Texas Medical Group Blog

Health Care Risk Insights: Protecting Patient Data by Preventing Cyber Attacks

The threat of data breaches at health care facilities is daunting. Privacy is the foundation of hospital information systems, and compliance with the Health Insurance Portability and Accountability Act (HIPAA), along with the facility's reputation, will be jeopardized if just one patient's information falls into the wrong hands. Health care facilities are particular targets for two reasons:

  • Type of data stored: Health care facilities may retain patients' Social Security numbers, insurance and financial account data, dates of birth, names, billing addresses and phone numbers, making them a significant target for cyber attacks.
  • Many potential vulnerabilities: Health care facilities are obligated to provide access to several external networks and web applications in order to stay connected with patients, employees, insurers and business partners. The volume of shared data represents a risk.

It is far less expensive, both financially and reputationally, to prevent a cyber breach than to notify individuals and the Department of Health and Human Services of a breach as required by the Health Information Technology for Economic and Clinical Health Act (HITECH). As a result, administrators must respond by preventing, detecting and responding to cyber attacks or misuse of patient records through a well-orchestrated cybersecurity program.


What are the risks?

The first step in protecting your business is to recognize the parts of your processes that are prone to cyber attack. 

Applications and systems: External applications and systems are ripe for improper access to sensitive patient data. Since administrators do not have complete control over the security of external applications, facilities should perform web application security testing regularly.

Software flaws: Weaknesses in software and computer systems attract hackers and intruders. The results of this cyber risk can range from minimal mischief, such as creating a virus with no negative impact, to malicious activity such as stealing or altering information. Intrusion prevention and detection systems can alert you to cyber attacks and allow you to respond in real time.

Malicious code (viruses, worms and Trojan horses): There are several types of malicious code that can put your organization at risk:

  • Viruses: This type of code requires that the user take an action before it can infect your system, such as opening an email attachment or visiting a particular web page.
  • Worms: This code propagates through systems without user intervention. Worms usually start by exploiting a software flaw or weakness. Once the victim's computer is infected, the worm will attempt to find and infect other computers.
  • Trojan horses: This code is software that claims to be one thing while it is acting differently behind the scenes (for example, a program that claims to speed up your computer system but is actually sending confidential information to a remote intruder).

Implementing systems to prevent these attacks, including firewalls and regular security controls, is essential to protecting sensitive data.

Unencrypted email: HIPAA guidelines require that some email communications with physicians' offices and hospitals be encrypted to protect patient information. Since most communication is now electronic, monitoring these channels is especially important.

Insiders: Current or former employees ranging from billing clerks to clinicians should understand that the consequences for consulting patient records without a valid cause can range from serious punishment to termination. Employees are often simply curious, and only strict policies can effectively prevent this type of data loss. Many facilities have implemented log monitoring for this purpose, periodically reviewing logs of access to sensitive patient data.
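As an added illustration of the log review described above (not code from the original article), the Python below scans a constructed EHR access log and flags record lookups for which the user has no documented care assignment, or where the action does not fit the user's role. The log format, the assignment table and the role names are assumptions for the example.

```python
"""Flag EHR record accesses that lack a documented care relationship.

Added illustration: the log lines, assignment table and role names below are
constructed for this example and are not from any real system.
"""
import csv
import io
from collections import defaultdict

# Constructed sample access log: timestamp, user, role, patient id, action.
ACCESS_LOG = """\
timestamp,user,role,patient,action
2024-03-01T08:02:11,jsmith,nurse,P1001,view
2024-03-01T08:15:40,jsmith,nurse,P1002,view
2024-03-01T09:30:05,bclerk,billing,P1001,view_billing
2024-03-01T12:44:19,jsmith,nurse,P2099,view
2024-03-01T12:45:02,jsmith,nurse,P2100,view
2024-03-01T13:10:55,bclerk,billing,P2099,view
"""

# Constructed care assignments: patients each user has a valid reason to access.
ASSIGNMENTS = {
    "jsmith": {"P1001", "P1002"},
    "bclerk": {"P1001", "P1002", "P2099"},
}

# Actions expected for each role (assumed); anything else is worth a second look.
ROLE_ACTIONS = {"nurse": {"view"}, "billing": {"view_billing"}}


def find_unjustified_access(log_text, assignments, role_actions):
    """Return (user, patient, reason) tuples for accesses a reviewer should examine."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        user, role = row["user"], row["role"]
        patient, action = row["patient"], row["action"]
        if patient not in assignments.get(user, set()):
            # The "curiosity" pattern: a record the user is not assigned to.
            findings.append((user, patient, "no care relationship"))
        elif action not in role_actions.get(role, set()):
            # Assigned patient, but the action is outside the role's normal duties.
            findings.append((user, patient, f"action '{action}' unexpected for role {role}"))
    return findings


def summarize_by_user(findings):
    """Count findings per user so reviewers can prioritize who to follow up with."""
    counts = defaultdict(int)
    for user, _, _ in findings:
        counts[user] += 1
    return dict(counts)
```

Run on the constructed log, the two lookups by jsmith on unassigned patients and the billing clerk's clinical-style view are reported for review.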

Physical loss of information: Another potential risk is lost or stolen laptops, which result in the loss of patients' or employees' personal information.

In the event of a security breach, HITECH calls for notification of the individuals concerned and Health and Human Services (HHS) within a short time span.


Risk Management

In the event of an HHS or HIPAA spot audit, facilities must prove that they are compliant with all regulations and requirements outlined in HIPAA and HITECH.

To reduce your facility's cyber risks, it is wise to develop a comprehensive risk management plan. Risk management solutions utilize industry standards and best practices to assess hazards from unauthorized access, use, disclosure, disruption, modification or destruction of your facility's information systems. Afterwards, security risk assessments are conducted periodically, which will give you a better understanding of the risks posed to the protected health information and personally identifiable information covered by these two acts.

You should also examine the controls in place at your facility to ensure they are sufficient for regulatory requirements. Executing this process helps your organization remain in compliance and demonstrates diligence and a commitment to compliance in the case of an audit. 

The following points should be considered when implementing a risk management strategy:

  • Create a formal, documented risk management plan that covers the scope, roles, responsibilities, compliance standards and methodology for performing cyber risk assessments. This plan should include a characterization of all systems used at the organization based on their function, the data they store and process, and their importance to the facility.
  • Perform security risk assessments at least annually and update them whenever there are significant changes to your information systems or the facilities where systems are housed, or when there are other changes that may affect the organization's vulnerability.


Choosing an ISP

In addition, your organization should take precautionary measures when selecting an internet service provider (ISP), which supplies internet access, website hosting and other services. To choose the ISP that best reduces cyber risk, consider the level of security, privacy and reliability it offers.


Transferring Risk

Cybersecurity is a serious concern for all health care facilities. Contact your agent today to learn about available risk management resources and insurance solutions such as internet and media liability, security and privacy liability, and identity theft insurance.


This Risk Insights is not intended to be exhaustive nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. ©2015 Zywave, Inc. All rights reserved.


