Navigating Privacy & Security / Illuminating Informatics / Standards Strategies / Road to Governance
ments that can specifically assist healthcare providers in
thwarting cyberattacks include:
1. Perform (and re-perform) the security risk assessment (45 CFR 164.308(a)(1)(ii)(A)). The HIPAA security
regulations require all covered entities and business
associates to conduct an accurate and thorough security risk assessment (SRA) wherein all of the potential
risks to the confidentiality, integrity, and availability
to one's electronic PHI are evaluated. HIPAA policies
and procedures are then crafted with specific risks
and vulnerabilities in mind to best protect data. HHS
provides tools for the security risk assessment, and it
is recommended that the security risk assessment be
done according to standards set forth by NIST (800-30
v2). The SRA should be done at least annually, and updated whenever there’s a breach. It is the cornerstone of
a HIPAA compliance program. Medical devices should
be included in the analysis.
2. Be sure to implement a remediation plan (45 CFR
164.308(a)(1)(ii)(B)). The remediation plan grows out of the
SRA, and identifies which of the highest risk items in an
organization should be addressed first. Set deadlines to
complete these items and assign individuals as necessary
to ensure the tasks get done.
3. Install anti-malicious software updates and security
patches regularly (45 CFR 164.308(a)(5)(ii)). Antivirus
software, software firewalls, and all software itself should be
installed with regular patching and blocking. Default logins
and passwords should be removed from IT systems, unnecessary services should be disabled, and ownership permissions set. For larger organizations, network vulnerability
scans on systems containing or accessing ePHI should occur, and intrusion detection software should be considered.
4. Have security incident response and reporting planning in place (45 CFR 164.308(a)(6)(ii)). What is the course
of action for mitigating damage from a cyberattack? For
ransomware, it is recommended to immediately disconnect Wi-Fi and unplug the affected computer from the
network. Be sure to document response to any security
5. Be certain to have a workable contingency plan in place
to respond to the emergency of ransomware (45 CFR
164.308(a)(7)(i)). This typically will mean having a way to
operate via a backup system, or using paper records while
the electronic health record (EHR) system is restored.
6. Have a data backup plan and be sure systems are backed
up with sufficient redundancies (45 CFR 164.308(a)(7)(ii)(A)).
Having sufficient backups to find a “clean” backup that
will not be infected by the ransomware is helpful. This can create retrievable, exact copies of ePHI in the event of an emergency such as a ransomware attack. Backups should be kept
off premises (or cloud-based). Know in advance what critical
data will need to be restored quickly to remain operational.
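The backup item above asks for enough redundancy to find a “clean” copy, for exact (verifiable) copies kept off premises, and for knowing in advance which data to restore first. The following is an added example, not code from the article or from HHS, showing one way to operationalize those two pieces: a grandfather-father-son retention policy so that several generations predate any infection, and an integrity manifest (a hash recorded when the backup was written and stored apart from the copy) used to pick the newest backup that is both older than the suspected compromise and still intact. All dates, locations and payloads are constructed for the demonstration; the policy parameters are assumptions, not HIPAA requirements.

```python
# Added example (not from the article): backup retention and clean-restore-point
# selection for an ePHI backup plan. Dates, locations and payloads are constructed.
from __future__ import annotations

import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Backup:
    """One backup generation. The manifest hash is recorded when the backup is
    written and kept separately (e.g. off premises) from the copy itself."""
    taken: datetime
    location: str          # constructed label for an off-site copy
    manifest_sha256: str   # hash recorded at backup time
    payload: bytes         # contents of the copy as they exist now (constructed)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_backup(taken: datetime, location: str, payload: bytes) -> Backup:
    return Backup(taken, location, sha256(payload), payload)


def is_intact(b: Backup) -> bool:
    """'Exact copy' check: the copy's current hash must equal the manifest hash.
    A copy that ransomware has encrypted after it was written fails this check."""
    return sha256(b.payload) == b.manifest_sha256


def retention_keep(backups, now, daily=7, weekly=4, monthly=12):
    """Grandfather-father-son retention (assumed policy): keep the newest backup
    of each of the last `daily` days, each ISO week in the last `weekly` weeks,
    and each calendar month in the last `monthly` months (31-day approximation)."""
    keep = set()

    def newest_per(key, horizon):
        buckets = {}
        for b in backups:
            if b.taken <= horizon:
                continue
            k = key(b.taken)
            if k not in buckets or b.taken > buckets[k].taken:
                buckets[k] = b
        return buckets.values()

    keep.update(newest_per(lambda t: t.date(), now - timedelta(days=daily)))
    keep.update(newest_per(lambda t: t.isocalendar()[:2], now - timedelta(weeks=weekly)))
    keep.update(newest_per(lambda t: (t.year, t.month), now - timedelta(days=31 * monthly)))
    return sorted(keep, key=lambda b: b.taken)


def clean_restore_point(backups, suspected_compromise, dwell=timedelta(days=3)):
    """Newest backup taken at least `dwell` before the suspected compromise time
    whose copy still matches its manifest. Returns None if no clean copy exists."""
    cutoff = suspected_compromise - dwell
    for b in sorted(backups, key=lambda b: b.taken, reverse=True):
        if b.taken <= cutoff and is_intact(b):
            return b
    return None


def demo():
    """Constructed scenario: 60 nightly backups, the two newest reached by ransomware."""
    now = datetime(2024, 3, 1, 2, 0)  # constructed 'now'
    backups = [
        make_backup(now - timedelta(days=i),
                    f"offsite-bucket-constructed/ehr-{i}.tar",
                    f"ehr-snapshot-{i}".encode())
        for i in range(60)
    ]
    # Simulate ransomware reaching the two most recent copies: the contents change,
    # but the separately stored manifest hash does not, so the copies fail is_intact().
    tampered = [Backup(b.taken, b.location, b.manifest_sha256, b"ENCRYPTED") for b in backups[:2]]
    backups = tampered + backups[2:]
    kept = retention_keep(backups, now)
    clean = clean_restore_point(backups, suspected_compromise=now)
    return {"now": now, "backups": backups, "kept": kept, "clean": clean}


if __name__ == "__main__":
    result = demo()
    print(f"kept {len(result['kept'])} of {len(result['backups'])} generations")
    print("clean restore point:", result["clean"].taken if result["clean"] else None)
```

The `dwell` margin matters: ransomware often sits in an environment before it detonates, so the newest backup that merely predates the visible outage may already contain encrypted or staged files. Recording the manifest hash away from the backup share is what makes the integrity check meaningful; a hash stored next to the copy can be rewritten along with it.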
7. Test and revise procedures (45 CFR 164.308(a)(7)(ii)(D)).
Be sure to test and revise procedures to ensure they work.
Each workforce member should understand their role in
the plan if a system goes down. Policies and procedures
should be revised as needed.
8. Provide the workforce with security awareness training (45 CFR 164.308(a)(5)). Ransomware threat vectors
exploit the human element; every practice needs a training program that ensures everyone with access to ePHI
is trained in ways to reduce the risk of improper access,
use, and disclosure of ePHI. This includes information
on various forms of phishing and other cyber risks they
may encounter. Most ransomware gets installed by an
unsuspecting user clicking on phishing bait in an email.
Educate the workforce on these risks and be sure to keep
training logs and materials for the required six years. Ensure workforce members know what to do if a malicious
9. Manage passwords (45 CFR 164.308(a)(5)(ii)(D)). Be sure
staff is not sharing passwords and have policies and procedures in place for creating, changing, and safeguarding
passwords. Users should know how to create and safeguard
a secure password. Password sharing, writing down of
passwords, and passwords known to others should be prohibited.
These items should already be part of HIPAA compliance
practices, but as threats evolve, each entity’s security risk
management plan must be re-evaluated with the new threat
landscape considered. It requires all healthcare professionals
to stay on their toes and keep up with evolving threats to ePHI.
Having strong HIPAA compliance means updating security
risk assessments at least annually, whenever there’s a breach,
or when new threats to ePHI are identified. While it is hard to
stay abreast of all threats, it’s important to stay vigilant. Medical devices need to be assessed as part of a security risk assessment, and reassessed as threats change. Cybercriminals won’t
rest, and neither should we.