
A Threat-Based Approach to Health Care Cybersecurity

Posted by Jason Cope, CPA on Oct 29, 2018 8:48:00 AM
As healthcare consumers increasingly adopt technology to gain greater access to their personal medical records and wellness tracking, what are the cyber risks associated with data sharing? If organizations in the business of consumer health are to continue innovations around patient care that enable data-sharing, there must be a way to safely store patient data and protect their privacy.

Digital attackers continued to prey upon healthcare organizations throughout 2018, with 176 large-scale data breaches in the first half of the year. A July 2018 Bloomberg report states that cybersecurity breaches among healthcare providers and government agencies have exposed sensitive data from hundreds of thousands of people in the U.S., leaving the industry scrambling to defend against more attacks.

Threat-Based Cybersecurity

According to a recently released BDO report, Implementing Threat-Based Cybersecurity to Secure Patient Care Innovation, threat-based cybersecurity is a forward-thinking, predictive approach that concentrates investments on the most likely risks and attack vectors, based on a company’s unique threat profile. This approach is a departure from focusing solely on protecting critical assets or applying a generic cyber program.

The BDO report outlines eight steps healthcare organizations can take to effectively detect and respond to risks. They include:

  1. Bolster their access controls – technical policies and procedures to ensure only authorized employees have access to protected health information (PHI) via Electronic Health Records (EHR) and to personally identifiable information (PII)—and be more stringent about to whom they grant access.
  2. Implement stronger audit controls – to track and identify internal and external access to and exploration of information systems that contain PHI and PII.
  3. Strengthen intrusion detection systems (IDS) – to more accurately monitor traffic moving throughout their email, network, and information system endpoints to identify suspicious activity and clear threats in real time.
  4. Make top-down personnel education a priority for everyone (from the Board of Directors to the C-Suite, managers, and employees) – to ensure all individuals with access to an organization’s networks, medical devices and data understand their roles and responsibilities in defending against cyber threats.
  5. Create an internal and external crisis communications plan – to align with existing enterprise risk management frameworks (e.g., HIPAA, HITRUST, NIST).
  6. Implement cyber insurance claims preparedness and adequate coverage – to identify and quantify incurred event response costs for inclusion in an insurance claim.
  7. Create an incident response plan – to include the participation of organization leadership and key personnel from all technology, business, administration, and clinical functions.
  8. Develop and test a Business Continuity Plan (BCP) – real information resilience requires an effective information back-up capability that can quickly restore any lost data.

Source: BDO

To learn more about how your healthcare organization can develop and maintain a comprehensive cyber threat profile, the types of breaches and location of breached information, read the full report.

If you have any questions about this topic, contact Jason Cope at 214-635-2508 or use the contact form below.

Note: This content is accurate as of the date published above and is subject to change. Please seek professional advice before acting on any matter contained in this article.
