
Texas Medical Group Blog

All You Ever Wanted to Know About Insurance

Health Care Risk Insights: Protecting Patient Data by Preventing Cyber Attacks


The threat of a data breach in a health care facility is daunting. Privacy is the foundation of a hospital's information systems; if a patient's information falls into the wrong hands, both compliance with the Health Insurance Portability and Accountability Act (HIPAA) and the reputation of the medical institution suffer. Health care facilities are particular targets for two reasons:

  • Type of data stored: Health care facilities may keep a patient's Social Security number, insurance and financial account data, birth date, name, billing address and phone number, making them a valuable target for cyber attack.
  • Many potential vulnerabilities: Medical institutions are obliged to provide access to multiple external networks and web applications in order to stay in contact with patients, employees, insurers or business partners. The volume of data shared represents a risk.

It is much less costly, from both a financial and a reputational point of view, to prevent a breach than to notify the affected individuals and the Department of Health and Human Services as required by the Health Information Technology for Economic and Clinical Health Act (HITECH). As a result, administration must respond by preventing, detecting and responding to cyber attacks or misuse of patient records through a carefully planned cyber security program.


What are the Risks?

The first step in protecting your business is to identify the parts of your processes that are vulnerable to cyber attack.

Applications and systems: External applications and systems can easily allow improper access to sensitive patient data. Because administrators cannot fully control the security of external applications, facilities should perform web application security testing on a regular basis.

Software flaws: Weaknesses in software and computer systems attract hackers and intruders. The consequences of this cyber risk range from minor mischief (for example, a virus that does no real damage) to malicious activity (stealing or altering information). Intrusion prevention and detection systems can alert you to a cyber attack and allow you to respond in real time.

Malicious code (viruses, worms and Trojan horses): There are various types of malicious code that can put your organization at risk:

  • Viruses: This type of code requires the user to take an action to infect your system, such as opening an email attachment or visiting a particular webpage.
  • Worms: This code propagates between systems without user intervention. It typically begins by exploiting a software flaw or weakness. Once a victim's computer is infected, the worm attempts to find and infect other computers.
  • Trojan horses: This code is software that claims to be one thing but behaves differently behind the scenes (for example, a program that claims to speed up your computer but is actually sending confidential information to a remote intruder).

Implementing systems to prevent these attacks, including firewalls and routine security controls, is essential to protecting sensitive data.

Email lacking encryption: HIPAA guidelines require that some email communications between physicians' offices and hospitals be encrypted to protect patient information. Since most communication is now electronic, monitoring these channels is especially important.

Insider attack: Current and former employees, from billing clerks to clinicians, should understand that the consequences of viewing patient records without a legitimate reason range from severe penalties to dismissal. Often employees are simply curious, and only a strict policy can effectively prevent this type of data loss. Many facilities implement log monitoring, in which logs of access to sensitive patient data are regularly reviewed, typically looking for access to records of patients the employee has no treatment or billing relationship with.
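The kind of audit-log review described above, as an added example that is not part of the original article or of any particular EHR product. The log format, the field names, the care-assignment table and the burst thresholds are all assumptions; the log lines are constructed sample data, not real records. It flags two things a privacy officer usually wants to see: access to a patient the user is not assigned to, and a user who opens many distinct patient records in a short window.

```python
"""Review an EHR access audit log for patient-record access without a legitimate relationship.

Illustrative code added to the article; the log layout, thresholds and assignment
source are assumptions rather than any specific system's audit format.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (not real data).
# Fields: timestamp, user, role, patient_id, action
SAMPLE_LOG = """\
timestamp,user,role,patient_id,action
2015-03-02T08:01:10,nurse01,clinician,P1001,view
2015-03-02T08:05:44,nurse01,clinician,P1002,view
2015-03-02T09:15:00,billing07,billing,P1001,view
2015-03-02T09:16:30,billing07,billing,P1003,view
2015-03-02T12:40:02,nurse01,clinician,P2001,view
2015-03-02T12:41:15,nurse01,clinician,P2002,view
2015-03-02T12:42:03,nurse01,clinician,P2003,view
2015-03-02T12:43:48,nurse01,clinician,P2004,view
2015-03-02T12:44:20,nurse01,clinician,P2005,view
2015-03-02T12:45:01,nurse01,clinician,P2006,view
2015-03-02T14:00:00,dr_lee,clinician,P1002,view
2015-03-02T14:02:00,dr_lee,clinician,P1004,print
"""

# Constructed care assignments: the patients each user has a legitimate treatment
# or billing relationship with. In practice this comes from the scheduling/ADT
# system, not from a hand-written table (assumption for the example).
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002"},
    "billing07": {"P1001", "P1002", "P1003"},
    "dr_lee": {"P1002"},
}

# Heuristic thresholds for record "snooping" (assumed values, tune per facility).
BURST_WINDOW = timedelta(minutes=15)
BURST_DISTINCT_PATIENTS = 5


def parse_log(text):
    """Parse the CSV audit log into dicts with a real datetime in 'timestamp'."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def unassigned_access(rows, assignments):
    """Return (user, patient_id, action, timestamp) for every access to a patient
    outside the user's assignment list. Unknown users are treated as having no
    assignments, so all their accesses are flagged."""
    findings = []
    for r in rows:
        allowed = assignments.get(r["user"], set())
        if r["patient_id"] not in allowed:
            findings.append((r["user"], r["patient_id"], r["action"],
                             r["timestamp"].isoformat()))
    return findings


def burst_access(rows, window=BURST_WINDOW, threshold=BURST_DISTINCT_PATIENTS):
    """Return {user: max distinct patients seen in any sliding window} for users
    who touched at least `threshold` distinct patients within `window`."""
    by_user = defaultdict(list)
    for r in rows:
        by_user[r["user"]].append(r)
    flagged = {}
    for user, events in by_user.items():
        events.sort(key=lambda e: e["timestamp"])
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it fits inside `window`.
            while events[end]["timestamp"] - events[start]["timestamp"] > window:
                start += 1
            distinct = {e["patient_id"] for e in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[user] = max(flagged.get(user, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for finding in unassigned_access(log, ASSIGNMENTS):
        print("no relationship:", finding)
    for user, count in burst_access(log).items():
        print(f"burst: {user} opened {count} distinct records within {BURST_WINDOW}")
```

On the sample data the review flags every one of nurse01's six afternoon lookups and dr_lee's print of P1004 as access without a relationship, and separately flags nurse01 for the burst. Treat these as findings for a privacy officer to review rather than something to block automatically: emergency "break the glass" access and float staff covering another unit both produce legitimate hits, so the assignment source and thresholds need to be agreed with clinical leadership before the report is acted on.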

Physical loss of information: Another potential risk is that of lost or stolen laptops, which can expose personal information related to patients or employees.

In the event of a security breach, HITECH requires that the affected individuals and the Department of Health and Human Services (HHS) be notified within a short period of time.


Risk Management

In the case of a surprise HHS or HIPAA inspection, facilities must demonstrate that they comply with all of the regulations and requirements outlined in HIPAA and HITECH.

To reduce your organization's cyber risk, it is wise to develop a comprehensive risk management plan. Risk management solutions use industry standards and best practices to assess the harm that could result from unauthorized access, use, disclosure, disruption, modification or destruction of your facility's information systems. Thereafter, perform regular security risk assessments, which will give you a better understanding of the risks to your protected health information and personally identifiable information as outlined in the two acts.

You should also review your facility's controls to ensure they are adequate to meet regulatory requirements. Performing this process helps your organization remain compliant and demonstrates diligence and a commitment to compliance in the event of an audit.

Consider the following when implementing risk management strategies:

  • Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. The plan should include a characterization of every system the organization uses, based on its function, the data it stores and processes, and its importance to the facility.
  • Conduct a security risk assessment at least annually, and update it whenever there are significant changes to the information systems or to the facility that houses them, or when other changes occur that could affect the organization's vulnerability.


Selecting an ISP

In addition, your facility should take precautions when selecting an Internet service provider (ISP), which provides access to the internet, website hosting and other services. To select the ISP that will best reduce your cyber risks, consider the level of security, privacy and reliability it offers.


Transferring the Risk

Cybersecurity is a serious concern for all health care facilities. Contact your agent today to learn about available risk management resources and insurance solutions, such as internet and media liability, security and privacy liability, and identity theft insurance.


This Risk Insight is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2015 Zywave, Inc. All rights reserved.


