How Hospitals Can Prevent Cyber-Attacks

Employee training and other safeguards essential for avoiding cyber attacks and breaches.

Any health information professional reading the news lately was likely not surprised by the results of the Ponemon Institute's "Sixth Annual Benchmark Study on Privacy & Security of Healthcare Data," released in May. For the second year in a row, cyberattacks were the leading cause of data breaches in healthcare, with the average cost of a breach topping $2.2 million and an average of 3,128 records lost or stolen.[1]

Increasingly, attacks such as ransomware, malware and denial-of-service (DoS) are the most common cyber threats facing healthcare organizations, according to the study. Identical to last year's report, organizations' top concern is employee negligence, namely the kind that exposes organizations to hacking attempts and breaches of protected health information (PHI).

The good news is that organizations can use these highly publicized ransomware and other incidents as learning opportunities to educate, train and test staff on the dangers of cyberattacks and breaches. At the same time, organizations need to implement IT safeguards not only to help prevent incidents, but also to detect and remove attackers who may already have gained access to networks or computers.

Employees Opening the Door

Ransomware and other malware that leads to DoS attacks is typically introduced through email. This malware can remain dormant in computers or networks for months after a malicious link has been clicked or an email attachment opened. Silently in the background, the hacker obtains usernames and passwords and accesses different systems, potentially gaining access to all records enterprise-wide. By the time the attack is launched, the cybercriminal has typically encrypted all infiltrated data, rendering it inaccessible to the organization, and then demands payment for delivery of the decryption key.

In July, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) released guidance regarding how organizations should prepare for and respond to these ransomware incidents, including if they should be reported as breaches.

The guidance indicated that breach determinations should be made on a case-by-case basis, with the caveat that electronic PHI (ePHI) encrypted as the result of a ransomware attack is likely a breach.[2] Hacker-encrypted ePHI means that the information was acquired by unauthorized individuals, which is a disclosure not permitted under the HIPAA Privacy Rule.[3] In most incidents, the ransomware does encrypt ePHI, which is what holds healthcare organizations hostage until a key is obtained or a ransom is paid.

Under the new guidance, most organizations impacted by ransomware will likely need to send breach notifications to entire patient populations. This notification process will be costly, cause patient concern and, as with any type of cyberattack or breach, inflict potential damage to reputations.

Prevention is Continual

The best method to thwart these attacks is through prevention, focusing on these five best practices:

1. Training: Employees should be trained to recognize malware, ransomware and DoS emails. A malicious email may appear to be from a colleague, but will look suspicious on closer inspection, and will likely contain links that employees should never click. Employees should also be taught never to insert unknown flash drives into their computers. Attempted cyberattacks are stressful for employees, and automatic response and reporting protocols will help avoid further damage due to panic surrounding suspicious emails or the accidental clicking of a link. (For more information on employee training to prevent cyberattacks and breaches, please see the sidebar "Training: Best Line of Defense.")

2. Testing: Inextricably linked to training is testing. Employees should be tested at random year round with exercises, such as simulated malicious emails or leaving flash drives in public places, to evaluate their responses. Managers can use these tests to identify training gaps and opportunities.

3. Double-factor (two-factor) authentication: This login protocol requires a user password plus a secondary identity-verification method, such as a code sent to a mobile device, a thumbprint scanner or the scanning of a key fob. Double-factor is recommended for all employees, but especially for super-users with greater data access levels. While some organizations are requiring this additional access security for all users, it is not yet mandatory everywhere.

4. IT updates: IT staff need to continually update antivirus software and server patches as they become available from software vendors or security partners. Behavioral attack detection software is also important for identifying attacks early. The software pinpoints malicious activity by comparing requests and responses to a model of good behavior learned from the network itself, and can limit damage if an attacker has already accessed a network.

5. Data backups and segmentation: Backing up data so healthcare organizations can remain operational during a ransomware attack is crucial. In fact, in its ransomware guidance, the OCR recommends backing up data and points out that implementing a data backup plan is a HIPAA Security Rule requirement for maintaining an overall contingency plan. However, cybercriminals may infiltrate backup servers as well, so the OCR recommends maintaining backups offline and unavailable from the organization's networks. Proactively, behavioral attack detection software can help keep criminals from reaching backups by identifying unusual activity earlier on.

In healthcare, data segmentation is a method of labeling, classifying or tagging PHI, allowing providers (or patients) to share certain parts of records. Network segmentation, although it will not thwart an attack, can prevent identity theft by minimizing the data available for corruption in the event of an attack or breach.
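Items 4 and 5 above both rely on "behavioral" detection: a model of normal activity learned from the organization's own logs, against which new requests are compared. The following is an added example, not code from the article or from any product it describes, showing the idea in its simplest form. It learns, per user, which workstations, hours of the day and record-read volumes are normal from a training window of log lines, then flags later events that deviate (a new host, an off-hours login, a sudden spike in records read, or a user never seen before). All log lines, user names and host names are constructed for the example; a real deployment would read from an audit log and tune the thresholds.

```python
"""Baseline-and-deviation detector over constructed access-log lines.

Added example: per-user "normal" profile learned from a training window,
then applied to later events. Not the article's or any vendor's code.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample audit log (not from a real system).
# Fields: timestamp, user, source host, action, number of records touched.
TRAINING_LOG = """\
2017-03-01T09:05:00 jdoe ws-12 read 3
2017-03-01T10:15:00 jdoe ws-12 read 4
2017-03-01T14:30:00 jdoe ws-12 read 2
2017-03-02T09:40:00 jdoe ws-12 read 5
2017-03-02T11:10:00 jdoe ws-12 read 3
2017-03-01T08:00:00 asmith ws-07 read 10
2017-03-01T13:00:00 asmith ws-07 read 12
2017-03-02T08:30:00 asmith ws-07 read 9
2017-03-02T15:45:00 asmith ws-07 read 11
""".strip().splitlines()

# Constructed events to score against the learned baseline.
NEW_LOG = """\
2017-03-03T09:20:00 jdoe ws-12 read 4
2017-03-03T02:10:00 jdoe ws-12 read 3
2017-03-03T10:00:00 jdoe ws-41 read 3
2017-03-03T11:00:00 jdoe ws-12 read 500
2017-03-03T08:45:00 asmith ws-07 read 10
2017-03-03T09:30:00 newhire ws-99 read 2
""".strip().splitlines()


def parse(line):
    """Split one log line into a dict with typed fields."""
    ts, user, host, action, count = line.split()
    return {"time": datetime.fromisoformat(ts), "user": user,
            "host": host, "action": action, "count": int(count)}


def learn_baseline(lines):
    """Build a per-user profile: hosts seen, hours seen, mean/stdev of volume."""
    per_user = defaultdict(lambda: {"hosts": set(), "hours": set(), "counts": []})
    for ev in map(parse, lines):
        profile = per_user[ev["user"]]
        profile["hosts"].add(ev["host"])
        profile["hours"].add(ev["time"].hour)
        profile["counts"].append(ev["count"])
    return {
        user: {"hosts": p["hosts"], "hours": p["hours"],
               "mean": mean(p["counts"]), "stdev": pstdev(p["counts"])}
        for user, p in per_user.items()
    }


def score_event(ev, baseline, z_threshold=3.0):
    """Return the list of reasons an event deviates from its user's profile."""
    profile = baseline.get(ev["user"])
    if profile is None:
        return ["unknown user"]          # no history at all: always worth a look
    reasons = []
    if ev["host"] not in profile["hosts"]:
        reasons.append("new host")
    if ev["time"].hour not in profile["hours"]:
        reasons.append("unusual hour")
    spread = profile["stdev"] or 1.0     # avoid division by zero on flat history
    if (ev["count"] - profile["mean"]) / spread > z_threshold:
        reasons.append("volume spike")   # e.g. bulk reads before exfiltration/encryption
    return reasons


def detect(lines, baseline):
    """Return (line, reasons) for every event that deviates from the baseline."""
    flagged = []
    for line in lines:
        reasons = score_event(parse(line), baseline)
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    model = learn_baseline(TRAINING_LOG)
    for line, reasons in detect(NEW_LOG, model):
        print(f"ALERT {', '.join(reasons):<14} {line}")
```

Running the script flags four of the six new events: the 02:10 login (unusual hour), the read from ws-41 (new host), the 500-record read (volume spike) and the never-seen user. The two routine events are not flagged. The same structure applies to the backup servers discussed in item 5: a learned profile of which hosts normally write to backup storage, and when, lets a defender alert on the first unexpected connection rather than after encryption has already started.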

A Multi-Faceted Approach

No single preventive measure is enough to avoid cyberattacks or breaches. Organizations must implement layered security that includes prevention as well as post-incident detection and remediation.

Above all, training employees to recognize and report suspicious emails, and having protocols for responding in the case that a malicious link or attachment is opened, should be health information professionals' focus. Employees can be an organization's greatest security vulnerability, but also the first and best line of defense against cyberattack and breach.

Rita Bowen, MA, RHIA, CHPS, SSGB, is Vice President of Privacy, HIM Policy and Education at MRO; and Mariela Twiggs, MS, RHIA, CHP, FAHIMA, is National Director of Training and Compliance at MRO.


Training: Best Line of Defense

Continual employee training can help identify and prevent a cyberattack on an organization, and can also help avoid breaches caused by employee negligence. That is part of the reason why preferred PHI disclosure management partners invest so heavily in training and education for their employees and utilize advanced technology to avoid both cyberattacks and data breaches.

The following are four best practices for training staff on breach and cyberattack prevention.

1. Form an active privacy and security incident review committee

When a breach occurs, having a committee with clear lines of responsibilities for timely communication and availability to experts is essential. This committee can make training efficient and effective by evaluating breach incidents and responses to identify gaps, strengths and weaknesses, which can help guide employee instruction.

2. Environmental scanning

By scanning the healthcare ecosystem for privacy and security events, such as through Google Alerts delivered via email, breach and cyberattack incidents can be used as learning opportunities. Employees can discuss 'what if' scenarios for their organization, and how they would respond if faced with a similar situation.

3. Interactivity

Interactive training processes allow a true measurement of employee competence, and allow training to continue as employees work. Interactive exercises, such as simulated malicious emails, environmental scans and privacy and security incident response team evaluations, bring new training opportunities to light.

4. Utilization of technology

Technology, such as record integrity applications that use optical character recognition (OCR) software to scan each page of patient charts to find commingled patient information, can also enhance training. Demonstrating how charts become commingled, and how employees can incorporate their experience and knowledgeable judgment when using technology, empowers employees to leverage technology to protect their organizations.

© 2017 ADVANCE Healthcare, an Elite CE company