Cybersecurity guidance targets medical records strategies
New guidance from the American Health Information Management Association offers 17 steps toward building a comprehensive cybersecurity plan that addresses not only the information technology department but a range of other stakeholders.
The effort aims to increase organization-wide awareness of security weaknesses and to reassess information management strategies that put data at risk.
“Governance of information shifts the focus from technology to people, processes and the policies that generate use, and manage the data and information required for care,” says Kathy Downing, director of practice excellence at AHIMA with 15 years of experience in HIM and as a privacy officer in provider facilities.
The first step is to conduct a risk analysis of all applications and systems, even those containing no protected health information, as any app or system can be compromised and used to launch attacks on other systems on the same network. Potential targets for cyberattacks might include biomedical devices, mobile devices and legacy systems.
Record retention should be seen as a cybersecurity issue, Downing advises. Avoid storing and maintaining records beyond retention requirements. “In the era of big data, the idea of keeping everything forever must end,” she asserts.
Patch systems immediately when updates are available, adopt user ID behavior monitoring and encrypt high-risk workstations, laptops, smartphones, tablets, portal media and backup tapes, she advises.
To improve identity and access management, implement “time of day” restrictions to ensure a computer used by one person with access privileges is not later used by someone else without privileges.
Other steps, according to Downing, include blocking email traffic from a newly created domain, as that is a gateway to a phishing attack. In addition, providers should consider outsourcing audit logs to a Managed Security Service Provider.
In presenting a security presentation to executives, Downing advises that security pros should be prepared for five specific questions:
* How are we doing compared with similar organizations of our size?
* Who is in charge of our cybersecurity program?
* What are we doing to reduce our risk of an attack?
* How and when will the board be notified if there is a cyber breach?
* Do we have cyber insurance?
The complete guidelines are available here, as well as a glossary of security terms.