Information Security Policy in Healthcare: Benefits and Resources

In a time of increasing cyberattacks, you can protect yourself by developing strong healthcare cybersecurity policies and training practices.

May 31, 2024

Article Highlights

In 2023, the number of healthcare ransomware attacks increased by 74% worldwide, compared to 2022. It's even worse in the US, where attacks against healthcare organizations rose 128% during the same period, causing delayed medical procedures, disrupted patient care, and more.

A brief by HealthcareDive highlights the impact of recent large-scale attacks:

“Major hospital chains like Ascension and CommonSpirit have been targeted, and a ransomware attack against UnitedHealth’s technology firm Change Healthcare disrupted key tasks like claims processing and payment across the healthcare sector.

“Attacks against providers can have potentially serious effects on care delivery, and it sometimes takes weeks for hospitals to fully recover… Ransomware can shut down electronic health records, delay scheduled procedures and force ambulances to divert to other facilities.”

With these recent (and increasing) attacks, it's critically important to improve information security for your healthcare facility. This starts with developing and implementing an information security policy. 

What is an information security policy? It is the set of rules and guidelines that govern an organization’s digital operation, including who can access particular folders and documents, and the procedures that keep the organization from falling prey to healthcare cyberattacks.

This policy will cover every way in which your employees interact with technology, so it will need to be uniquely suited to your organization. It isn’t enough to simply take a boilerplate healthcare IT security policy and use it as your own.

In this article, we’ll explore in depth just what an information security policy is, and we’ll look at examples of healthcare information security policies. Finally, we’ll explore the process of creating your own policies, a task that is growing only more essential.

What is an information security policy?

An information security policy (ISP) is a guidebook or manual that establishes the procedures and rules that are designed to keep all users and networks safe within an organization. It explains the standards of IT security and data protection, and it lays out the actions that will maintain those standards.

While other healthcare policies cover patient care, health and safety, and other topics, information security policies purely focus on the digital landscape of your operation. 

Modern healthcare facilities and systems use integrated technology throughout most of their operation, ranging from staff email accounts to secure patient data. A healthcare information security policy needs to cover all of this: data, systems, devices, infrastructure, and all users.

The purposes of an information security policy include:

  • Establishing a plan around information security
  • Creating documentation around security measures and user access control
  • Using tools to detect misuse of data or compromised networks or devices, and to minimize the impact when it happens
  • Complying with legal and regulatory requirements and frameworks, including HIPAA, NIST, GDPR, and FERPA
  • Protecting patients’ private health information, as well as financial data such as credit card numbers
  • Establishing plans to respond to healthcare cybersecurity risks

These measures all help to keep your hospital safe, and to protect your patients and preserve your reputation.

Benefits of information security policies in healthcare

With so much of healthcare now existing digitally, from patient communication to scheduling to lab reports, you want your IT to run smoothly and consistently. Any problems in your operation can lead to delays or miscommunication.

There are also external threats, which pose even greater dangers.

Altogether, information security is a critical component of your ecosystem – one that needs to be protected proactively.

Protect against cyberattacks

Hospitals and healthcare facilities do life or death work. Your files and data are essential to the health and wellbeing of your patients. And if you’re forced to stop operating even for an hour, it can have costly impacts on those you treat.

Hackers are well aware of this. They know that if they can compromise your systems, you will likely be forced to pay them off to protect your patients. And these hackers have no concern for the lives they could potentially damage.

In 2020, ransomware attacks cost the healthcare industry $20.8 billion in downtime, which is twice as high as in 2019.

In these attacks, hackers typically use phishing to get an employee to unwittingly open a file that gives the attackers control of a computer. Once they have that foothold, they move through the network until they can take control of your servers. At that point, they encrypt the servers and demand payment to give control back to you.

At the St. Joseph’s Candler health system in Savannah, Georgia, a ransomware attack was detected quickly, but it still forced the staff to switch temporarily to paper records and to manually reschedule appointments.

"The truth is that there are a lot of advancements happening in the hacker side of it, how they can get access to those systems," said Soumitra Bhuyan, assistant professor at the Edward J. Bloustein School of Planning and Public Policy at Rutgers University. "It's really scary, right? It's evil."

According to an IBM report, most organizations are far slower to detect a breach, averaging about 280 days from intrusion to discovery. Some healthcare systems went an entire year without knowing that they’d been hacked.

An effective ISP addresses this in two ways:

  1. It creates operational best practices that protect the organization from being hacked. This can include training for employees on how to recognize and avoid phishing schemes.
  2. It also prepares the organization to quickly detect any attack and to respond to the threat, while protecting the operation’s critical information.

While this is the biggest benefit to an information security policy, it isn’t the only one.

Creating Consistency

Much of your operation is likely now digital, and by adopting strong IT policies, you give your staff the tools they need to be consistent in this side of operations. That benefit will extend to your patients, as consistency within the staff leads to consistency in the patient experience.

Increasing Compliance

Health data is protected by HIPAA and several other laws and guidelines at the federal and state levels. These standards require you to have strong security around private patient information.

By proactively creating a strong healthcare information security policy, you are keeping yourself in compliance with those standards. This also makes the compliance process more efficient, allowing you to focus on other necessary work.

Examples of information security policies

As you consider your own IT security needs, you can start by looking at some information security policy examples from other healthcare providers.

A good first stop is the Office of the National Coordinator for Health Information Technology, which provides an information security policy template that is specifically created for hospitals. 

Note that these policies don’t have to be extensive. They simply must be written clearly and efficiently, making them easy for employees to consume and comprehend.

How to develop information security policies

In creating an information security policy, a good first step is to audit every digital element of your health system. This means your website, staff email, scheduling services, software, and devices.

Each of these areas presents a potential danger, so they should be catalogued. In the eyes of a hacker, every digital aspect of your operation is an area to be targeted and exploited.

As a next step, you can review information security policy templates, as well as referring to healthcare cybersecurity resources such as HIMSS. But remember that your policy will need to be specifically tailored to your operation, not simply copied from a policy template.

With your IT team, you should then go through your comprehensive list of digital operations and assess potential threats and weak points. Where are you strong? Where do you need more security?

The U.S. Department of Health and Human Services offers a checklist to help you consider the threat to your organization.

This risk assessment process should also evaluate the size and scope of potential threats. This will help you to prioritize the actions you take.

The next step is to implement controls. Using your risk assessment, develop a plan to address the dangers you identified. This can include internal threat detection, backups of your critical data, and training that prepares staff to recognize and avoid hacking attempts.

Remember to compare your healthcare cybersecurity policy to relevant standards and laws, such as HIPAA regulations.

Lastly, develop a plan to communicate your ISP to employees and train them on it. Most ransomware attacks start by exploiting staff members. Prepare them to serve as your first line of defense.

Confronting the evil of hackers

It is hard to imagine that anyone would attack a hospital and endanger patients, but that is the world we live in. The threat is coming, but you can be proactive so that you’ll be ready if/when it arrives.

This means understanding your digital operation and knowing all of your potential weak points, implementing strong controls, and preparing your staff to be on alert.

Creating an effective healthcare cybersecurity policy will protect your data, your patients, and your reputation. It can also save you a great deal of time and money.

This is just one of the several healthcare policies that are critical to making your organization consistent, safe, and secure. To learn more about other essential policies, read this article, 10 policies your healthcare organization needs.
