September 20, 2017

Best Practices for Healthcare Information Security

Written by
William R. Crank

Today’s cyber criminals aren’t disorganized, disgruntled individuals who act alone. Now there are entire operations devoted to running healthcare phishing, malware, and ransomware scams to get past your information security system and infiltrate your healthcare data. Not only do these cyber criminals have concrete business models, they have the resources to perform cost-benefit analyses that determine if it’s worth the money to go after you and your data specifically.

Fortunately, if your security is tight, there’s a good chance that hackers will leave your information alone because they don’t want to waste resources trying — and hopefully failing — to access your system.

However, if your information isn’t secure or your employees aren’t in the practice of analyzing emails before they click suspicious links, your organization (as well as patient care data) could be at risk.


Phishing Emails, Ransomware, and Malware

In recent years, stories about healthcare organizations suffering from security problems have flooded the news. Phishing emails, ransomware, and malware have plagued businesses as unknowing employees click suspicious links and accidentally give hackers access to important data.

The term “phishing emails” describes messages that try to harvest people’s credentials or drop a piece of malware or ransomware onto a person’s PC. Malware is software intended to disable computer systems, while ransomware is designed to block access to a computer system until money is paid to get your information back. Once these malicious programs are on an employee’s computer, it’s likely that cyber criminals can get hold of important data or infrastructure information.

Unfortunately, phishing scams are on the rise. The Anti-Phishing Working Group (APWG) observed an uptick in phishing attacks in the first quarter of 2016. According to APWG’s Phishing Activity Trends Report, the number of unique phishing websites reached a record high of 289,371.

Best Practices for Keeping Health Information Secure

Medical software should always be developed with security in mind. And that’s the approach we take at MEDHOST. Still, there are extra precautions all health organizations can take to stay better protected:

1. Have a “think before you act” mindset.

Provide education and hands-on training to help employees get in the habit of analyzing emails before they click any links. It’s likely that if one person in your organization gets a suspicious email, that same email is sitting in the inboxes of dozens of other people. It only takes one click to infiltrate your data.

2. Report a suspicious email right away.

Make sure your team is willing to report suspicious messages immediately. As soon as one is reported, your security team can jump into action to block the domain and any outbound connections.

3. Use endpoint protection and keep it updated.

Regularly updated endpoint protection provides security for company servers and workstations.

4. Scan in real time.

This is one of the best methods for protecting against hackers. Several tools are available to scan incoming messages in real time and filter as many suspicious messages as possible.

5. Have a good backup strategy.

This is one of the most important actions you can take. If you don’t have good backup data, you’re at the mercy of cyber criminals. When your backups are current and safe, you don’t have to pay criminals to decrypt your information to get your data back. Without a good strategy, you’re in the unfortunate position of being exactly where they want you—especially if your data is critical to patient care.

6. Implement the principle of least privilege.

This security objective means that workforce members have the level of access they require to perform their job functions and no more. If elevated privileges are required, the user should be given a separate account to use when performing those functions, and that account should not be used for day-to-day work. This is key to enhancing the protection of data and information assets.
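One way to audit the separate-account rule above against a directory export, as an added example that is not MEDHOST’s code or the author’s: the role-to-group map, the set of groups treated as elevated, and the account list are all constructed for illustration.

```python
"""Audit accounts for least-privilege violations (constructed example)."""

# Assumption: which groups each job role legitimately needs.
ROLE_ALLOWED_GROUPS = {
    "nurse": {"EHR Users"},
    "billing": {"EHR Users", "Billing"},
    "sysadmin": {"EHR Users", "Domain Admins", "Backup Operators"},
}

# Assumption: groups the organization treats as elevated privilege.
PRIVILEGED_GROUPS = {"Domain Admins", "Backup Operators", "EHR Admins"}

# Constructed directory export. "admin" marks a dedicated elevated-use account.
ACCOUNTS = [
    {"name": "jdoe", "owner": "jdoe", "role": "nurse",
     "groups": {"EHR Users"}, "admin": False},
    {"name": "asmith", "owner": "asmith", "role": "billing",
     "groups": {"EHR Users", "Billing", "Domain Admins"}, "admin": False},
    {"name": "bwong", "owner": "bwong", "role": "sysadmin",
     "groups": {"EHR Users"}, "admin": False},
    {"name": "bwong-adm", "owner": "bwong", "role": "sysadmin",
     "groups": {"Domain Admins"}, "admin": True},
    {"name": "clee-adm", "owner": "clee", "role": "sysadmin",
     "groups": {"Backup Operators", "EHR Users"}, "admin": True},
]


def audit_least_privilege(accounts):
    """Return (account_name, finding_code) pairs for policy violations."""
    findings = []
    owners_with_daily = {a["owner"] for a in accounts if not a["admin"]}
    for acct in accounts:
        allowed = ROLE_ALLOWED_GROUPS.get(acct["role"], set())
        if acct["groups"] - allowed:            # more access than the role needs
            findings.append((acct["name"], "beyond_role"))
        if not acct["admin"] and acct["groups"] & PRIVILEGED_GROUPS:
            findings.append((acct["name"], "daily_account_elevated"))
        if acct["admin"]:
            if acct["owner"] not in owners_with_daily:  # admin account doubles as daily login
                findings.append((acct["name"], "no_separate_daily_account"))
            if acct["groups"] - PRIVILEGED_GROUPS:      # admin account carries day-to-day groups
                findings.append((acct["name"], "admin_account_has_daily_groups"))
    return findings


if __name__ == "__main__":
    for name, code in audit_least_privilege(ACCOUNTS):
        print(f"{name}: {code}")
```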

If you can implement these best practices in your organization, you’ll be in a better position to protect your information. And when it comes to researching and purchasing software products, it’s critical to look for providers that take security seriously by implementing controls in the development of products. One simple way to check is to look for products that have been certified by the Office of the National Coordinator for Health Information Technology (ONC). This certification means the product has been third-party tested and passes ONC’s standards.


William R. Crank is the chief information security officer and senior director of networking and information security at MEDHOST. He has 20 years of combined information security and network leadership, management and operations experience. He is a retired United States Navy veteran with 25 years of leadership/management experience across varying team and department sizes and responsibilities, indicative of his ability to adapt and be successful and highly effective in any environment.