- What is an information security policy?
- Benefits of information security policies in healthcare
- Examples of information security policies
- How to develop information security policies
In 2020, more than one third of healthcare organizations were hit by ransomware attacks. In 65% of those instances, cyber criminals were successful at encrypting hospitals’ data.
And this is only getting worse, according to the Wall Street Journal:
“A ransomware attack on a national hospital chain nearly brought Las Vegas hospitals to their knees. Another attack in Oregon abruptly shut down alerts tied to patient monitors tracking vital signs. In New York, one county’s only trauma center briefly closed to ambulances, with the nearest alternative 90 miles away.
“Multiple attacks were carried out in recent months against U.S. hospitals, suspending some surgeries, delaying medical care and costing hospitals millions of dollars.”
Creating information security for your health system or facility is of critical importance, and that starts with developing and implementing an information security policy.
What is an information security policy? It is the set of rules and guidelines that cover an organization’s digital operation, including who can access certain folders and documents, and procedures to avoid falling prey to healthcare cyberattacks.
Because this policy will cover every way in which your employees interact with technology, it will need to be uniquely suited to your organization. It isn’t enough to simply take a boilerplate healthcare IT security policy and use it as your own.
In this article, we’ll explore in depth just what an information security policy is, and we’ll look at examples of healthcare information security policies. Finally, we’ll explore the process of creating your own policies, a task that is growing only more essential.
What is an information security policy?
An information security policy (ISP) is a guidebook or manual that establishes the procedures and rules that are designed to keep all users and networks safe within an organization. It explains the standards of IT security and data protection, and it lays out the actions that will maintain those standards.
While other healthcare policies cover patient care, health and safety, and other topics, information security policies purely focus on the digital landscape of your operation.
Modern healthcare facilities and systems use deeply integrated technology throughout most of their operation, ranging from staff email accounts to secure patient data. A healthcare information security policy needs to cover all of this: secure data, systems, devices, infrastructure, data, and all users.
The purposes of an information security policy include:
- Establishing a plan around information security
- Creating documentation around security measures and user access control
- Using tools to detect the misuse of data or compromised networks or devices, and to minimize the impact
- Complying with legal and regulatory requirements, including HIPAA, NIST, GDPR, and FERPA
- Protecting patients’ private information, as well as their data including credit card numbers
- Establishing plans to respond to healthcare cybersecurity risks
These measures all help to keep your hospital safe, and to protect your patients and preserve your reputation.
Benefits of information security policies in healthcare
With so much of healthcare now existing digitally, from patient communication to scheduling to lab reports, you want your IT to run smoothly and consistently. Any problems in your operation can lead to delays or miscommunication.
There are also external threats, which pose even greater dangers. Altogether, this is a critical component of your ecosystem, and one that needs to be proactively protected. Addressing these head on are the primary benefits of information security policies.
Protect against cyberattacks
Hospitals and healthcare facilities do life or death work. Your files and data are essential to the health and wellbeing of your patients. And if you’re forced to stop operating even for an hour, it can have costly impacts on those you treat.
Hackers are well aware of this. They know that if they can compromise your systems, you are likely forced to pay them off to protect your patients. And these hackers have no concerns about the lives they could potentially damage.
In 2020, ransomware attacks cost the healthcare industry $20.8 billion in downtime, which is twice as high as in 2019.
In these attacks, hackers use phishing efforts to get an employee to unwittingly download a file that will enable the hackers to take over a computer. And once given a foothold, they spread through the system, until they can take control over your servers. At that point, hackers encrypt the servers and demand payment to give control back to you.
At the St. Joseph’s Candler health system in Savannah, Georgia, a ransomware attack was detected quickly, but it still forced the staff to switch temporarily to paper records and to manually reschedule appointments.
"The truth is that there are a lot of advancements happening in the hacker side of it, how they can get access to those systems," said Soumitra Bhuyan, assistant professor at the Edward J. Bloustein School of Planning and Public Policy at Rutgers University. "It's really scary, right? It's evil."
According to an IBM report, most organizations are far slower to detect a breach, averaging about 280 days. Some healthcare systems went an entire year not knowing that they’d been hacked.
An effective information security policy addresses this in two ways:
First, it creates best practices for operating that protect the organization against being hacked in the first place. This can include training for employees on how to recognize and avoid phishing schemes.
Second, it prepares the organization to quickly detect any attack and to respond to the threat, while protecting the operation’s critical information.
While this is the biggest benefit to an information security policy, it isn’t the only one.
Much of your operation is likely now digital, and by adopting strong IT policies, you give your staff the tools they need to be consistent in this side of operations. That benefit will extend to your patients, as consistency within the staff leads to consistency in the patient experience.
Health data is protected by HIPAA and several other laws and guidelines at the federal and state levels. These standards require you to have strong security around private patient information.
By proactively creating a strong healthcare information security policy, you are keeping yourself in compliance with those standards. This also makes the compliance process more efficient, allowing you to focus on other necessary work.
Examples of information security policies
As you consider your own IT security needs, you can start by looking at some information security policy examples from other healthcare providers.
A good first stop is the Office of the National Coordinator for Health Information Technology, which provides an information security policy template that is specifically created for hospitals.
To see what a fully developed and individualized IT security policy looks like, Queensland Health in Australia has a robust policy that is available online.
Another information security policy example is available from the UCLA health system.
Note that these policies don’t have to be extensive. They are clearly written and efficient, making them easy for employees to consume and comprehend.
How to develop information security policies
In creating an information security policy, a good first step is to capture on paper all the ways that your health system exists in a digital space. This means your website, staff email, scheduling services, software, and devices. If you already have such a list created, you can start with that.
It’s important to capture and catalog all of this information because each of these areas presents a potential danger. In the eyes of a hacker, every digital aspect of your operation is an area to be targeted and exploited.
As a next step, you can review information security policy templates, as well as referring to healthcare cybersecurity resources such as HIMSS. But remember that your policy will need to be specifically tailored to your operation, not simply copied from a policy template.
With your IT team, you should then go through your comprehensive list of your digital operation and together assess potential threats and weakness points. Where are you strong? Where do you need more security?
The U.S. Department of Health and Human Services offers a checklist to help you consider the threat to your organization.
This risk assessment process also should evaluate the size and scope of potential threats. This will help you to prioritize the actions you take.
The last step is to implement controls. Using your risk assessment, develop a plan to address those dangers. This can include internal threat detection, backups for your critical data, and training for staff to prepare them to recognize and avoid hacking attempts.
Remember to compare your healthcare cybersecurity policy to relevant standards and laws, such as HIPAA regulations.
Lastly, develop a plan to communicate to your employees this information security policy and to train them on it. Most ransomware attacks start by exploiting staff members. Prepare them to serve as your first line of defense.
Confronting the evil of hackers
It is hard to imagine that anyone would attack a hospital and endanger patients, but that is the world we live in. That threat is coming, but you can be proactive so that you’ll be ready when the danger comes.
This means understanding your digital operation and knowing all of your potential weak points, implementing strong controls, and preparing your staff to be on alert.
Creating an effective healthcare cybersecurity policy will protect your data, your patients, and your reputation. It can also save you a great deal of time and money.
This is just one of the several healthcare policies that are critical to making your organization consistent, safe, and secure. To learn more about other essential policies, read this article, 10 policies your healthcare organization needs.