In the United States, the Department of Defence (DoD) is encouraging military medical treatment sites to protect ‘controlled unclassified data’, e.g. Patient Health Information & personally identifiable information.
The Federal Govt. has further reminded those who work in military medical treatment facilities (MTFs) how imperative it is to ensure Patient Health Information (PHI) is fully protected in these highly challenging times.
So, the Inspector General of the US Department of Defence last week sent out reminders, combining 4 reports issued by its own office & the US Government Accountability Office, to provide best-practice guidance designed to protect the sensitive & personal data these facilities collect from both ‘unauthorised access’ & ‘inadvertent disclosure.’
MTFs should ensure that they have measures in place to ‘reduce the risk of unauthorised access to patient information, external threats that could exploit known system & network weaknesses, & internal threats to intentionally or unintentionally compromise networks & systems that contain patient information.’
Carol Gorman, the department’s Assistant Inspector General for Audit, Cybersecurity Operations, notes in the guidance that certain so-called ‘systemic’ weaknesses in systems can leave networks open to attack.
To combat the problems that can compromise PHI, the DoD is recommending organisations implement the following ‘best practices’ immediately, if they haven’t already:
- Use multifactor authentication
- Use strong passwords – When multifactor authentication is not available, MTFs should require strong passwords, a minimum of 15 characters, including one upper case, one lower case, one number, and one special character.
- Identify and mitigate network vulnerabilities – CIOs should take steps to mitigate known vulnerabilities
- Encrypt patient health information – Encrypting data on a system reduces the risk that PHI is compromised if other security controls are breached.
- Limit access to patient health information – Access should be granted on a need-to-know basis
- Configure systems to lock automatically – Specifically, systems containing PHI should lock automatically after 15 minutes of inactivity.
- Review user activity – System admins should monitor & review activity for successful and failed logins and for exfiltration attempts
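As an added illustration of two of the listed controls (it is not code from the DoD reports or this article), the snippet below checks a password against the stated rule and reviews a constructed login log for a burst of failed logins followed by a success. The log format, the 5-failures-in-10-minutes threshold and the assumption that the log is in chronological order are all mine, not the guidance’s.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta


def meets_dod_password_policy(password: str) -> bool:
    """Password rule as summarised in the guidance: at least 15 characters with
    one upper case, one lower case, one number and one special character."""
    return (len(password) >= 15
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]", password) is not None
            and re.search(r"[^A-Za-z0-9]", password) is not None)


# Constructed sample login log (format is an assumption, not any DoD format):
# "<ISO timestamp> <user> <SUCCESS|FAIL> <source address>", oldest line first.
SAMPLE_AUTH_LOG = """\
2020-05-01T08:00:01 jdoe SUCCESS 10.0.0.5
2020-05-01T08:05:10 rsmith FAIL 10.0.0.9
2020-05-01T08:05:14 rsmith FAIL 10.0.0.9
2020-05-01T08:05:19 rsmith FAIL 10.0.0.9
2020-05-01T08:05:23 rsmith FAIL 10.0.0.9
2020-05-01T08:05:27 rsmith FAIL 10.0.0.9
2020-05-01T08:05:40 rsmith SUCCESS 10.0.0.9
2020-05-01T09:30:00 mlee FAIL 10.0.0.7
2020-05-01T11:45:00 mlee SUCCESS 10.0.0.7
"""


def review_login_activity(log_text: str, threshold: int = 5, window_minutes: int = 10) -> dict:
    """Flag each user with `threshold` or more failed logins inside `window_minutes`
    and record whether a successful login followed that burst, which is the
    password-guessing pattern an admin reviewing PHI system logins wants to see."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        ts, user, outcome, _src = line.split()
        events[user].append((datetime.fromisoformat(ts), outcome))
    window = timedelta(minutes=window_minutes)
    findings = {}
    for user, evs in events.items():
        fails = [t for t, o in evs if o == "FAIL"]
        for i in range(len(fails) - threshold + 1):
            if fails[i + threshold - 1] - fails[i] <= window:
                burst_end = fails[i + threshold - 1]
                success_after = any(o == "SUCCESS" and t > burst_end for t, o in evs)
                findings[user] = {"failed_in_window": threshold, "success_after_burst": success_after}
                break
    return findings
```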
While PHI usually refers to Protected Health Information – under US law, it’s ‘any information about health status, provision of healthcare, or payment for healthcare’ – for this white paper, the DoD said it considers Patient Health Information ‘any information created or obtained by a health plan or health care provider, who transmits any health information for an individual related to the past, present, or future physical or mental health or condition.’
The DoD references statistics from the US Department of Health & Human Services covering the last 2 years, observing that there have been 570 healthcare breaches affecting a total of 46 million patients.
Medical providers in the US have been hit hard in the wake of the COVID-19 pandemic.
Last week, 3 weeks after it issued a public advisory that cyber actors were targeting first responders & medical facilities to steal sensitive information, the FBI released ‘indicators of compromise’ & ‘hashes’ to help facilities better identify COVID-19 phishing attacks.
Alongside the pandemic has come intense scrutiny of data protection, particularly given the surveillance technology being used by the government to track the spread of the Coronavirus. The DoD, like every other US Federal body, is exercising ‘due diligence’ to ensure its sites closely follow first-class security techniques, in order to guarantee the confidentiality, integrity, and availability of their PHI.
This guidance can serve as a template for any professional seeking to maintain excellent cyber-security.