Cybersecurity safety is patient safety
May 21, 2024
Post-acute care facilities play a unique and important role in the healthcare ecosystem, providing comprehensive support and services to individuals who require long-term medical assistance beyond the traditional hospital stay. Unlike acute care settings, post-acute care facilities serve residents with diverse needs and provide a continuum of care, from skilled nursing and rehabilitation therapy to assisted living, memory care, and behavioral health services.
However, this specialized focus comes with distinct challenges in the realm of cybersecurity. Recent staffing mandates announced by the Centers for Medicare and Medicaid Services (CMS), effective April 22, 2024, may create additional hurdles, strain resources, and complicate cybersecurity efforts.
In an era where data breaches and cyber threats loom large, the importance of cybersecurity in post-acute care facilities cannot be overstated. In addition to their responsibility to protect sensitive patient information, post-acute healthcare providers must also deal with the increasing complexity of regulatory compliance and the increasing interconnectedness of healthcare systems.
Recent breaches like the one experienced by Change Healthcare highlight the urgent need for robust cybersecurity measures in post-acute care settings. These incidents not only put patient data at risk, but also the trust and reputation of healthcare organizations.
Healthcare data breaches are the most expensive of any industry, with an average cost of $10.93 million, a 53.3% increase over the past three years. Personal data, especially that of customers and employees, remains a prime target. Because breaches often involve data stored across multiple environments, detection and containment take longer, averaging 291 days. Phishing has become the primary initial attack vector, surpassing credential leaks and cloud misconfigurations.
HICP framework
Recognizing the importance of cybersecurity in post-acute care, the Department of Health and Human Services (HHS) introduced the Healthcare Industry Cybersecurity Practices (HICP) Framework. Developed in collaboration with cybersecurity experts and healthcare professionals, the HICP framework provides comprehensive guidance and best practices specific to the healthcare sector. The core of the HICP framework is to strengthen cybersecurity resiliency and reduce cyber risks across the healthcare continuum.
The HICP framework consists of 10 key practice areas, each addressing an important aspect of cybersecurity management and risk mitigation. These practice areas serve as a blueprint for post-acute care providers to effectively assess and strengthen their cybersecurity posture. From email protection systems and endpoint security to vulnerability management and cybersecurity governance, the HICP framework provides a comprehensive roadmap for strengthening cybersecurity defenses in post-acute care settings.
- Email protection system: Implement robust email security measures such as encryption protocols and phishing detection mechanisms to reduce the risk of email-based threats and data breaches.
- Endpoint protection system: Deploy advanced endpoint security solutions to protect your devices and endpoints from malware, ransomware, and other malicious intrusions.
- Access management: Establish strict access controls and authentication mechanisms to regulate user access to sensitive healthcare data and systems, thereby reducing the risk of unauthorized access and insider threats.
- Data protection and loss prevention: Implement data encryption, backup, and recovery strategies to protect sensitive patient information and reduce the impact of data breaches and loss incidents.
- Asset management: Maintain an accurate inventory of IT assets and medical equipment to ensure visibility and control of your healthcare IT infrastructure, thereby reducing the risk of unauthorized access and equipment compromise.
- Network management: Implement robust network security measures such as firewalls, intrusion detection systems, and network segmentation to protect against external threats and internal network vulnerabilities.
- Vulnerability management: Conduct regular vulnerability assessments and patch management activities to identify and remediate security vulnerabilities in software applications, operating systems, and IT infrastructure components.
- Security operations center and incident response: Establish a dedicated security operations center (SOC) and incident response team to monitor, detect, and respond to cybersecurity incidents quickly, minimizing the impact of security breaches and ensuring timely remediation.
- Connected medical devices: Implement security controls and risk management protocols to protect network-connected medical equipment and Internet of Medical Things (IoMT) devices, thereby protecting patient safety and preventing potential cyber threats.
- Cybersecurity monitoring and governance: Establish a robust cybersecurity governance framework and regulatory compliance program to ensure accountability, transparency, and continuous improvement in cybersecurity practices and risk management strategies.
In conclusion, post-acute care facilities face unique challenges when implementing cybersecurity measures. Unlike acute care settings, they may lack the financial resources to absorb high fines or defend against lawsuits resulting from data breaches. Additionally, end users in such environments may have less exposure to advanced technology and are more susceptible to phishing scams and other social engineering attacks.
Adhering to the HICP framework is therefore essential for post-acute care providers to protect patient data and ensure cybersecurity resilience. Adopting best practices and leveraging advanced security technologies can effectively mitigate cyber risks and maintain your commitment to patient safety and quality of care. Prioritizing cybersecurity in these environments is essential to delivering uninterrupted care and maintaining patient trust. Partnering with cybersecurity experts can further strengthen your defenses, ensure ongoing compliance with regulatory requirements, and ultimately protect patient safety and privacy.
To get started on your cybersecurity journey:
- Assess your organization's alignment with HICP's top 10 practices.
- Start a discussion with a trusted advisor to identify and address potential security gaps.
Key statistics regarding cyber threats in long-term care facilities in 2023 include:
These statistics highlight the increasingly serious threat landscape and the importance of implementing strong cybersecurity measures to protect sensitive patient information and healthcare infrastructure in post-acute care facilities.
Phil Wong is the Cybersecurity Practice Director at Redapt, Inc. Kristen Berglas is the Client Director at Redapt, Inc. They can be contacted via email at kberglas@redapt.com, phone at (425) 523-6080, or on LinkedIn.