In 2015, the United States Congress charged a task force with developing the nation's first healthcare cybersecurity guidelines. The project had three main goals: reduce healthcare cybersecurity risks in a cost-effective way, help doctors voluntarily follow the recommendations and update the guidelines frequently to keep them "actionable, practical and relevant to healthcare stakeholders of every size and resource level," according to the resulting Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (HICP).
The HICP was published in December 2018 under the auspices of the U.S. Department of Health and Human Services (HHS). This document provides critical advice for practices large and small that want to protect their patients' data and privacy.
Compliance With the HICP Guidelines
Compliance with the HICP guidelines is not mandatory, partly because the HHS recognizes that smaller organizations have fewer resources to devote to managing cyber threats. Even so, patient privacy and data security are already governed by federal law (most notably HIPAA) and by state and other regulations, and the HICP practices map onto the safeguards those rules expect. Data breaches routinely bring fines and a loss of patient trust, so even though the new guidance is voluntary, providers and practice managers owe this report some time and consideration.
The main report identifies the five greatest cyber threats to the healthcare industry as:
- Phishing attacks over email.
- Data loss (intentional, accidental or insider).
- Loss or theft of medical equipment.
- Ransomware attacks.
- Attacks against digital medical devices that are attached to or worn by patients.
The report outlines ways to mitigate these threats in two companion guides: Technical Volume 1, written for small practices, and Technical Volume 2, written for medium and large organizations. Most practice owners have already taken some steps toward cybersecurity (such as encrypting email), but every new device or integration can introduce new risks, so the practices need to be revisited as the environment changes.
Protect Your Patients and Practice
One of the most crucial cybersecurity practices is data protection. All patient data should be encrypted at rest and in transit, whether it lives in the cloud, on a workstation or on a thumb drive. Encryption does not prevent a device from being stolen or lost, but it means that whoever ends up with the device cannot read the data without the key; backups, not encryption, are what protect against data that is corrupted or destroyed. If you store or process data with third-party vendors, put a business associate agreement in place that holds each vendor accountable for safeguarding it, and ask concrete questions: "How is our email system protected? Are all the devices connected to our network secured? Can I send this ultrasound scan to my patient safely?"
Practices should keep an up-to-date inventory of every device (phones, laptops, workstations and medical devices) that can access the system or hold patient data; you cannot secure, patch or account for a device you do not know about. When you sell or retire a device, securely erase its storage (or physically destroy the media) before it leaves your control, and record the disposal in the inventory.
Ultrasound machines that interface with other systems to store and share records save time in gynecology practices, but a machine that is placed on the network without proper configuration becomes another attackable host, and one that holds patient images. Practices should always follow the manufacturer's recommendations for configuring these machines on a network (for example, restricting which systems they may talk to) and for mitigating known risks, and should apply the manufacturer's updates as they become available.
Cybersecurity and Ultrasound
The HICP guidelines note that properly configured device connectivity safeguards both data and patient safety in your practice. Voluson machines help gynecology practices by offering secure data storage and sharing with whitelisting, so that a machine communicates only with destinations the practice has explicitly authorized. They also include an IT interface that automatically directs records to the proper network destination, and hard-drive encryption to protect stored data against theft of the machine or its disk.
If cybersecurity is new to you, the HICP guidelines include a glossary of security terms and templates for organizing your data and security information. Find out whether the manufacturers of the equipment you use offer training resources for teaching your team about data safety. Ultimately, a robust data security strategy protects your patients and enhances the care and peace of mind you offer them.