17 Measures Every Health Care Organization Should Consider to Reduce the Risk of Cyber-Intrusions

The importance of privacy in the health care industry starts at the most basic level between a patient, a doctor, and the doctor’s laptop computer. The levels of importance and complexity increase exponentially when you look at entire networks of payers and providers. The amount of data produced and stored in these organizations is staggering, and keeping it secure is of the utmost importance. We have identified misconceptions about cybersecurity. We’ve covered some of the legal obligations the C-suite is under to secure its organization’s data. With the rise of cyber-intrusions like ransomware, we know it’s important to effectively train employees and follow the guidelines provided by the Federal Department of Health and Human Services.

With the developments expected in this space under the Trump Administration, it is vital that every health care organization is prepared on the cybersecurity front.

Below is our list of 17 measures every health care organization should consider to reduce the risk of cyber-intrusions.

  1. Conduct internal compliance and risk assessments, to determine your organization’s vulnerability to cyber-attacks. This includes, but is not limited to, the security risk analysis required under the HIPAA Security Rule for covered entities and their business associates.
  2. Develop and implement corporate policies and procedures required for compliance with federal and state privacy and security laws.
  3. Develop quick-response teams to handle potential cyber-attacks, using pre-formulated decision trees and procedures so that you don’t have to develop them while under the fire of an ongoing attack.
  4. Establish secure data backup protocols to ensure that, even if your company is under attack, important company records are secure and available.
  5. Establish protocols to deal with common forms of cyber-attacks (denial of service, etc.).
  6. Line up outside experts, if necessary based upon the risk profile of your company, to swing into action if company processes are overwhelmed by a cyber-attack.
  7. Perform periodic audits of cybersecurity practices against industry norms, accepted best practices, and the risk profile of your organization.
  8. Implement information security best practices and reflect them in information security policies, records retention and management policies, and internal controls/standard operating procedures.
  9. Make certain the CEO and executive leadership are properly informed about the cyber risks to your company and that they’re involved in oversight and the decision-making process related both to cyber-attacks and proactive cybersecurity measures.
  10. Review funding of all electronic security measures to ensure they are adequate to cover not only routine compliance measures but also to allow for proactive testing and probing of systems in light of increasingly sophisticated measures being used by hackers.
  11. Collect only the protected health information and personally identifiable information from clients, customers, or company personnel that is needed for identified business needs, retain it only for as long as it serves those business needs, and store it in a way that minimizes the chance of it being of any use outside the organization (encryption, etc.).
  12. Obtain cyber insurance and understand the coverage, including the legal counsel and other experts the company is permitted to engage under the policy.
  13. Coordinate cyber incident response planning across the entire company.
  14. Store sensitive information securely (encrypting where appropriate) and away from other data that does not require the same level of protection. Use a layered defense approach to protect “crown jewel” information.
  15. Conduct appropriate data security due diligence on third-party service providers with access to protected health information, personally identifiable information, and/or sensitive business information, and require them to enter into agreements that they are implementing robust data security procedures, following up to ensure these requirements are in fact implemented.
  16. Assess ways in which your company’s access vulnerabilities (website, VPNs, remote access, and so forth) are configured to minimize potential intrusion risk, with regular testing and probing to update and address identified risks.
  17. Perform companywide training, tailored to the personnel at issue, to ensure personnel understand the importance of following all security policies and procedures and reporting any suspected violations.

This list was generated as part of a Legal News: Cybersecurity newsletter by Greg Husisian, Chanley Howell and Jacob Heller titled, “Cybersecurity and the New Trump Administration: Your Top Ten Questions Answered.”