Health Information Technology   Cybersecurity  

Introduction

An increase in cyber threats is causing health care organizations to take a broader approach to assessing cybersecurity readiness, including response and recovery protocols to help mitigate the impact of a cyber-attack. A cyber-attack can affect an organization’s daily operations, reputation, and finances. Cyber-attacks can cause disruptions in accessing electronic health record systems and compromise the functioning of networked medical devices. They can also create consumer fear about the security of personal health information and damage an organization’s reputation[1]. When a patient’s health information is stolen during a cyber-attack on a health care organization, this information can be used to steal a patient’s identity and commit fraud for years[2]. Cyber-attacks also have financial consequences for a health care organization associated with recovery, such as fines, attorney fees, insurance premium increases, and the cost to recover and repair health information systems and information and to implement corrective actions to prevent future attacks[3].

Cyber-attacks are likely to increase with expanded use of electronic health information. Security practices utilized by health care organizations tend to be less sophisticated when compared to other industries, such as the financial sector[4]. As part of advancing health IT statewide, MHCC seeks to assist health care organizations with identifying and managing cyber threats. The MHCC developed a tool and information briefs, and has held cybersecurity events for health care organizations to increase cybersecurity education and awareness. The MHCC has also worked to identify existing industry resources and best practices to assist organizations with managing cybersecurity.

Resources

MHCC

Cybersecurity Self-Assessment Readiness Tool

The MHCC developed a Cybersecurity Self-Assessment Readiness Tool (tool) to assist health care organizations with assessing cybersecurity readiness. The tool consists of self-evaluation statements grouped by people, processes, policies, and technology. These statements were developed using elements from the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is recognized as a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level.

Hospital Cybersecurity: Evolving Threats Require New Approaches (2016)

In the spring of 2016, MHCC conducted an assessment of hospital cybersecurity inquiring about hospital efforts to prepare for and manage cyber risks. All acute care hospitals participated in the assessment. This information brief highlights key findings from the assessment.

National

National Institute of Standards and Technology Cybersecurity Framework

In 2013, a federal Executive Order entitled Improving Critical Infrastructure Cybersecurity (order) called for the development of the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF). The NIST CSF is recognized as a set of optional standards, best practices, and recommendations for improving cybersecurity at the organizational level, regardless of size, degree of risk, or experience.

Top 10 Tips for Cybersecurity in Health Care

Developed by HealthIT.gov to help small health care practices apply cybersecurity and risk management principles.

American Hospital Association

The American Hospital Association has a list of cybersecurity resources to help hospitals prepare and manage cybersecurity risks.

2016 HIMSS Cybersecurity Survey

HIMSS has introduced a research program to assess health care organizations’ experience with cybersecurity across the nation.

Report on Improving Cybersecurity in the Health Care Industry

The Health Care Industry Cybersecurity Task Force's report to Congress highlights six high-level imperatives and associated recommended action items to make improvements in cybersecurity practices in the health care industry.

Symantec Cybersecurity in Healthcare: Why It’s Not Enough, Why It Can’t Wait

Provides an overview of the consequences of cyber-attacks and data breaches on the health care industry.

Cybersecurity Events

Hospital Cybersecurity Symposium

The MHCC in collaboration with the Healthcare Information Management Systems Society Maryland Chapter (MD HIMSS), the Maryland Hospital Association (MHA), and the Health Services Cost Review Commission (HSCRC) convened a Hospital Cybersecurity Symposium (symposium) on September 7, 2016. The symposium included presentations by industry leaders who shared insights about the impact of evolving cyber threats and shared best practices for risk management, including vendor accountability and cyber liability insurance.

Health IT User Education Roundtable: A Best Practices Symposium

In collaboration with MD HIMSS, the MHA, and HSCRC, staff convened a Health IT User Education Roundtable: A Best Practices Symposium (symposium) on March 27, 2017. Industry leaders gathered to discuss end-user behavior and knowledge gaps that directly impact health care security. Presenters shared best practices based on real-life scenarios for improving security and reducing human error.  



______________________________________

1. CSO. A deeper look at business impact of a cyberattack, August 2016. Available at: http://www.csoonline.com/article/3110756/data-breach/a-deeper-look-at-business-impact-of-a-cyberattack.html.
2. Symantec. Cybersecurity in Healthcare: Why It’s Not Enough, Why It Can’t Wait. Available at: https://www.symantec.com/content/dam/symantec/docs/infographics/symantec-healthcare-it-security-risk-management-study-en.pdf.
3. CSO. A deeper look at business impact of a cyberattack, August 2016. Available at: http://www.csoonline.com/article/3110756/data-breach/a-deeper-look-at-business-impact-of-a-cyberattack.html.
4. Anderson, M. Technology Device Ownership: 2015. Pew Research Center: Internet, Science, and Tech. October 29, 2015. Available at: http://searchsecurity.techtarget.com/news/2240219483/FBI-notice-Healthcare-security-not-as-mature-as-other-verticals.

Last Updated: 6/13/2017