Recent ransomware attacks against healthcare facilities have exposed many institutions to serious HIPAA compliance issues—a situation which could have largely been avoided through some simple practical steps.
The single most important preventative measure is to ensure that all IT systems are kept fully patched and up to date.
In many recent ransomware attacks, unpatched or end-of-life software gave the malware its initial foothold or let it spread across the network. This applies not only to antivirus software and firewalls, but to operating systems, application software and the firmware of networked devices as well.
The cost of upgrading is negligible compared to the potential losses resulting from an attack, and it is simply inexcusable to fail to update systems—especially in the healthcare environment where electronic health records are often the subject of hacking attempts.
Loss of, or unauthorized access to, those records in turn exposes the institution to HIPAA breach-notification obligations and regulatory penalties.
Hospitals and healthcare facilities should also:
• Restrict access to the network and to networked medical devices to authorized users and systems.
• Monitor network activity for unauthorized use.
• Evaluate individual network components on a routine, scheduled basis, and disable all ports and services that are not required for the device's function.
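The last item above, disabling unneeded ports and services, is only enforceable if someone regularly checks what is actually listening. The script below is an added example, not code from the original article: it parses the output of the Linux `ss -lntu` command and reports every TCP or UDP socket that is reachable from the network and not on an allowlist. The allowlist and the sample `ss` output embedded in the script are constructed for illustration; on a real host you would replace the sample with the live output.

```python
"""
Audit listening TCP/UDP services against an allowlist.

Added example, not part of the original article. Parses the text output of
`ss -lntu` (Linux). The allowlist and SAMPLE_SS_OUTPUT below are constructed
for illustration only.
"""
import ipaddress
import subprocess

# Constructed sample of `ss -lntu` output; a real audit would use ss_output_live().
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q  Local Address:Port  Peer Address:Port Process
tcp   LISTEN 0      128           0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      50            0.0.0.0:445        0.0.0.0:*
tcp   LISTEN 0      244         127.0.0.1:5432       0.0.0.0:*
tcp   LISTEN 0      128              [::]:3389          [::]:*
udp   UNCONN 0      0             0.0.0.0:161        0.0.0.0:*
"""

# Hypothetical allowlist for a clinical workstation: (protocol, port) pairs
# that are expected to listen on a network-reachable address.
ALLOWLIST = {("tcp", 22)}


def parse_listeners(ss_output: str):
    """Yield (proto, address, port) for each socket line in ss output."""
    for line in ss_output.splitlines():
        fields = line.split()
        # Skip the header and anything that is not a tcp/udp socket line.
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue
        addr, _, port = fields[4].rpartition(":")   # "Local Address:Port" column
        addr = addr.strip("[]")                       # IPv6 addresses are bracketed
        if not port.isdigit():
            continue
        yield fields[0], addr, int(port)


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; wildcard forms such as '*' are not loopback."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False


def audit_listeners(ss_output: str, allowlist):
    """Return listeners reachable from the network that are not on the allowlist."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        if is_loopback(addr):
            continue  # reachable only from the host itself; not a network exposure
        if (proto, port) not in allowlist:
            findings.append((proto, addr, port))
    return findings


def ss_output_live() -> str:
    """Collect real socket data on a Linux host (requires the ss utility)."""
    return subprocess.run(["ss", "-lntu"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    for proto, addr, port in audit_listeners(SAMPLE_SS_OUTPUT, ALLOWLIST):
        print(f"unexpected {proto} listener on {addr}:{port}")
```

Run on a schedule (for example from cron), diffing each host's findings against the previous run gives a cheap change alarm: a new listener on an imaging workstation or infusion-pump gateway is exactly the kind of event the monitoring bullet above is asking for. Loopback-only services are skipped because they are not exposed to the network, but they still belong in the patching inventory.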
In the event of an attack—or even a general IT failure—it is important for all facilities to have prepared strategies in place to maintain critical functionality.
These strategies should ideally include an offline backup of vital data that is kept disconnected from the production network and is periodically test-restored, training of staff in paper-based methods of data capture and transmission, and paper discharge instructions.
In addition, staff should be familiar with the paper medication administration record (MAR) process, and how to transmit laboratory and radiology orders via paper-based—and hand delivered—requisition forms.
Even a simple step such as preprogramming phone and fax numbers into a fax machine can be of great assistance in the event that all computer systems are down.
Helpful Links
Cyber Security Evaluation Tool, National Cybersecurity and Communications Integration Center
https://ics-cert.us-cert.gov/sites/default/files/FactSheets/ICS-CERT_FactSheet_CSET_S508C.pdf
National Cybersecurity and Communications Integration Center, Department of Homeland Security
https://www.dhs.gov/national-cybersecurity-and-communications-integration-center
Emergency Preparedness—Preparing Hospitals for Disasters—Cybersecurity