Tech & Innovation in Healthcare

Cybersecurity Corner:

Configure RPM Devices and VPNs to Protect Your Practice’s Network Resources

Make sure to secure the device before it connects.

Your healthcare organization’s internal network may be secure and HIPAA compliant, but if you’re looking to add remote patient monitoring (RPM) services or allow your employees to work remotely, you could be putting your network at risk.

Step into the Cybersecurity Corner to learn some of the vulnerabilities remote connections can expose and how to protect your network from harm.

Protect Patient Data and Your Network

As helpful as RPM devices are to providers monitoring their patients’ conditions in real-time and making telehealth possible, the devices also pose a security risk to a healthcare organization’s network.

“RPM relies on devices that are broadly referred to as the internet of things (IoTs). Most of these devices are not designed with security in mind. As a result, they are susceptible to vulnerabilities and malware exploitation,” says Funso Richard, CISA, CISM, CDPSE, CCSFP, information security officer, Ensemble Health Partners, in Cincinnati, Ohio. "IoT" is a broad label for almost any device that connects, usually wirelessly, to a network and the internet: smart speakers, smartphones, smartwatches, medical sensors, and fitness trackers all qualify.

IoT devices are so commonplace that users may not realize the computer inside them can be compromised just as a laptop or server can. “RPM devices have chips that execute as a computer. The chips that are associated with RPMs have the same vulnerability as CPU, GPU, and TPU,” says Eddie Hearns, MA, CPMA, CPC, Approved Instructor, of OLDME CPC LLC.

As a result, RPM and telehealth devices carry several risks for healthcare organizations:

  1. Data breach: Missing or weak transport-layer encryption between the device and your healthcare organization’s systems lets anyone on the network path read, or alter, readings in transit.
  2. Misconfiguration: An improperly configured RPM device can serve as a foothold for an attack against any healthcare system it connects to.
  3. Tampered or malfunctioning devices: A device that is faulty or has been altered can send a wrong reading to the physician, and an incorrect reading can lead to a misdiagnosis. Patient safety, not only data confidentiality, is at stake.
  4. Malware: RPM and telehealth devices are prone to malware, and the agent-based antimalware tools used on laptops and servers usually cannot be installed on them, so an infection may go undetected and put patient safety at risk.
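The "data breach" item above is, in practice, a question of how the device's TLS client is configured. The following is an added example (not code from the article or from any device vendor) showing the weak client settings that leave readings exposed beside the hardened settings a device or gateway should use when uploading to the practice's collection server; the host name and port are assumptions for illustration.

```python
"""Added example (not from the article): hardened vs. weak TLS client
settings for an RPM device or gateway uploading readings to the practice's
collection server. The host name and port below are assumptions."""
import socket
import ssl
from typing import List, Optional

# Hypothetical collection endpoint; replace with your own.
COLLECTION_HOST = "rpm-ingest.example-practice.invalid"
COLLECTION_PORT = 8443


def weak_context() -> ssl.SSLContext:
    """The pattern found in a lot of device firmware: TLS is switched on,
    but the server certificate is never checked. Anyone on the path (home
    router, hotel Wi-Fi, ISP) can present their own certificate and read
    or rewrite the readings."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """Verify the server against a trusted CA (the system store, or a
    private CA bundle shipped with the device), require the host name to
    match, and refuse anything older than TLS 1.2."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings an auditor would raise against a client context.
    An empty list means the transport settings are acceptable."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("server host name is not checked")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 are accepted")
    return findings


def upload_reading(payload: bytes, ctx: ssl.SSLContext,
                   host: str = COLLECTION_HOST,
                   port: int = COLLECTION_PORT) -> bytes:
    """Send one reading over a verified TLS connection and return the
    server's reply. Refuses to proceed if the context would fail the audit
    above, so a misconfigured firmware build cannot silently leak data."""
    problems = audit_context(ctx)
    if problems:
        raise ValueError("refusing to send over weak TLS: " + "; ".join(problems))
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(payload)
            return tls.recv(4096)
```

When reviewing a device, ask the vendor which of these two shapes its client resembles: if the firmware cannot validate a certificate chain and host name, readings should be routed through a gateway on the practice side that can, rather than sent directly over the open internet.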

If your organization is looking to employ RPM devices, security should be the first consideration, not an afterthought. “The equipment that’s used for telehealth must be compliant and state of the art. The same problems with technology and data security are escalated because now you are introducing the IoTs into the environment,” Hearns says.

Fortify Endpoints to Secure Your VPN

If you’re considering allowing your employees to work remotely from their home offices, then they’ll need to be able to access important information to cross items off their to-do list.

“As more users work remotely and need to connect to the internal network and systems, virtual private networks (VPNs) make this possible by providing secure connectivity,” Richard says. VPNs are incredibly important to establishing a secure external connection from an employee’s device to a healthcare organization’s internal network and data.

However, like many technologies, VPNs have their own vulnerabilities, which include:

  1. VPN misconfiguration: A misconfigured VPN can allow an unauthorized connection to an organization’s internal resources, which can lead to a data breach or ransomware infection.
  2. Missing patches: A VPN gateway sits on the internet-facing edge of the network, so an unpatched one is a direct target for threat actors exploiting known vulnerabilities. Apply vendor software and security patches promptly when they are released.
  3. Endpoint connections: A VPN protects the traffic in the tunnel, but it does nothing about the state of the device at the far end. In other words, the VPN’s protection ends at the user’s laptop, tablet, or other device, and an infected home laptop joins the internal network as a trusted host. Healthcare organizations should enforce security controls (patching, antimalware, disk encryption, screen lock) on any endpoint that will connect to the internal network through the VPN.

Create Complex Passwords to Safeguard Your Resources

Passwords are an essential piece of the puzzle in keeping protected health information (PHI) and user accounts safe from unauthorized access and disclosure. However, too many users are unaware of, or negligent of, proper password policies. In fact, “80 percent of data breaches in 2021 occurred because of weak or reused passwords,” Richard says. “The stronger a password is, the better protection it affords,” he adds. A user’s password should be long and complex so that it resists both online guessing and offline cracking of a stolen password database.

Tips for creating a secure password include:

  • Do: Make your password a minimum of 12 characters with capitals, lowercase, numbers, and special characters.
  • Do not: Use eight characters or fewer, dictionary words, trending phrases, pet names, or other easily guessable terms. Swapping a few letters for symbols (“P@ssw0rd”) does not turn a guessable word into a strong password; cracking tools try those substitutions first.
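A policy is only as good as the check that enforces it at password-change time. The following is an added example (not code from the article) of a checker that applies the do/do-not rules above and also catches the symbol substitutions and keyboard sequences that slip past a naive length-and-character-class test; the deny-list is a constructed stand-in for a real breached-password corpus, and the sample passwords in the comments are constructed.

```python
"""Added example (not from the article): a password-policy check applying
the rules above. The deny-list is a constructed sample standing in for a
real breached/common-password corpus."""
import re
import string
from typing import Iterable, List

MIN_LENGTH = 12

# Constructed sample deny-list. A production check would load a large
# breached/common-password list rather than a dozen entries.
COMMON_TERMS = {
    "password", "welcome", "letmein", "qwerty", "admin", "healthcare",
    "patient", "summer", "winter", "football", "monkey", "dragon",
}

# Common letter-for-symbol substitutions, undone before deny-list matching
# so "P@ssw0rd" and "Summ3r" still match "password" and "summer".
_LEET = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                       "0": "o", "$": "s", "5": "s", "7": "t"})


def normalize(pw: str) -> str:
    """Lower-case the password and undo leetspeak substitutions."""
    return pw.lower().translate(_LEET)


def has_run(pw: str, length: int = 4) -> bool:
    """True if any `length` consecutive characters step up or down by one
    code point, e.g. 'abcd', '1234', 'dcba'."""
    codes = [ord(c) for c in pw]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def check_password(pw: str, user_terms: Iterable[str] = ()) -> List[str]:
    """Return the policy violations for `pw`; an empty list means it passes.
    `user_terms` carries per-user guessable words (name, pet, practice)."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "uppercase": any(c.isupper() for c in pw),
        "lowercase": any(c.islower() for c in pw),
        "digit": any(c.isdigit() for c in pw),
        "special": any(c in string.punctuation for c in pw),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        problems.append("missing " + ", ".join(missing))
    core = normalize(pw)
    terms = COMMON_TERMS | {t.lower() for t in user_terms}
    for term in sorted(terms):
        # Very short terms (e.g. "Rex") would match almost anything, so skip.
        if len(term) >= 4 and term in core:
            problems.append(f"contains guessable term '{term}'")
    if re.search(r"(.)\1\1", pw):
        problems.append("three or more repeated characters")
    if has_run(pw):
        problems.append("sequential characters (abcd, 1234)")
    return problems


if __name__ == "__main__":
    # Constructed samples: the first two fail for the reasons the tips list
    # names, the third passes.
    for sample in ("Summer2024!", "P@ssw0rd1234!", "Tr0ubadour-Kite!Marsh9"):
        print(sample, "->", check_password(sample) or "OK")
```

Wire a check like this into the help desk's reset tool and the identity provider's password-change hook, and feed it the user's own name, the practice name, and anything else listed on the clinic's public website, since those are the first guesses an attacker makes.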

Add more pieces to the puzzle: A strong password is an excellent step in protecting your healthcare organization’s data, but multifactor authentication (MFA) adds greater security. Used together with the user’s password, MFA adds extra layers of verification to the sign-in process before the user is granted access to internal resources. Depending on the MFA application, the user combines something they know (a password or personal identification number), something they have (a badge, hardware token, or smartphone app), and something they are (biometric verification such as a fingerprint).

For example, your IT team could configure the VPN to require MFA before establishing a connection with internal systems, so a stolen or reused password alone is not enough to get in. Note that MFA proves who the user is, not which device is connecting; to confirm that only managed endpoints reach the internal network, pair it with a device certificate or an endpoint health check on the VPN.

Get Everyone on the Same Page

Even if your IT team has secured RPM devices before they go home with patients, secured laptops and VPNs before your employees start their shifts at home, and established a solid password policy with MFA in place, your staff should remain vigilant to protect the healthcare organization’s internal network and data.

“The toolkit of the hackers is fairly sophisticated and constantly changing,” Hearns says. He adds that the ideal strategy for any organization is to establish a strong business continuity plan. In addition to regular backups, strong network security, and cybersecurity policies and procedures for staff to follow, a business continuity plan should include plenty of training to ensure everyone in the organization is aware of a hacker’s tricks.