A guide published by the American Health Management Association (AHIMA) aims to help healthcare organizations create a comprehensive cybersecurity plan. Healthcare organizations need to develop and maintain an organization-wide framework that manages information throughout its lifecycle, from creation to safe and secure disposal. This framework is termed information governance (IG).
According to the Protenus and Databreaches.net monthly healthcare data breach reports, more than one healthcare data breach occurs every day. Given the real cyber threats facing healthcare today, organizations need to develop an IG program. Kathy Downing, AHIMA's VP of Information Governance, Informatics, Privacy and Security, confirms that IG is now a vital element for healthcare organizations, which experience cyberattacks every day.
The Healthcare Industry Cybersecurity Taskforce (HCIC) June 2017 report stated that “Information governance includes not just IT and security stakeholders, but also information stakeholders, clinical and nonclinical leaders.” The AHIMA IG Adoption Model focuses on people, processes and technology. Among its ten competency areas are privacy and security, enterprise information management, legal and regulatory requirements, IT and data governance, and security awareness and adherence.
To build an effective IG program, AHIMA's guide recommends 17 actions that healthcare organizations can take to create a cybersecurity plan.
1. Do an organization-wide risk analysis of all applications and systems
2. Identify health record retention as a cybersecurity issue
3. Fix all vulnerable systems and update software and operating systems
4. Use advanced endpoint detection systems in combination with standard antivirus and anti-malware tools
5. Employ data encryption on workstations, tablets, smartphones and portable media
6. Improve access management and identity controls
7. Block bad traffic using web filters
8. Use mobile device management
9. Have an incident response plan
10. Keep track of audit logs to detect signs of possible attacks
11. Employ intrusion detection systems
12. Assess business associates
13. Conduct penetration tests using third-party firms
14. Conduct phishing simulation exercises to improve anti-phishing controls
15. Make a ‘State of the Union’ type presentation for an organization’s leaders on cybersecurity
16. Adopt a ‘Defense in Depth’ strategy
17. Detect and stop intrusions or cyberattacks
Having a cybersecurity plan helps organizations prepare for cyberattacks and avoid expensive data breaches. But it is only a starting point, since the threat landscape constantly changes. Healthcare organizations need to review and revise their cybersecurity plans as conditions change.