Sidebar: Hospitals’ Anti-Ransomware Steps

    Rich Daly Jul 28, 2016

    The top five malware focus areas for NorthShore University HealthSystem in Evanston, Ill., are:

    • Advanced authentication
    • Detection and prevention
    • Device management/asset tracking
    • Risk assessment
    • Training and education

    Specific steps include getting employees to use two-factor authentication or adaptive authentication to log on to computers.

    Tracking systems are needed to ensure that computer equipment containing protected health information does not go missing. Regular audits and penetration testing are also key.

    Also vital to prevention is extensive training and education, including instilling awareness of phishing attempts and using fake phishing attempts to check employee responses.

    At Metro Health Hospital in Wyoming, Mich., outside computers that employees or visitors connect to the network are seen as one of the three top malware risks. Part of that risk is controlled through Wi-Fi network settings.

    Hospitals need live network ports, or jacks, in most rooms, and an attacker with physical access could plug into one and bypass the perimeter firewall entirely. Metro Health protects its computers internally by requiring strong passwords and keeping operating system patches current.

    To mitigate the risk from clinical equipment that runs old software, Metro Health obtains from each manufacturer a form specifying how far that device can be secured, and uses those forms to plan and apply updates. Alternatively, the system buys a support agreement from the vendor that supplies anti-virus and Windows updates for the device.

    Metro Health also ensures that adequate contracts and controls are in place to protect critical data that third parties may store on the cloud.

    Children’s Mercy Hospital sees regularly retraining employees on IT security steps as the most important anti-malware approach. This step ingrains security habits, such as clicking an encryption button for all outgoing sensitive employee information.

    Additionally, instead of relying on annual compliance reviews to check security, the hospital conducts reviews as often as quarterly.

    The multilayered security approach at Beth Israel Deaconess Medical Center includes filtering inbound email through multiple stages, which together block up to 99 percent of messages for various reasons.
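The multi-stage filtering described above, sketched as an added example that is not code from the article or from any of the hospitals interviewed: three ordered checks over parsed mail, each returning the reason it objects, plus a per-stage tally of what got blocked. The domain names, extension lists, the gateway-stamped Authentication-Results header and the sample messages are all constructed for the illustration.

```python
import os
import re
from email import message_from_string
from email.message import Message
from typing import Optional, Tuple
from urllib.parse import urlparse

# Hypothetical policy values for this example; the article gives no actual rules.
INTERNAL_DOMAIN = "hospital.example"
BLOCKED_EXTENSIONS = {".exe", ".js", ".vbs", ".scr", ".hta", ".jar", ".iso"}
MACRO_OFFICE_EXTENSIONS = {".docm", ".xlsm", ".pptm"}
ANCHOR_RE = re.compile(r'<a\s[^>]*href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)

def stage_sender_authentication(msg: Message) -> Optional[str]:
    # A From address in our own domain must carry an SPF or DKIM pass in the
    # gateway's Authentication-Results header (assumed; constructed in SAMPLES).
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    domain = m.group(1).lower() if m else ""
    auth = msg.get("Authentication-Results", "").lower()
    if domain == INTERNAL_DOMAIN and "spf=pass" not in auth and "dkim=pass" not in auth:
        return f"claims internal sender @{domain} but SPF/DKIM did not pass"
    return None

def stage_attachment_policy(msg: Message) -> Optional[str]:
    # Drop executables and macro-enabled Office documents outright.
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        ext = os.path.splitext(name)[1]
        if ext in BLOCKED_EXTENSIONS:
            return f"executable attachment {name}"
        if ext in MACRO_OFFICE_EXTENSIONS:
            return f"macro-enabled Office attachment {name}"
    return None

def stage_link_inspection(msg: Message) -> Optional[str]:
    # Flag HTML anchors whose visible text is a URL on a different host than the
    # real href, a common credential-phishing lure.
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        raw = part.get_payload(decode=True) or b""
        html = raw.decode(part.get_content_charset() or "utf-8", "replace")
        for href, inner in ANCHOR_RE.findall(html):
            shown = re.sub(r"<[^>]+>", "", inner).strip()
            if not re.match(r"https?://", shown, re.I):
                continue
            real_host = (urlparse(href).hostname or "").lower()
            shown_host = (urlparse(shown).hostname or "").lower()
            if real_host != shown_host:
                return f"link text shows {shown_host} but points to {real_host}"
    return None

STAGES = [
    ("sender-authentication", stage_sender_authentication),
    ("attachment-policy", stage_attachment_policy),
    ("link-inspection", stage_link_inspection),
]

def filter_message(raw: str) -> Optional[Tuple[str, str]]:
    # Stages run in order; the first that objects returns (stage, reason).
    # None means the message passed every layer and is delivered.
    msg = message_from_string(raw)
    for name, check in STAGES:
        reason = check(msg)
        if reason:
            return name, reason
    return None

def block_summary(raw_messages) -> dict:
    # Per-stage block counts, the breakdown a team reviews to see which layer works.
    counts = {name: 0 for name, _ in STAGES}
    counts["delivered"] = 0
    for raw in raw_messages:
        verdict = filter_message(raw)
        counts[verdict[0] if verdict else "delivered"] += 1
    return counts

# Constructed sample messages for this example, not real mail.
SAMPLES = {
    "spoofed": """From: IT Helpdesk <helpdesk@hospital.example>
Authentication-Results: mx.hospital.example; spf=fail; dkim=none
Content-Type: text/plain

Your password expires today; reply with it to keep access.
""",
    "macro_doc": """From: billing@vendor.example
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="invoice.docm"
Content-Disposition: attachment; filename="invoice.docm"

aGVsbG8=
--b1--
""",
    "lookalike": """From: news@partner.example
Content-Type: text/html

<p>Sign in: <a href="http://evil.example/login">https://portal.hospital.example/login</a></p>
""",
}
```

Each stage returns either a reason string or None, so adding a layer is a matter of appending to STAGES; the order puts the cheapest header checks before body parsing. Running `block_summary(SAMPLES.values())` shows one block per stage and nothing delivered, the kind of tally that backs a "99 percent blocked" figure. A production gateway would add sender reputation, attachment detonation and URL rewriting, which this sketch leaves out.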

    The hospital also has added staff to monitor the state of its network in real time.

    As at other hospitals, employee education and user awareness training are emphasized at Beth Israel Deaconess. The initiative, called Keep It Private, provides ongoing staff training on the evolving threat, including videos, annual training events, and more frequent educational modules.

    “We hope that all of those things add up to reducing our risk,” says Mike Yamamoto, chief information security officer.

    Rich Daly is a senior writer/editor for HFMA based in Washington, D.C.

    Interviewed for this article: Steven Smith, CIO, NorthShore University HealthSystem, Evanston, Ill.

    John Weller, chief information security officer, Metro Health Hospital, Wyoming, Mich.

    David Chou, CIO, Children’s Mercy Hospital, Kansas City, Mo.

    Mike Yamamoto, chief information security officer, Beth Israel Deaconess Medical Center, Boston.