Healthcare News & Insights

Why hospitals should share cybersecurity strategies

The number of threats to hospitals’ cybersecurity keeps growing. So how can your facility protect itself? 

The answer may not come from a government agency. In fact, your hospital may learn the most about how to prepare against cyberthreats from fellow providers, according to the National Institute of Standards and Technology (NIST).

The agency recently released some draft guidance about how providers can exchange information during and after cyberattacks with other organizations.

And it’s good timing because there are plenty of threats to patients’ protected health information (PHI) for hospitals to worry about.

Cybersecurity concerns

FierceHealthIT highlights three potential threats hospitals need to protect against.

For example, in the wake of the Community Health System breach earlier this year, the FBI warned that hackers around the world would be targeting providers and PHI.

Steve Gravely, a healthcare practice leader at the international law firm Troutman Sanders, warns the threat environment for providers has vastly changed in recent months. “No one’s system is hack-proof,” Gravely warns, “and a lot of hospitals haven’t done tabletop exercises to practice their response and crisis communication in case of a large-scale data breach, mainly because the risk was so low before.”

This is especially concerning because new cyberthreats, like Heartbleed and Shellshock, are constantly evolving and opening holes in facilities’ security that attackers can exploit.

Cloud storage also poses a potential cyberthreat, according to the article. Cloud vendors are one more target for hackers, and one that may not hold itself to the same security standards as providers. Gravely also warns that some hackers have broken into cloud storage systems with the help of insider information.

While not a “threat” to your cybersecurity exactly, if your organization has received Meaningful Use payments, you’ll still have to make sure your HIPAA compliance and cybersecurity are top-notch. The Centers for Medicare & Medicaid Services (CMS) is auditing providers attesting to Meaningful Use and will look for documentation of recent risk assessments. If CMS determines you haven’t met HIPAA compliance standards, you may be asked to return the Meaningful Use payment.

Sharing defenses

These kinds of issues are good examples of why facilities need to make HIPAA compliance and cybersecurity an active and ongoing task.

However, since there isn’t a cure-all for threats like new viruses, providers will need to rely on each other for warnings and best practices when dealing with cyberattacks. “[Providers] can learn the types of systems and information being targeted, the techniques used to gain access and indicators of compromise,” says Christopher Johnson, the chief author of the NIST guidance.

Specifically, the guidance addresses how to establish and maintain sharing relationships with other providers, as well as what information can be shared and how it should be sent.

Some of the key recommendations include:

  • Understanding your information inventory. Think about where critical information is kept, who owns it and when it should be shared. Consider factors like risk of disclosure.
  • Exchanging tools and techniques. Collaborate with your partners on creating or sharing adaptive, risk-informed practices and procedures, and
  • Using standard data formats to facilitate interoperability and fast information exchanges.
