entities.
Cyberthreat intelligence must be compiled from multiple sources and analyzed for it to ultimately be valuable and actionable. The challenge is that healthcare organizations often run into the issue of determining where and how to safely, securely, and legally participate in cyberthreat information exchange.
Fortunately, best practices are now in place to provide organizations with the tools and standards necessary for healthcare organizations to participate in intelligence exchanges. In this article, we will look at fundamental concepts to help healthcare organizations of any nearly any size further their adoption of cyberthreat information-sharing.
The first step is analyzing your organization’s preparedness. Education and awareness is the best preventative medicine for cyberthreats. Provider organizations should routinely ensure that policies related to email, mobile technology, and bring-your-own-device policies are up to date and that training sessions on cybersecurity practices, threats, and mitigations reflect the most current industry best practices.
Privacy and security teams also should have access to the latest tools and resources to help mitigate threats. For example, organizations should have backups and ensure security patches to systems are applied regularly. Security teams should also leverage security incident event monitoring (SIEM) tools to detect network intrusions; conduct regular vulnerability scans and penetration testing; and monitor security logs and reports for odd or suspicious activity.
Organizational culture around security issues also needs to change. Cybersecurity is not an issue just for the IT team. Cyberthreats should be considered as a matter of organizational risk.
As such, key stakeholders, including HIM, informatics, health IT, legal, risk management, safety, quality assurance, compliance, and privacy and security personnel should be involved, says Errol Weiss, chief security officer of H-ISAC (Health Information Sharing and Analysis Center), a global, nonprofit, member-driven organization that offers healthcare stakeholders a forum for coordinating, collaborating, and sharing vital physical and cyberthreat intelligence.
Additionally, organizations should educate providers and staff at all levels of management about basic cybersecurity and how to avoid being hacked. Consider a cybersecurity tabletop exercise to gauge staff readiness to confront different risk scenarios and cyberthreats. (Organizations can access several free exercises here.)
“If your organization isn’t already sharing cyberthreat information, then it should be establishing a foundation of what it means to share cyber-threat risks effectively and confidently to help improve its cyber posture,” says Weiss. “Each organization can customize its level of involvement in a cyberthreat analysis sharing to set expectations that are appropriate for an entity’s size, resources, and operations.”
Cybersecurity—Policy and Practice
According to Weiss, private-public partnerships are essential to surviving threats to PHI and critical healthcare infrastructure.
“Don’t bite off more than you can chew,” he says. “Identify the right level of threat intelligence that will help your organization best protect your assets while still allowing for actionable results.”
For example, it’s not reasonable to think your organization has to share every detail of its security configuration or incidents to contribute to cyberthreat intelligence-sharing. Sharing something as basic as a suspicious IP address or email spam can help your organization resolve the threat, as well as help the next company prevent an attack.
Nor can any level of information-sharing mitigate all security issues. A rigorous set of HIPAA policies, procedures, and information governance practices are needed to complement security software and ensure that PHI and other sensitive data belonging to your organizations data protected.
Think of information-sharing as one tool in a much larger arsenal that includes:
- Response plans for cyberattacks, vulnerability mitigation, and disaster preparation
- Cyberattack reporting and communication protocols and checklists that describe requirements for reporting suspicious activities and define cybersecurity roles and responsibilities throughout the organization
- Leveraging cyber-intelligence organizations and public-private partnerships to validate processes and protocols
- Staying up to date to industry standards, such as H-ISAC, NIST CSF and HITRUST
- The ability to perform a root-cause analysis after any suspected breach
Weiss points to several resources that can help healthcare organizations design, implement, and maintain a successful cyber-threat information-sharing program and includes what information to share; how to share the information; and how to obtain internal and legal approvals for information sharing processes.
A Successful Cyberdefense Strategy
Through collaborative cyberthreat information sharing, healthcare organizations can mutually learn from each other about both cyberattacks and risk mitigations so they can prepare and improve their own security posture. This can be even more useful for small to mid-sized healthcare organizations with lower overall budgets and resources devoted to cybersecurity.
Ultimately, a successful cyberdefense strategy must include up to date, relevant, actionable information about current cyber risks and threats in the digital healthcare ecosystem. The only way to effectively combat and neutralize these threats are through a cyber community that shares resources and information, just as the hackers collaborate.
Health Information Sharing and Analysis Center. H-ISAC offers a number of free tools and resources on cyberthreat mitigation, including a 60-day free membership to healthcare organizations.
AHIMA Guidelines: The Cybersecurity Plan. Open-access guidance for the creation of a cybersecurity plan.
Free Cybersecurity Webinar from AHIMA
Access a free on-demand webinar on how healthcare organizations identify and mitigate cybersecurity threats during the COVID-19 pandemic. “Cybersecurity & Health-ISAC’s Response to the COVID-19 Pandemic” is hosted by Errol Weiss, Chief Security Officer, H-ISAC (Health Information Sharing and Analysis Center) and A. Andrews Dean, CPHIMS, CHDA, CPHI, CPPM, CPC, Healthcare Informaticist & Value-Based Health Analyst Health IT Consultant. Complimentary registration can be found here.
Andrews Dean is a health IT regulatory compliance and quality analyst /digital health strategist.