Cybersecurity management guidelines

In the global race for economic competitiveness, the digital readiness of organisations has become a key factor. Therefore, cybersecurity has become an increasingly important safety issue. In addition, cybercrime has shifted from attacking big corporations to also attacking  other industries, like financial services and increasingly organisations in the health sector.

Cybersecurity management guidelines in healthcare

Data breaches in healthcare have occurred in a variety of ways. This includes situations in which hackers steal health information to commit medical identity theft, or instances where an employee views the records of one patient without authorization. While the aims and results of these two security threats are different, they have in common that data breaches can be very costly for providers. In addition to potential regulators’ fines and other compliance costs, hospitals may suffer reputational damage and a loss of patient trust.

Hospitals and other healthcare organizations need to be aware and active about protecting sensitive health information, patient, financial and other data. This requires the combination of employee education, proper use of technology and physical security for buildings.

See ENISA’s webpage on Health Critical Information Infrastructures and Services for more information: https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services/health

Steps to profile a cybersecurity guideline

1. Raise cybersecurity awareness

One of the most challenging aspects of raising awareness about cybersecurity among users is overcoming the perception that “it can not happen to me”. Regardless of their level of education or IT sophistication, many people are alike in believing that they will never succumb to sloppy practices or place patient information at risk.

• Education and training must be continuous.
• Those who manage and direct the work of others must set a good example.

2. Install a firewall

A firewall prevents intruders from entering in the first place. Anti-virus software can be thought of as infection control while the firewall has the role of disease prevention.

• All computers are protected by a properly configured firewall.
• All staff members understand and agree that they may not stop the operation of firewalls.

3. Protect network access

File sharing and messaging can expose connected devices to security threats and vulnerabilities. Check to make sure applications have not been installed without explicit approval.

• Access to the network is restricted to authorized users and devices.
• Guest devices are prohibited from accessing networks that contain health information.

4. Secure physical access

Securing information physically should include policies limiting physical access: securing machines in locked rooms, managing physical keys, and restricting the ability to remove devices from a secure area.

• All devices containing health information are inventoried and can be accounted for.
• Physical access to secure areas is limited to authorized individuals.

5. Secure health information

Setting file access permissions may be done manually, using an access control list. This can only be done by someone with authorized rights to the system. Prior to setting these permissions, it is important to identify which files should be accessible to which staff members.

• Every user account should be tied to a single authorized individual.
• Users are only authorized to access the information they need to perform their duties.

6. Be prepared for disaster

A fireproof installed safe, which only the health care provider knows the combination for, is a good choice for many practices to store backup media. This would provide some safety against local emergencies such as flood and fire.

• Backups schedule is timely and regular. Every backup is tested for its ability to restore the data accurately.
• Backups media are physically secured. Backups media stored off-site are encrypted.

7. Change passwords regularly

Strong passwords are ones that are not easily guessed. Since hackers may use automated methods to try to guess a password, it is important to use strong passwords.

• Each staff member has a unique username and password.
• Passwords are changed routinely. Passwords are not re-used.

8. Clean desk policy

Sensitive information on a desk such as sticky notes, papers and printouts can easily be taken by thieving hands and seen by intrusive eyes. All sensitive and confidential information should be removed from the desk.

9. Bring-Your-Own-Device (BYOD) and Bring-Your-Own-App (BYOA) policy

BYOD and BYOA covers the employees’ personal computers or devices which might be used in a work setting, which could be utilized to steal sensitive data.

10. Removable media

Personnel must be educated about the threats of removable media such as an external hard drive, most especially on a secured system.

You can find more information on good cybersecurity practices through this link: https://www.healthcarebusinesstech.com/best-practices-to-secure-healthcare-data

Further reading

• Health – Critical Infrastructures and Services: https://www.enisa.europa.eu/topics/critical-information-infrastructures-and-services/health?tab=publications
• 15 Ways Healthcare Providers Protect Patient Data: https://igniteoutsourcing.com/healthcare/protecting-patient-information/
• ICT security certification opportunities in the healthcare sector: https://www.enisa.europa.eu/publications/healthcare-certification

Literature

2017. Ayatollahi, et al., “Information Security Risk Assessment in Hospitals”, Open Med. Inf. Jour., 11, 2017.
2018. Martin, et al., “Cybersecurity and healthcare: how safe are we?”, BJM, 358,  2017.

Im Skierka, “The governance of safety and security risks in connected healthcare”, Conf. Living in the Internet of Things: Cybersecurity of the IoT – 2018.

2017. L. Bris, W. E. Asti, “State of cybersecurity & cyber threats in healthcare organizations: Applied Cybersecurity Strategy for Managers”, Essec Business School, Harvard, 2017.