Health Information Technology   Cybersecurity  

Introduction

An increase in cyber threats is causing health care organizations to take a broader approach to assessing cybersecurity readiness, including response and recovery protocols to help mitigate the impact of a cyber-attack. A cyber-attack can affect an organization’s daily operations, reputation, and finances. Cyber-attacks can disrupt access to electronic health record systems and compromise the functioning of networked medical devices. They can also create consumer fear about the security of personal health information and damage an organization’s reputation[1]. When a patient’s health information is stolen during a cyber-attack on a health care organization, this information can be used to steal a patient’s identity and commit fraud for years[2]. Cyber-attacks also have financial consequences for a health care organization associated with recovery, such as fines, attorney fees, insurance premium increases, and the cost to recover and repair health information systems and information, as well as to implement corrective actions to prevent future attacks[3].

Cyber-attacks are likely to increase with expanded use of electronic health information. Security practices utilized by health care organizations tend to be less sophisticated when compared to other industries, such as the financial sector. As part of advancing health IT statewide, MHCC seeks to assist health care organizations with identifying and managing cyber threats. The MHCC has developed a tool and information briefs, and has held cybersecurity events for health care organizations to increase cybersecurity education and awareness. The MHCC has also worked to identify existing industry resources and best practices to assist organizations with managing cybersecurity.

Resources

MHCC

Cybersecurity Flyer (2018)

Health care providers are susceptible to cyber-attacks that can disrupt operations and result in financial cost and reputational harm. Minimizing cyber risks is essential. This flyer provides some practical steps practices can take to improve security.

Cybersecurity Self-Assessment Readiness Tool (2018)

The Cybersecurity Self-Assessment Readiness Tool (tool) is designed to assist health care organizations with assessing cybersecurity readiness.  The tool consists of self-evaluation statements grouped by people processes, policies, and technology.  These statements align with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF).  The NIST CSF is recognized as a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level.  The MHCC encourages health care organizations to use the tool to improve awareness of potential gaps in cybersecurity.  We encourage users to provide feedback about the value in using the tool for future enhancements.  A brief survey is available at the following link:  www.surveymonkey.com/r/CSSAToolFeedback

Health Care Data Breaches:  2017 Findings (2018)

The MHCC analyzed health care data breaches reported in 2017 to the Department of Health & Human Services Office for Civil Rights. The report assesses the number of breaches reported and records compromised, and key trends in Maryland and the nation.

Health Care Data Breaches:  How Maryland Compares (2017)

The MHCC analyzed health care breaches reported to the Department of Health & Human Services Office for Civil Rights from 2013 through 2016.  This report presents Maryland's ranking in relation to other states and provides a more detailed evaluation of records compromised and location of breached information. 

Health Care Data Breaches:  A Changing Landscape (2017)

The MHCC analyzed health care breaches reported to the Department of Health & Human Services Office for Civil Rights from 2010 through 2016.  This information brief discusses the increasing prevalence of health care breaches, and includes recommendations on enhancing security processes to prepare for and mitigate the effects of new and evolving cyber threats. 

Hospital Cybersecurity: Evolving Threats Require New Approaches (2016)

HIMSS has introduced a research program to assess health care organizations' experience with cybersecurity across the nation.

National

National Institute of Standards and Technology Cybersecurity Framework

In 2013, a federal Executive Order entitled, Improving Critical Infrastructure Cybersecurity (order), called for the development of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is recognized as a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level, regardless of size, degree of risk, or experience.

Top 10 Tips for Cybersecurity in Health Care

Developed by HealthIT.gov to help small health care practices apply cybersecurity and risk management principles.

American Hospital Association

The American Hospital Association has a list of cybersecurity resources to help hospitals prepare and manage cybersecurity risks.

2017 HIMSS Cybersecurity Survey

HIMSS has introduced a research program to assess health care organizations' experience with cybersecurity across the nation.

Report on Improving Cybersecurity in the Health Care Industry

The Health Care Industry Cybersecurity Task Force's report to Congress highlights six high-level imperatives and associated recommended action items to make improvements in cybersecurity practices in the health care industry.

Symantec Cybersecurity in Healthcare: Why It’s Not Enough, Why It Can’t Wait

Provides an overview of the consequences of cyber-attacks and data breaches on the health care industry.

Cybersecurity Events

Cybersecurity Lunch & Learn Webinar

As part of Cybersecurity Awareness Month in October, the Maryland Health Care Commission is hosting a Back to Basics Cybersecurity Lunch and Learn Webinar on Thursday, October 25th from 12:00 pm to 1:00 pm EDT in collaboration with the Maryland Department of Commerce and Mokxa Technologies. Small practices are encouraged to learn about practical, cost-effective steps that can reduce risk from threats like ransomware. Also, learn about a new Maryland cybersecurity tax credit and a free cybersecurity self-assessment tool. More information is available here. To register, click here.

Hospital Cybersecurity Symposium

The MHCC in collaboration with the Healthcare Information Management Systems Society Maryland Chapter (MD HIMSS), the Maryland Hospital Association (MHA), and the Health Services Cost Review Commission (HSCRC) convened a Hospital Cybersecurity Symposium (symposium) on September 7, 2016. The symposium included presentations by industry leaders who shared insights about the impact of evolving cyber threats and shared best practices for risk management, including vendor accountability and cyber liability insurance.

Health IT User Education Roundtable: A Best Practices Symposium

In collaboration with MD HIMSS, the MHA, and HSCRC, staff convened a Health IT User Education Roundtable: A Best Practices Symposium (symposium) on March 27, 2017. Industry leaders gathered to discuss end-user behavior and knowledge gaps that directly impact health care security. Presenters shared best practices based on real-life scenarios for improving security and reducing human error.  



______________________________________

1. CSO. A deeper look at business impact of a cyberattack, August 2016. Available at: http://www.csoonline.com/article/3110756/data-breach/a-deeper-look-at-business-impact-of-a-cyberattack.html.
2. Symantec. Cybersecurity in Healthcare: Why It’s Not Enough, Why It Can’t Wait. Available at: https://www.symantec.com/content/dam/symantec/docs/infographics/symantec-healthcare-it-security-risk-management-study-en.pdf.
3. CSO. A deeper look at business impact of a cyberattack, August 2016. Available at: http://www.csoonline.com/article/3110756/data-breach/a-deeper-look-at-business-impact-of-a-cyberattack.html.
4. Anderson, M. Technology Device Ownership: 2015. Pew Research Center: Internet, Science, and Tech. October 29, 2015. Available at: http://searchsecurity.techtarget.com/news/2240219483/FBI-notice-Healthcare-security-not-as-mature-as-other-verticals.

Last Updated: 9/24/2018