Cybersecurity
Bracing against the breach
by Jeff Woodham

When it comes to cybersecurity in the home medical equipment (HME) space, the top three things providers need to understand are the risks to their organizations and patients, their technical threats and vulnerabilities, and how to improve their cybersecurity posture. Let’s take a deep dive into all three.

Cyber Risks for HME Providers

First, let’s explore the ways that cybercriminals can cause harm to HME providers and their patients. Unfortunately, there’s no shortage of reasons why HME providers should take their organization’s cybersecurity very seriously. Here are a few of the top motivators.

Cost

Health care’s cyber risk landscape is treacherous. Many people don’t realize how valuable health care data is to cybercriminals.

Patient information can be sold on the dark web at a higher cost than information from any other industry. This is because health care data can be used for long periods of time to create new identities, secure medical products for resale and even establish new credit.

Additionally, the costs of breach notification expenses, ransomware payments, and infrastructure repairs or rebuilds can be financially disastrous for those companies affected.

With health care experiencing more ransomware attacks than any other industry and the high cost of data breaches, HME providers simply cannot afford to overlook the importance of having adequate cybersecurity precautions in place.

Information

It’s not all about the dollars. The data protected by proper risk management measures is just as important. The four major Health Insurance Portability and Accountability Act (HIPAA) rules are a clear indication of the importance of data protection:

  • HIPAA Privacy Rule: Standards for the usage and disclosure of protected health information (PHI) for covered entities
  • HIPAA Security Rule: Standards for ensuring the security and integrity of PHI and its electronic counterpart, ePHI; this applies to both covered entities and business associates
  • Omnibus Rule: HIPAA compliance enforcement for business associates; standards for business associate agreements (BAAs), which are mandatory for organizations that share PHI
  • HIPAA Breach Notification Rule: Policies covered entities and business associates must follow in the event of a data breach

The more airtight an organization’s cybersecurity measures are, the more easily it can comply with the major HIPAA rules, further protecting the company, its patients and their partners.

Safety

The new identities that can result from compromised PHI can create confusion around treatment history, medication records, etc.—all of which could create delays in treatment or even improper treatment for patients. Inaccurate treatment and medication history can put patients’ safety at risk. If medical products are stolen and resold as well, the risks extend beyond direct patients into the general public.

HME providers also need to take extra precautions to protect employee data such as social security numbers and payroll information. Providers also need to protect organizational data, including bank accounts and credit card numbers. If an HME provider experiences a breach and employee or organizational data becomes public or is used by cybercriminals, the organization could suffer the impacts of fraud, identify theft, cybertheft and public image damage.

Resolutions for Common Threats

Several areas within an organization’s technology landscape need to be protected to ensure proper risk management. Similarly, several basic steps can be taken to greatly increase protection against cybercriminals, particularly when it comes to these common threats and vulnerabilities. Here are some of the most common entrance points for cybercriminals and tactics for addressing them:

Threat: Internet Connection & Outdated Systems

All inbound and outbound digital information has the potential to be compromised in the absence of protective edge connection devices like firewalls. Even
with these protections in place, if cybercriminals can gain administrative access, the connection can still be penetrated. It’s important to have business- or enterprise-level protection at the edge of the internet connection.

Additionally, outdated operating systems (OS), anti-virus and malware tools, and applications like Microsoft Outlook and Office mean known points of exploitation haven’t been patched. Keeping servers and workstations patched and up to date is a best practice for organizational protection.

Resolution: Managed IT Services

To help secure an organization’s internet connection, either internal or outsourced managed information technology (IT) services are critical. Devices like firewalls, switches, routers and wireless access points should all be properly configured and secured; anti-virus and malware programs should be implemented to maximize coverage; server log analytics should be captured, reviewed and acted on; and OS patches for servers, desktops and mobile devices should be kept up to date.

It’s also best practice to employ a 3-2-1 backup policy in the event data is breached. That means making sure in every case there are three copies of data (one in production and two backups), two different backup types (disk, USB, tape, etc.) and one copy offsite for disaster recovery.

Threat: Credentials

Without complex password policies, multi-factor authentication and/or control over third-party and vendor access, an organization’s environment is vulnerable to easy incursion by bad actors.

Resolution: Multi-Factor Authentication

The bottom line is that a username and password are not sufficient for safeguarding access to an HME provider’s environment. Multi-factor authentication is a simple way to add multiple layers of protection and typically involves one of three types of information: something you have (mobile device), something you know (the answer to a question) and/or something you are (a fingerprint).

Threat: End Users & Working From Home

Eighty-one percent of health care cybersecurity incidents can be attributed to employees whose devices are not controlled by the organization, whose web traffic isn’t filtered, who fall for phishing scams that lead to ransomware or who demonstrate other negligent digital behavior—often unknowingly.

Furthermore, when employees work remotely, the organization runs the risk of losing control over cybersecurity efforts due to the use of personal devices with improper tools or with only insufficient consumer-grade protection.

Resolution: Awareness & Training, Phishing Simulation, Policies & Procedures

At a minimum, employee onboarding must include cybersecurity education that should be refreshed annually. The effectiveness of this training should be assessed and adjusted regularly to ensure employees understand the risks and are doing their part to help the organization mitigate them.

Additionally, HME providers should regularly pressure test end user digital behavior via phishing simulation campaigns. These simulations can be further reinforced with extra awareness training for users who fail the test.

The ability to report on the failure rate, remediate the behavior and report on whether the failure rate decreases over time is a great way to measure the effectiveness of the training.

Finally, a sanction policy can enforce disciplinary actions when employees fail to comply with those policies.

Adequate protection against these common vulnerabilities goes a long way toward enhancing an organization’s cybersecurity posture. Cybersecurity
and cyber risk management are a continuous process—they are not one-time, one-off projects.

The statistics show that most organizations have experienced or will experience some sort of cyberattack. It’s important for HME providers to understand the risks these attacks pose to their organizations and patients, the associated technical threats and vulnerabilities and how to improve their overall cybersecurity posture.



Jeff Woodham is the vice president of operations for Mandry Technology Solutions, an IT managed services provider in Texas. He is a certified Healthcare Information Security & Privacy Practitioner (HCISPP) with expertise in HIPAA privacy and security regulation. Reach him at jwoodham@mandrytechnology.com or (806) 791-3661.