All hospitals know that they need to have some form of security plan in place to protect patients and their information. The problem is that the changing requirements and increase in breaches means that this plan has to always be evolving. Hospitals likely have goals for what they would like to change in the future to make sure they are adapting to the ever-changing threat landscape.

I recently posted about Ten Best Practices to Mitigate Cybersecurity Threats that came from recommendations by the Health and Human Services publication, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients.” That document addresses five cyber threats, with ten best practices for small to large healthcare organizations.

On October 27, 2015, Congress passed the Cybersecurity Information Sharing Act (CISA). Section 405 of CISA is specific to healthcare and charges Health and Human Services (HHS) with the responsibility of leading healthcare cybersecurity efforts, with the goal of keeping patient personal data secure.

ECRI Institute recently announced their annual “Top 10 Health Technology Hazards for 2019.” If you keep abreast of Health Information Technology (HIT) news, you already know the number one risk: hackers can exploit remote access to systems, disrupting healthcare operations.

"The consequences of an attack can be widespread and severe, making this a priority concern for all healthcare organizations," said ECRI Health Devices Program Executive Director David Jamison. "In critical situations, this could cause harm or death."

The topic of security is on the minds of most healthcare IT professionals today. Securing remote access to your hospital's network is the deadbolt that helps protect your data. Most people don't leave their backdoor wide open, or expect that little doorknob lock to be secure, so why do most hospitals do the equivalent with their networks?

I was chatting with a group of hospital CIOs recently and we were discussing network security and what makes their networks vulnerable. I was surprised by the difficulty each was having with remote access by physician office staff. It was unanimously one of the greatest concerns. While we know they have some longstanding, awesome partnerships with physician offices, there are three main vulnerabilities that have surfaced with remote network access:

1) Unknown terminations
2) Inappropriate access discipline
3) Access after termination

It is said that a heart attack is 80% preventable by eating well, exercising regularly, and keeping stress to a minimum*. While there is no official statistic yet, I would say that a cyber-attack is 95% preventable by vetting partners well, exercising caution, and keeping access points to a minimum.