
Protecting Patient Data by Preventing Cyber Attacks
The threat of a data breach in a health care facility is daunting. Privacy is the foundation of hospitals’ information systems, and if even a single patient’s information falls into the wrong hands, it jeopardizes compliance with the Health Insurance Portability and Accountability Act (HIPAA) as well as the facility’s reputation. Health care facilities are particular targets for two reasons:
- Type of data stored: Health care facilities may keep a patient’s social security number, insurance and financial account data, birth date, name, billing address, and phone number, making them a valuable target for cyber attack.
- Many potential vulnerabilities: Health care facilities are obligated to provide access to several external networks and web applications in order to communicate with patients, employees, insurers or business partners. The volume of data shared represents a risk.
It is much less costly, both from a financial and reputational point of view, to prevent a cyber intrusion than to notify affected individuals and the Department of Health and Human Services of a breach as required by the Health Information Technology for Economic and Clinical Health Act (HITECH). As a result, administration must respond by preventing, detecting and responding to cyber attacks or misuse of patient records through a carefully planned cybersecurity program.
What are the Risks?
The first step in protecting your operations is identifying the parts of your processes that are vulnerable to cyber attack.
Applications and systems: External applications and systems are ripe for inappropriate access to sensitive patient data. Because administrators cannot fully control the security of external applications, facilities should perform web application security testing on a regular basis.
Software flaws: Weaknesses in software and computer systems attract hackers and intruders. The results of this type of cyber risk can range from minor mischief (such as creating a virus with no negative impact) to malicious activity (stealing or altering information). Intrusion prevention and detection systems can alert you to cyber attacks and allow you to respond in real time.
Malicious code (viruses, worms and Trojan horses): There are various types of malicious code that can put your organization at risk:
- Viruses: This type of code requires the user to take an action before it infects your system, such as opening an email attachment or going to a particular webpage.
- Worms: This code propagates between systems without user intervention. Worms typically begin by exploiting a software flaw or weakness. Once a victim’s computer is infected, the worm will attempt to find and infect other computers.
- Trojan horses: This code is software that claims to be one thing but behaves differently behind the scenes (for example, a program that claims to speed up your computer system but is actually sending confidential information to a remote intruder).
Implementing systems to prevent these attacks, including firewalls and routine security controls, is essential to protecting sensitive data.
Email lacking encryption: HIPAA guidelines require some email communications with physicians’ offices and hospitals to be encrypted in order to protect patient information. Because most communication is now electronic, monitoring these channels is particularly important.
Insider attack: Employees, both current and former, from billing clerks to clinicians, should understand that the consequences of viewing patient records without a legitimate reason can be severe penalties or even termination. Often employees are simply curious, and only a strict policy can effectively prevent this type of data loss. Many facilities implement log monitoring, in which logs of access to sensitive patient data are regularly reviewed.
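The log review described above can be partly automated. The following is an added example, not code from the original article or from Zywave: it parses a handful of constructed patient-record access log lines and flags the entries a human reviewer should look at, namely access to a patient the user has no rostered care relationship with, clinical chart views outside working hours, and billing staff opening clinical charts. The log format, the field names, the care-team roster and the business-hours window are all assumptions made for the example; a real EHR audit log and assignment system will differ.

```python
"""Added example (not from the original article): a minimal review of patient-record
access logs of the kind many facilities monitor for insider misuse.

Everything below that looks like data is constructed for illustration: the log
format, the user names, the care-team roster and the working-hours window are
hypothetical, not taken from any real system.
"""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log lines: timestamp | user | role | patient_id | action
SAMPLE_LOG = """\
2015-03-02T09:14:05 | jdoe   | nurse     | P1001 | view_chart
2015-03-02T09:20:11 | jdoe   | nurse     | P1002 | view_chart
2015-03-02T22:41:30 | bclerk | billing   | P1001 | view_chart
2015-03-03T10:02:44 | bclerk | billing   | P1001 | view_billing
2015-03-03T10:05:09 | asmith | physician | P2001 | view_chart
2015-03-03T10:06:51 | asmith | physician | P2002 | view_chart
2015-03-03T10:07:12 | asmith | physician | P2003 | view_chart
"""

# Constructed care-team roster: which staff have a legitimate relationship with
# which patients. In practice this would come from scheduling/assignment systems.
CARE_TEAM = {
    "jdoe": {"P1001", "P1002"},
    "bclerk": {"P1001"},  # billing staff may work on P1001's account
    "asmith": {"P2001"},
}

# Actions that expose clinical data; billing-only actions are treated separately.
CLINICAL_ACTIONS = {"view_chart"}
# Assumed local working window (inclusive) for the after-hours check.
BUSINESS_HOURS = (time(7, 0), time(19, 0))


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    user: str
    role: str
    patient: str
    action: str


def parse_log(text):
    """Parse the pipe-delimited constructed format into AccessEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, role, patient, action = (f.strip() for f in line.split("|"))
        events.append(AccessEvent(datetime.fromisoformat(ts), user, role, patient, action))
    return events


def review_access(events, roster=CARE_TEAM, hours=BUSINESS_HOURS):
    """Return (event, reason) pairs that deserve a human reviewer's attention.

    Three deliberately simple checks:
      * no_relationship: the user touched a patient they are not rostered for
      * after_hours:     clinical data was viewed outside the working window
      * role_mismatch:   billing staff opened a clinical chart
    An event can trigger more than one reason.
    """
    findings = []
    for ev in events:
        if ev.patient not in roster.get(ev.user, set()):
            findings.append((ev, "no_relationship"))
        if ev.action in CLINICAL_ACTIONS and not (hours[0] <= ev.ts.time() <= hours[1]):
            findings.append((ev, "after_hours"))
        if ev.role == "billing" and ev.action in CLINICAL_ACTIONS:
            findings.append((ev, "role_mismatch"))
    return findings


def summarize(findings):
    """Count findings per user so reviewers can prioritise who to talk to."""
    counts = {}
    for ev, _reason in findings:
        counts[ev.user] = counts.get(ev.user, 0) + 1
    return counts


if __name__ == "__main__":
    flagged = review_access(parse_log(SAMPLE_LOG))
    for ev, reason in flagged:
        print(f"{ev.ts.isoformat()} {ev.user:<7} {ev.patient} {ev.action:<13} -> {reason}")
    print("per-user totals:", summarize(flagged))
```

On the constructed sample this flags the billing clerk's late-night chart view twice (after hours and role mismatch) and the physician's two views of patients outside their roster, while the nurse's routine daytime accesses pass. The point is not the specific rules but that a care-relationship roster, working hours and role are the three pieces of context a plain access log lacks; without them a reviewer cannot tell curiosity from care.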
Physical loss of information: Another potential risk is that of lost or stolen laptops, which lead to missing personal information related to patients or employees.
In the event of a security breach, HITECH requires that the affected individuals and the Department of Health and Human Services (HHS) be notified within a short period of time.
Risk Management
In the case of a surprise HHS or HIPAA inspection, facilities must demonstrate that they comply with all regulations and requirements outlined in HIPAA and HITECH.
To reduce your facility’s cyber risk, it is wise to develop a comprehensive risk management plan. Risk management solutions use industry standards and best practices to assess the harm arising from unauthorized access, use, disclosure, disruption, modification or destruction of your facility’s information systems. Thereafter, perform regular security risk assessments, which will give you a better understanding of the risks to your protected health information and personally identifiable information.
You should also review your facility’s controls to ensure they are adequate to meet regulatory requirements. Performing this process helps your organization stay compliant and demonstrate diligence and a commitment to compliance in the event of an audit.
Consider the following when implementing risk management strategies:
- Create a formal, documented risk management plan that addresses the scope, roles, responsibilities, compliance criteria and methodology for performing cyber risk assessments. The plan should include a characterization of all systems used in the organization according to their function, the data stored and processed, and their importance to the facility.
- Conduct a security risk assessment at least annually, and update it whenever there is a significant change to your information systems or to the facilities that house them, or when other changes occur that could affect the organization’s vulnerabilities.
Selecting an ISP
In addition, your facility should take precautions when selecting an Internet service provider (ISP), which provides access to the internet, website hosting and other services. To select the ISP that will best reduce your cyber risks, consider the level of security, privacy and reliability it offers.
Transferring the Risk
Cybersecurity is a serious concern for all health care facilities. Contact your agent today to learn about the available risk management resources and insurance solutions, such as internet and media liability, security and privacy liability, and identity theft insurance.
This document is not intended to be exhaustive, nor should any discussion or opinions be construed as legal advice. Readers should contact legal counsel or an insurance professional for appropriate advice. © 2015 Zywave, Inc. All rights reserved.