AHIMA Releases 17-Point Healthcare Cybersecurity Plan

Ryan Black

The American Health Information Management Association's tips range from basics like encryption to concepts like a cybersecurity "State of the Union."

The American Health Information Management Association (AHIMA), a premier consortium of health information management professionals and organizations, released a comprehensive list of recommendations for hospital cybersecurity last week.

The 17-point plan contains a combination of common-sense, self-explanatory concepts alongside some more organizational, labor-intensive actions. The simple suggestions include web filtering, system patching, encryption, mobile device management, and the use of advanced protections that go beyond basic antivirus tools.

One of the major concepts that applies to the whole healthcare organization is a full evaluation of its approach to record retention. “In the era of big data the idea of keeping ‘everything forever’ must end,” the report states. In compliance with laws, old and unnecessary emails and records should be thoroughly destroyed, since it is “not feasible, practical, or economical” to secure legacy systems and information forever.

Another key suggestion for healthcare leaders is the preparation of a “State of the Union” on an organization’s cybersecurity. Such a report should contain considerations of how a hospital’s security efforts stack up against comparable institutions; who is in charge of what aspects of cybersecurity; what efforts are ongoing to reduce the risk of attacks; and how and when the board will be notified in case a breach occurs.

A few of the tips that AHIMA provided emphasize that every connected device within a medical institution should be looked at as a potential entry point for bad actors. “Even if protected health information (PHI) is not stored, processed, or transmitted, any application and system could be compromised and later used to launch an attack against other systems on the same network must be addressed in the risk analysis and assessment,” the report states. An inventory of every information asset should be created and maintained in order to perform a comprehensive risk assessment.

It’s important for hospitals to look at potential human risks both inside and outside of the system. Internally, every employee must be educated about phishing risks, and AHIMA recommends conducting a fake phishing campaign to see who takes the bait. Business associates—especially smaller ones, which may present an elevated risk—should be evaluated for their cybersecurity acumen, and such probes should take place before any new partnerships are formed. An outside security firm, the report suggests, can be brought in to perform a full assessment.

The report underscores the main imperative outlined by the Department of Health and Human Services’ Health Care Industry Cybersecurity Task Force report that was released in the summer of 2017: “Information governance includes not just IT and security stakeholders, but also information stakeholders, clinical, and nonclinical leaders.” The task of securing a health system is not a small one, but failure to do so can produce catastrophic results.

The full guidelines provided by AHIMA are as follows:

  • Conduct a risk analysis of all applications and systems
  • Recognize record retention as a cybersecurity issue
  • Patch vulnerable systems
  • Deploy advanced security endpoint solutions that provide more effective protections than standard antivirus tools
  • Encrypt workstations, smartphones, tablets, laptops, backups, and portable media
  • Improve identity and access management
  • Refine web filtering (blocking bad traffic)
  • Implement Mobile Device Management (MDM)
  • Develop incident response capability
  • Monitor audit logs to selected systems
  • Leverage existing security tools like Intrusion Prevention System/Intrusion Detection System (IPS/IDS) to detect unauthorized activities
  • Evaluate business associates
  • Improve tools and conduct an internal phishing campaign
  • Hire an outside security firm to conduct technical and non-technical evaluations
  • Prepare a ‘State of the Union’ type presentation for an organization’s leaders on cybersecurity
  • Apply a ‘Defense in Depth’ strategy
  • Detect and prevent intrusion