Top mid-year cybersecurity trends for primary care organizations
Technology must be protected to maintain its integrity, regardless of what the technology’s purpose may be. No industry is immune to cyberattacks and, in fact, the healthcare field may be the most vulnerable, given the sensitive nature of the protected health information (PHI) maintained by technology such as electronic health records (EHRs). A number of experts in technology and in healthcare have revealed what they believe to be the top mid-year cybersecurity trends for primary care organizations.
EHR software is critical for an independent primary care practice to manage patient records, communicate with patients and other providers, and properly care for each patient based on that patient’s accurate data and medical history. Understanding potential cybersecurity trends and how to protect against threats is imperative.
Experts recommend that healthcare providers be prepared with strong mitigation tactics, including communications plans, incident response plans, EHR software plans, and other response considerations. Medical device security is especially challenging in a digital age where many providers encourage patients to take advantage of wearable technology to monitor blood pressure, weight, and physical activity, among other important health-related data. Going forward, a robust threat model and a strengthened security architecture will be critical for independent practices.
The practice’s EHRs make patient data available to authorized users, so cybersecurity strategies must be focused on protecting that PHI. Learning about the EHR’s features, including security configurations, will help reassure the healthcare provider that they are functioning properly and are being updated when appropriate. Independent providers should work with their EHR vendor to make protecting patient data a top priority throughout the rest of 2022 and in the years to come. It is ultimately the responsibility of the provider, as the guardian of the patient’s PHI, to protect that information from cyber threats.
The Department of Health and Human Services Office of Information Security explained in a recent publication what all of this means for healthcare cybersecurity for 2022 and beyond, concluding that healthcare providers should:
- Continue to defend against phishing
- Training and employee awareness – current events can and do serve as themes for phishing campaigns
- Phishing test programs
- Gateway/mail server filtering
- Operationalization of indicators of compromise
- Lock down remote access technologies
- Virtual Private Networks and technologies leveraging the Remote Desktop Protocol should be operationally minimized
- Turn off services where they are not needed
- Limit services to only when they are needed
- Log and periodically review activity
- Update all tools as soon as updates are released
- Always apply the principle of least privilege
- Manage vulnerability
- Situational awareness begins with knowing your own infrastructure
- Develop and aggressively maintain enterprise asset inventory
- Must be systematic – comprehensive and repeatable
- Must have mechanisms of enforcement
- Maintain situational awareness of applicable vendor updates and alerts
- Develop repeatable testing, patching and update deployment procedures
- Understand the value of what the organization has to offer to the adversary
- Patient records/PII/PHI can be sold for a high price
- If you operate in such a way that you can be disrupted, then you can also be extorted
- Foreign countries may want/need your intellectual property
- Operate with resilience in mind
- High probability of compromise
- What will you do if it happens?
- Incident response
- Continuity of Operations (COOP)
The HHS’s most important guidance is for independent practices to think in terms of how you can be compromised by your suppliers, vendors, business partners, customers, and service providers. Moving through the rest of 2022 and beyond, situational awareness will continue to be more important, to guard against new threats with the appropriate cybersecurity protection.