John DiMaggio

While no healthcare organization is immune to cyber-attacks, those that implement precautions can either significantly reduce their chances of attack, or at the very least, mitigate the damage in the event of an attack. Administrative defenses are a key component of cybersecurity because they cover the gap that technical defenses cannot protect.  

In fact, some common cyber-crime entry points are those that technical defenses simply can’t thwart, such as social engineering ploys and phishing expeditions.

This article will focus on administrative defenses skilled nursing facilities can employ to proactively defend against cyber-threat. Below are some of the most effective administrative safeguards:

  • Develop and implement organizational-wide security policies and procedures:
    -Conduct regular training for new hires, and continuing education training for existing personnel;
    -Manage and oversee employee compliance with policies and procedures;
    -Enforce compliance consistently, including disciplinary action for violations.
  • Review system activity and logs to identify unusual or suspect activity.
    -Conduct Regular Security Risk Analyses.
    -Routine security risk analyses will identify potential cybersecurity vulnerabilities as well as better position an organization for an audit.
    -The Security Risk Analyses should evaluate ePHI access, track security incidents, evaluate security measure effectiveness and assess new and emerging security threats.
  • Implement a risk management plan:
    -Outline a routine procedure the organization will use to identify and analyze potential security vulnerabilities;
    -Detail the security gaps identified in those routine investigations as well as in the organization’s periodic risk analyses;
    -Identify strategies to resolve those open security gaps;
    -Assign resources and projected completion dates to all open items.
  • Cultivate workforce security awareness:
    -Monitor and communicate industry security trends and vulnerabilities
    -Keep alert to current and emerging threats, and provide periodic security updates and reminders to your workforce;
    -Educate your employees on the mechanics of spam, phishing and malware;
    -Test workforce awareness by initiating your own internal phishing expeditions to attempt to solicit information from your employees;
    -Encourage employees to be vigilant, skeptical, and to adopt a “question everything” attitude.  Ensure organizational-wide clarity on the correct and timely reporting procedures of potential malicious social engineering or software threats.

Finally, limit access to ePHI. Make sure to create and implement policies and procedures that restrict ePHI access to a “need to know” basis. In other words, ensure access only be granted to persons or software programs that require the information to perform normal business operations. Additionally, enforce strong, high complexity passwords requirements. Make frequent password changes and prohibit password re-use or passwords containing personal data.

John DiMaggio is the CEO of Blue Orange Compliance.