Healthcare and Technology news
Challenges and methods for securing Picture Archiving and Communication Systems (PACS)

Medical data is a valuable commodity for identity theft. Despite HIPAA privacy rules being in effect for more than two decades, millions of health records, including images, have been stored on unsecured servers by healthcare provider offices across the United States.

A ProPublica investigation revealed that 187 servers in the U.S. holding medical records such as X-rays, MRIs, and CT scans are findable with a simple online search. One imaging system exposed patients’ echocardiograms to the open internet with only minimal security.

While securing Picture Archiving and Communication Systems (PACS) can be challenging, in part because multiple providers need to access the same data, the images stored in PACS are Protected Health Information (PHI) and must be kept private in accordance with HIPAA rules.

To address this issue, in September 2019 the National Institute of Standards and Technology (NIST) released new draft guidelines to secure PACS: Special Publication 1800-24C, Securing Picture Archiving and Communication Systems (PACS).

The Challenges of Securing PACS

Over the past decade, healthcare images have shifted from hard copy to mostly digital. These digital images are easier to share, speeding up the diagnosis time.

Of course, the fact that healthcare images can now be uploaded, shared on personal mobile devices such as smartphones and tablets, and stored digitally also makes them a target for cybercriminals.

PACS also interact with multiple other systems: electronic health records, regulatory registries, hospital information systems, and even government, academic, and commercial archives. This creates plenty of potential security gaps where cybercriminals can lurk and steal this data.

Here are the most common challenges in securing PACS:

  • Monitoring and controlling internal user accounts and identifying outliers in behavior (e.g., large number of downloads in a small period of time)
  • Controlling and monitoring access by external users
  • Enforcing least privilege and separation-of-duties policies for internal and external users
  • Ensuring data integrity of the images
  • Securing and monitoring connections to the system
  • Securing and monitoring connections to and from systems outside of the in-house system
  • Providing security, data protection, and access management without affecting productivity and system performance
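An added example (not from the article or the NIST guide) of the first challenge above, spotting behavioral outliers: it scans a constructed PACS audit log and flags any account whose image retrievals inside a sliding five-minute window reach a threshold. The log format, account names, window and threshold are assumptions.

```python
"""Flag PACS accounts whose image-retrieval rate is an outlier.

Added example, not from the article or NIST SP 1800-24: implements the
"large number of downloads in a small period of time" check over a
constructed PACS audit log. The log format, account names, window size
and threshold are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Audit line format (assumed): "<ISO timestamp> <user> <action> <study-uid>"


def build_sample_audit():
    """Construct sample audit lines: two normal users and one burst."""
    base = datetime(2024, 3, 1, 8, 0, 0)
    lines = []
    # Radiologist reading one study roughly every six minutes all morning.
    for i in range(30):
        ts = base + timedelta(minutes=6 * i)
        lines.append(f"{ts.isoformat()} rad_smith RETRIEVE 1.2.840.1{i:03d}")
    # Technologist viewing a few studies (VIEW is not a download).
    for i in range(5):
        ts = base + timedelta(minutes=15 * i)
        lines.append(f"{ts.isoformat()} tech_jones VIEW 1.2.840.2{i:03d}")
    # Service account pulling 60 studies in under two minutes.
    burst = base + timedelta(hours=1)
    for i in range(60):
        ts = burst + timedelta(seconds=2 * i)
        lines.append(f"{ts.isoformat()} svc_export RETRIEVE 1.2.840.3{i:03d}")
    return lines


def parse_audit_line(line):
    ts, user, action, study_uid = line.split()
    return datetime.fromisoformat(ts), user, action, study_uid


def find_retrieval_bursts(lines, window=timedelta(minutes=5), threshold=20):
    """Return {user: peak_count} for every user whose RETRIEVE events inside
    some sliding window of length `window` reach `threshold`.

    Lines are sorted by their fixed-width ISO timestamp prefix, so the
    per-user deque only ever holds events inside the current window.
    """
    recent = defaultdict(deque)
    peaks = {}
    for line in sorted(lines):
        ts, user, action, _ = parse_audit_line(line)
        if action != "RETRIEVE":
            continue
        events = recent[user]
        events.append(ts)
        while ts - events[0] > window:
            events.popleft()
        if len(events) >= threshold:
            peaks[user] = max(peaks.get(user, 0), len(events))
    return peaks


if __name__ == "__main__":
    for user, count in find_retrieval_bursts(build_sample_audit()).items():
        print(f"ALERT {user}: {count} retrievals within 5 minutes")
```

In a real deployment the threshold would be derived from each role's observed baseline rather than fixed, and VIEW events would be tracked separately with their own limits.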

As you can see, these are common cybersecurity challenges. The draft PACS security guidelines are adapted from the NIST Cybersecurity Framework. While the challenge of securing medical images is real, this is a framework that any HIPAA-covered entity can use to help secure their PACS.

A Security Architecture for PACS

Using commercially available products, NIST created a reference network architecture. It provides an example for healthcare providers to separate their networks into zones to decrease cross-network access and, thus, risk. 

The NIST SP 1800-24C guidelines are just that: guidelines. Information technology professionals need to adapt the architecture and framework guidance to their particular organization’s IT stack and security goals.

To mitigate risks, the NIST practice guide’s reference architecture includes technical and process controls to implement. They are:

  • A defense-in-depth solution, including network zoning that allows for more granular control of network traffic flows and limits communications capabilities to the minimum necessary to support business function
  • Access control mechanisms that include multi-factor authentication for care providers, certificate-based authentication for imaging devices and clinical systems, and mechanisms that limit vendor remote support to medical imaging components  
  • A holistic risk management approach that includes medical device asset management, augmenting enterprise security controls and leveraging behavioral analytic tools for near real-time threat and vulnerability management in conjunction with managed security solution providers

NIST Cybersecurity Guidance also recommends a thorough cybersecurity risk assessment to identify areas of weakness and to help determine how to optimize your network for cybersecurity.

Recommended capabilities for a secure PACS environment include:

  • Role-based access control
  • Authentication
  • Network access control
  • Endpoint protection
  • Network and communication protection
  • Micro-segmentation
  • Behavioral analytics
  • Tools that use cyber threat intelligence
  • Anti-malware
  • Data security
  • Segregation of duties
  • Restoration and recoverability
  • Cloud storage

The Importance of User Training

While not included in this particular NIST publication, it is always good to remember that user training is critical to the success of any cybersecurity initiative. Many Digital Imaging and Communications in Medicine (DICOM) images are shared via mobile devices. 

Password protections are also important, as is understanding HIPAA compliance involving social media and basic HIPAA security procedures.

PACS do enable better patient outcomes, but they are a potential target for cybercriminals. Following the guidance from NIST, healthcare organizations can help ensure the continued privacy of their patients’ protected health information. 


What are the Top Healthcare Industry Challenges in 2017?

Healthcare Industry challenges are always going to be evolving alongside the breakthroughs and innovations. In 2017, there are new healthcare industry challenges that go alongside the age-old difficulties.

For doctors, nurses and medical teams, here are 7 of the key healthcare industry challenges they face in the year ahead, 2017.

1) Retail Care offering increased access

Retail giants like CVS and Walgreens are pushing further into care delivery, continuing to put pressure on traditional providers to increase access to care.

According to Laura Jacobs, writing for Hospitals and Health Networks “The greatest challenge for most organizations will be finding the right pace for adapting to or embracing new [healthcare] payment models.”

Doctors will be required to step up their efforts to optimize the patient experience, beyond measuring patient satisfaction.

2) Behavioral healthcare

The healthcare industry is starting to recognize that Mental Health is important to the well-being of employees and consumers, according to a report from PWC.

The report notes that one out of five American adults experiences a mental illness every year. These conditions cost businesses more than $440 billion each year. Healthcare organizations and employers will look at behavioral care as ‘key to keeping costs down, productivity up and consumers healthy’ the report said.


3) Meaningful Use and Value Based Payments

Eligible providers and eligible hospitals are continuing to work on meaningful use of EHRs.

Value-based purchasing programs are solidly in place, and eligible physicians are starting to experience the penalty phase of CMS’s quality reporting and Meaningful Use initiatives. In fact, CMS revealed that more than 257,000 eligible professional providers who are not meaningful users of certified EHR technology would have their Medicare Fee Schedule cut by one percent.

Eligible physicians also need to comply with CMS’s new Value-Based Payment Modifier program, or face penalties. It’s part of Medicare’s efforts to improve healthcare, but the program adds yet more regulations physicians need to monitor.

All these changes and new reporting requirements can become overwhelming for already busy physicians, which is why the American Medical Association has repeatedly asked for relief.


4) Switching to ICD-10

The much anticipated and maligned change to ICD10 codes in 2015 led to a lot of discomfort for physicians. The increase in codes from 14,000 to 68,000 means a lot of diagnosis criteria must be re-learned.

There is a great deal of planning, re-training and new systems that go along with the upgrade in codes. For doctors, finding the time to do this proved to be a huge challenge, and still is.

5) Data Security

Patient privacy issues, including concerns about data breaches, continue to be a challenge for providers, payers, and consumers.

Providers and payers will need to be aware of the best practices for data security to avoid the type of Health Insurance Portability and Accountability Act (HIPAA) violations that can negatively impact an organization.


6) Managing Patient volume

While new payment models are aiming to reduce acute hospital utilization, the continued expansion of Medicaid and of the insured population through the public exchanges will seemingly keep demand up.

The rise of obesity and chronic disease and population aging are creating a demand for medical services like never before.

Emergency departments will continue to be overworked until efforts to decant volume through urgent care, better care management or redesigned primary care models begin to take effect.


7) Implementing Telemedicine

The idea of a doctor seeing you via a computer screen may no longer be new, but the adoption of the Telemedicine services by doctors with their own patients is still a struggle.

The Information Technology and Innovation Foundation shares a vision of how Telemedicine can reduce patient backlogs. “Imagine a world where patients in rural areas far from a nearby doctor can easily find a health care provider to consult with online from the comfort of their own homes; where doctors living in Pennsylvania can help reduce the backlog of patients waiting to see doctors in Mississippi; and where patients can connect to a doctor over the Internet for routine medical purposes with a few clicks of the mouse—like they do when ordering a book on Amazon.”

Finding a balance between in person visits and telemedicine will require doctors to adjust their approach to care. Learning to diagnose remotely also requires new skills and detailed reporting.

Of course, Healthcare Industry Challenges are nothing new. Technology and legislation will continue to change the landscape. Doctors and their medical teams must evolve their approach and focus to meet them.

Dr. Gayathri Duraipandiayan's curator insight, May 25, 1:59 AM
This article is still relevant today. We have made some headway with the telemedicine challenge. Right now during the COVID-19 pandemic, Telemedicine has seen an unprecedented demand, https://bit.ly/2TfXl7F

80 Percent Of Patients Worry For Health Data Security

Though 2015 will begin to show the U.S. health industry as a “true market,” a new report indicates consumers remain concerned about medical technology and the security of their health information and data.

A new report released today at the Forbes Healthcare Summit by PwC’s Health Research Institute shows U.S. patients concerned about the digital age, according to a survey of 1,000 U.S. consumers who were interviewed. The report comes as millions more Americans are gaining health coverage under the Affordable Care Act and the $2.8 trillion U.S. health care sector undergoes major transformation.

Nearly 70 percent of those who responded say they are concerned about health data on their smartphones, and 78 percent are concerned about medical data security in general, PwC’s report shows.

Despite these concerns, PwC’s report indicates consumers are ready to take more charge of their health care through so-called “do-it-yourself” healthcare, working with doctors and other providers who assist them with care in the home and other remote patient monitoring.

“Established healthcare companies and new entrants are rapidly developing cost-efficient products and services tailored directly to consumers,” said Kelly Barnes, PwC partner and US health industries leader.

Consumers are ready for medical care providers other than physicians to deliver their care, which is good news for companies like Walgreen (WAG), CVS Health (CVS), Wal-Mart (WMT) and others. PwC said 75 percent of their survey respondents were open to “extenders” like pharmacists and nurse practitioners delivering their care.

What to Include in Your Incident Response Plan

Cybersecurity data breaches have almost become a way of life. We hear about businesses impacted by security incidents and data breaches every day.

As the adage goes, it’s not “IF”, but rather “WHEN” a security incident will take place at your business.

It is therefore a best practice for every business to create an incident response plan. An incident response plan delivers two cybersecurity benefits to your business:

  1. Systematic response to incidents, which helps to minimize information loss or theft and service disruption.
  2. Use of the information gained from an incident to help prevent future threats by strengthening system protections and to be better prepared for handling future incidents.

A breach of your information is always stressful. Don’t compound that stress by not having a plan to address a successful cyberattack.

Before creating an incident response plan, you must create an incident response policy.

Create an Incident Response Policy

The National Institute of Standards and Technology (NIST) recommends in its Computer Security Incident Handling Guide that an organization should create a policy before building an incident response program.

This policy:

  • Defines which events will be considered incidents
  • Establishes the structure for incident response
  • Defines roles and responsibilities
  • Lists the requirements for reporting incidents

Develop your policy to include all applicable regulations and laws under which your business operates. Compliance requirements such as those associated with HIPAA and HITECH, Gramm-Leach-Bliley Act, and Sarbanes-Oxley (SOX) will drive your policy requirements. 

The 4 Phases of the NIST Incident Response Lifecycle

Once the policy has been created, NIST outlines four broad phases of the incident response lifecycle that an incident response plan should cover:

  1. Preparation
  2. Detection and Analysis
  3. Containment, Eradication, and Recovery
  4. Post-Event Activity

Each of the four phases includes a number of actions. Here’s an outline of what you can include in your organization’s incident response plan.

Preparation and Prevention

“Prevention” in the context of incident response is essentially your information security strategy and the software tools used to implement your strategy. It is your layered defense against cybercriminals -- firewalls, encryption, antivirus software, data backup, user training, etc. 

Part of being prepared is having a complete list of your information security tools (including any portions of your IT infrastructure managed by a third-party managed service provider).

Effective response is based on communication. Smartphones are an excellent way to communicate with and coordinate team members while responding to an incident.

It may be a good idea to have some of the information below as hard copy or on devices not connected to an organization’s network (it will be difficult to coordinate a response if, for example, you are victimized by a ransomware attack and cannot access your plan):

  • Contact information for primary and backup contacts within your organization plus relevant law enforcement and regulatory agencies that may need to be alerted
  • An incident reporting mechanism so users can report suspected incidents (phone numbers, email, online forms, or secure messaging systems)
  • Issue tracking system
  • Space to respond. Identify a permanent “war room” or temporary location where team members can centralize their response to the incident
  • Secure storage facility to keep evidence if needed

Detection and Analysis

Attacks can come from anywhere and take many forms - a denial of service attack, ransomware, email phishing, lost or stolen equipment (such as a laptop, smartphone, or authentication token), etc.

Once an incident is positively identified, follow defined processes to document the response (which can be helpful in showing a good faith effort to limit the impact of the breach on customer data should you end up in litigation or are investigated as the result of a breach).

Identify your affected networks, systems, and/or applications and determine the scope of the incident. From there, the response team can prioritize next steps from containment to further analysis of the incident. Recommendations for making analysis more effective include:

  • Profile networks and systems so changes are more readily detectable
  • Understand normal behavior so abnormal behavior is more easily spotted
  • Create a log retention policy
  • Perform event correlation
  • Keep all host clocks synchronized
  • Filter data to investigate the most suspicious data first
  • Run packet sniffers to collect additional data
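An added example, not part of the article or NIST SP 800-61, that ties together three of the recommendations above (understand normal behavior, correlate events, keep host clocks synchronized): it correlates constructed mail-gateway and web-proxy log lines for the same user and shows that the match is missed unless the proxy's known clock error is corrected first. Host names, log formats and the seven-minute skew are assumptions.

```python
"""Correlate mail-gateway and proxy events after correcting clock skew.

Added example, not from the article or NIST SP 800-61: all log lines,
host names and the skew values below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Constructed mail-gateway lines:
#   "<ts> <host> MAIL user=<u> msgid=<id> verdict=<suspicious|clean>"
MAIL_LOG = [
    "2024-03-01T09:00:00 mailgw01 MAIL user=bob msgid=m1 verdict=suspicious",
    "2024-03-01T09:05:00 mailgw01 MAIL user=alice msgid=m2 verdict=clean",
]
# Constructed proxy lines: "<ts> <host> PROXY user=<u> dest=<domain>"
# proxy01's clock runs seven minutes slow, so bob's 09:02 request is logged at 08:55.
PROXY_LOG = [
    "2024-03-01T08:55:00 proxy01 PROXY user=bob dest=invoice-update.example",
    "2024-03-01T09:01:00 proxy01 PROXY user=alice dest=intranet.example",
]
# Per-host clock error measured against the NTP reference (logged time minus true time).
CLOCK_SKEW = {"mailgw01": timedelta(0), "proxy01": timedelta(minutes=-7)}


def parse(line, correct_skew=True):
    """Split a line into (timestamp, host, record kind, key=value fields).

    With correct_skew=True the timestamp is moved onto the reference clock."""
    ts, host, kind, *fields = line.split()
    kv = dict(field.split("=", 1) for field in fields)
    when = datetime.fromisoformat(ts)
    if correct_skew:
        when -= CLOCK_SKEW[host]
    return when, host, kind, kv


def correlate(mail_lines, proxy_lines, window=timedelta(minutes=10), correct_skew=True):
    """Return (user, msgid, dest) for each suspicious mail followed, within
    `window`, by a web request from the same user. With correct_skew=False
    the raw timestamps are compared and the skewed proxy event is missed."""
    hits = []
    proxy_events = [parse(line, correct_skew) for line in proxy_lines]
    for mail_line in mail_lines:
        delivered, _, _, mail = parse(mail_line, correct_skew)
        if mail["verdict"] != "suspicious":
            continue
        for requested, _, _, req in proxy_events:
            if req["user"] == mail["user"] and timedelta(0) <= requested - delivered <= window:
                hits.append((mail["user"], mail["msgid"], req["dest"]))
    return hits


if __name__ == "__main__":
    print("raw clocks:     ", correlate(MAIL_LOG, PROXY_LOG, correct_skew=False))
    print("skew corrected: ", correlate(MAIL_LOG, PROXY_LOG))
```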

These techniques should be used in conjunction with one another. Relying on a single method will be ineffective.

Document incidents as they are found. A logbook is one way to do so, as are laptops, audio recordings, or a digital camera.

Those affected by the incident need to be notified as well. For an incident that affects customers, a message on your website, email notification, or other communication will be needed.

Often, breach notification procedures are driven by laws applicable to your industry, your state or your country, or a combination of these.

Containment, Eradication, and Recovery

Develop containment strategies for different incident types, since containment for malware entering your network through email will differ from containment for a network-based denial-of-service attack.

Document your strategies for incident containment so you can decide the appropriate strategy for the incident (e.g., shut down a system, disconnect it from the network, disable certain functions).

Once an incident is contained and all affected elements of the IT infrastructure have been identified, the eradication and recovery process begins.

For larger systems, eradication and recovery could take months as work moves from high-priority to lower-priority systems. Systems may be restorable from backup or may need to be rebuilt from scratch. As eradication and recovery proceed, steps can also be taken to tighten security measures.

Post-Event Activity

Information security is an ongoing, iterative process. A key part of any incident response should be to learn from it:

  • Were the procedures followed? Were they effective?
  • Did we do anything that slowed the recovery process?
  • What could we have done differently?
  • Are there steps we can take to prevent a similar attack?
  • Were there indicators of the attack that we can use to prevent/detect a similar incident?
  • Do we need more resources to detect, analyze, and mitigate future events?

Apply what you learn to improve your cybersecurity defenses and response to the next incident.

Testing, Testing

Test your plan once per year. Either working with an independent third party or internally, create a scenario and walk your team through it.

This not only allows team members to understand their roles, but will also help you identify gaps or weaknesses in your plan.

Top cybersecurity predictions of 2015 - ZDNet

As noted by Websense, healthcare data is valuable. Not only are companies such as Google, Samsung and Apple tapping into the industry, but the sector itself is becoming more reliant on electronic records and data analysis. As such, data stealing campaigns targeting hospitals and health institutions are likely to increase in the coming year.

Via Paulo Félix
Vicente Pastor's curator insight, December 6, 2014 10:26 AM

I am a bit skeptical about predictions in general. Anyway, it is always a good exercise to think about the coming trends, although we do not need to wait for the "artificial" change of year since threats are continuously evolving.