7 Effective Cybersecurity Tips for Rural Hospitals

Rural hospitals play a pivotal role as they serve around 57 million Americans, and they are often the only source of care for many miles.  It is crucial for these hospitals to maintain essential operations and protect patient data with effective cybersecurity measures.

In 2023, there was a 130 percent increase in ransomware attacks against the healthcare sector as this sector reported a higher number of ransomware attacks than other critical infrastructure sectors.  Rural hospitals are especially vulnerable to cyberattacks because they typically do not have the means or expertise to implement and maintain effective cybersecurity measures.  When an attack does occur, they are likely ill equipped to respond, which maximizes the damage it causes.

Within the healthcare sector, rural hospitals are the biggest target for cyberattacks.  It is critical for rural hospitals to take all actions necessary to protect their IT infrastructure from cyberattacks that could be devastating to their operations or result in a breach of patient data.  In this guide, we will discuss important cybersecurity tips that can help rural hospitals and other healthcare facilities better protect their IT infrastructure.

1.   Establish a Culture of Security

The first step is to establish a culture of security by educating and training staff as well as implementing and enforcing security policies.  Protecting your facility from cyber threats starts with your staff having a level of awareness and understanding of the threats and vulnerabilities that could affect your daily operations.  Understanding the vulnerabilities as well as the high risk faced by rural hospitals can help shed the “it will never happen to us” mindset and have your staff consistently focused cybersecurity.

Healthcare facilities must put policies in place to ensure that necessary steps are taken.  Come up with a list of basic security practices and habits that the entire staff should adopt and use checklists to ensure that these tasks are done.  Every member of the hospital staff should understand the policies and procedures in place and accept the responsibility to do their part.

Implementing the following practices can help establish a culture of security:

• Ongoing education and training for hospital staff
• Those in positions of leadership must set an example by following policies and procedures
• Core values should include responsibility and accountability for following cybersecurity measures for the entire staff

2.   Practice Good Computer Habits and Protect Mobile Devices

Every device that is connected to the network, including desktop and laptop computers, smartphones, portable storage media, and others are vulnerable to the effects of cyberattacks that target the network.  It is important for each device to be protected as well as the data it receives and transmits wirelessly. 

The following are security threats specific to mobile devices:

• Mobile devices can easily be lost or stolen.
• Mobile devices are vulnerable to electromagnetic interference from medical devices that could corrupt stored data.
• When used in public places, others may be able to see sensitive information that is displayed on the screen.
• Mobile devices do not have strong authentication and access controls. All mobile devices, including laptops and smartphones, must have password protection enabled.
• Wireless communication between the mobile devices and the network can be intercepted or eavesdropped. Wireless transmissions must be protected with encryption.

An important step is to make sure that all electronic health information on laptops and other mobile devices is encrypted.  Hospitals should also form policies about when mobile devices can or cannot be removed from the facility.  For employees who work from home, they have the same responsibility to protect patient information and follow good security practices as they do at the facility.

Good Computer Habits

In addition to protecting mobile devices, hospital staff should use good computer practices, whether working on a desktop or laptop.  Staff should be discouraged from downloading anything unnecessary and make sure they keep their software and operating systems (OS) up to date.  Maintaining good computer habits can better protect devices and electronic health records (EHRs) from cyberattacks.

Configuration Management

It is important for the software and OS to be configured to help keep the devices and system secure.  Follow these basic rules when configuring software:

• Uninstall any software that is not necessary to do essential operations.
• When installing software, do not accept default settings. Go through each option before making a decision and consult a tech professional if necessary.
• If the EHR vendor has a back door in the software to provide updates and support, secure the connection and request that it be disabled when not in use.
• Disable remote file sharing and remote printing to avoid accidentally sharing or printing files in the wrong locations.

Software Maintenance

Software used on network computers and devices must be updated regularly.  Updates from software vendors are important because they bolster security, add new features, and fix vulnerabilities.  Many of these updates from the vendor can be set to occur automatically, but it is a good idea to have someone monitor critical and urgent updates to ensure they are installed correctly.

Operating System (OS)

The operating system on each computer and device also must be updated to have the latest settings, capabilities, and information.  Check the following when updating the OS:

• Find and disable user accounts for former employees to take away their access.
• Before disposing of any devices or equipment such as laptops, external storage devices, or printers that contain stored data, make sure the device is thoroughly sanitized. Simply deleting files is not enough as deleted files can be recovered.
• Archive old data files for storage or wipe them clean from the system if they are no longer needed.
• Fully uninstall software that is not needed.
• Install apps that can report or stop the download of unapproved software on network devices.

3.   Use Firewall Protection

If your EHR system is connected to the internet, then you should protect it with a firewall.  Firewall protects against intrusions and threats from outside sources and helps prevent malicious software from entering the system. 

You can install a software firewall or use a hardware firewall that requires a device.  Hardware firewalls should be used by healthcare facilities with a Local Area Network (LAN) and installed by tech professionals.  Software firewalls can be installed more easily as many have pre-configured settings.  Many operating systems have firewall protection built in that can be activated, and there are separate software firewall options that are compatible with the most popular OSs.  Both types of software come with configuration guidance and technical support.

4.   Implement Endpoint Protection

The main way computers are attacked is with viruses that find and exploit vulnerabilities.  Any computer or software can have vulnerabilities as even the latest updates may not protect against some vulnerabilities that have not yet been detected.  Computers can also get viruses from outside sources like emails, downloads, and flash drives.  The best way to protect network computers from viruses is by implementing and maintaining endpoint protection.

5.   Control Access to Protected Health Information with Permissions and Passwords

Healthcare networks contain sensitive EHRs that must be protected.  One of the easiest ways to ensure protection of sensitive data is with strong passwords.  Using strong passwords to log into any part of the system, including devices, accounts, and software with sensitive information slows down attackers and unauthorized users.

Attackers tend to use automated methods to guess passwords, making it important to choose passwords that cannot be easily guessed.  The following are tips to create strong passwords:

• Avoid using common words, even if spelled slightly differently.
• Avoid using personal information that someone can learn such as your name or the names of people and pets.
• Make sure passwords are at least 8 characters, longer passwords are more secure.
• Include a combination of upper-case letters, lower case letters, numbers, and special characters.
• Configure systems to make users change passwords regularly.
• Activate multi-factor authentication whenever possible so users need to take an additional action after entering their password before gaining access.

Another way to control access to EHRs is to set up permissions in which certain users are assigned different levels of access and capabilities within the software.  Permissions must be set up manually by someone who has authorized access to the system. 

Permissions can be configured to allow staff in certain positions, such as doctors and nurses, to have varying levels of access to patient information.  This helps ensure that EHRs are only accessed by staff members on a “need to know” basis.

6.   Limit Access to the Network

Wireless networks make it very easy for employees anywhere within a healthcare facility or at home to access tools and information within the network.  However, this makes it important to limit access to the network both digitally and physically to protect sensitive health care information.

You can limit access to the network digitally with the following steps:

• Wireless routers can be picked up by any device within a certain distance, including in the parking lot and nearby homes. All wireless routers used by hospitals and healthcare facilities must be encrypted to protect EHRs that are required to be protected by law.
• Do not allow any devices from visitors or patients to access the network. It is impossible to vet every device that comes in for security, so it is best to not allow casual access.
• File sharing, instant messaging, and other peer-to-peer applications should be secured and only installed with explicit review and permission.

Limiting physical access to your network is also important as one of the most common ways that health care information is compromised is by devices being lost or stolen.  Laptops, handheld devices, and storage devices like flash drives and external hard drives can easily be stolen and even if these devices are protected with passwords and access control, someone can still find a way to access the information. 

Hospitals can limit physical access by keeping certain areas with devices locked and only allowing access to those who need it with physical keys.  There should also be policies in place prohibiting the removal of devices from secure areas.

7.   Plan for Potential Disasters

There is always a chance that a disaster can occur that can compromise your network and sensitive data, including cyberattacks and natural disasters like floods, fires, and storms.  Every hospital and healthcare facility must create backups of important data and have a recovery plan in place should a disaster occur.

Every hospital and healthcare facility that stores EHR data must regularly back up important data with reliable backup media.  The backup solution must accurately save all data and allow it to be restored quickly in an emergency.  Devices used to store backup data, such as discs and removeable hard drives, must be stored safely in a location where they will not be affected by the same disaster that compromises the main system.  Backup storage devices may need to be stored securely at an off-site location.  You can also consider cloud computing to store data but the cloud you use must be secure enough to protect EHRs.

Having a recovery plan in place can help hospitals and healthcare facilities quickly access backups for data and restore functionality to the system.  The plan should include steps to recover the system and information such as where and when data was backed up, how the backups can be found, and the equipment needed to restore the system.  Creating an effective disaster recovery plan can drastically limit downtime after a disaster and help prevent the loss of crucial data.  You can also work with an IT professional to create an effective disaster recovery plan.

Cybersecurity from PSM

Rural hospitals play a very important role in their communities as they are often the only healthcare provider in their area.  They are also the biggest targets for cyberattacks within the already heavily targeted healthcare sector.  It is very important for rural hospitals and all healthcare providers to follow the tips outlined above to help bolster their security and reduce the risks of cyberattacks and breaches.  However, with the high risk of rural hospitals being attacked, it also helps to work with an IT professional that specializes in cybersecurity.

PSM provides IT services and support, including cybersecurity services for healthcare facilities including hospitals and doctor’s offices.  Our professionals can evaluate your IT infrastructure to identify vulnerabilities as well as implement and maintain cybersecurity measures to keep your system protected.  We are familiar with the security requirements of hospitals and healthcare facilities and will ensure that your facility is in compliance with HIPAA rules. 

You can call PSM Partners at (312) 940-7830 for more about our cybersecurity services.