As virtual care shows no signs of slowing down in 2023, ensuring that patient data is secure is more important now than ever. Just this year, the HHS Office for Civil Rights has already posted 420 breaches impacting 25 million individuals, making it clear that cyber threats are not going away any time soon.  

Cybersecurity is critical for the digital health segment because these companies typically collect and store highly sensitive patient information, including medical history, health status, provision of care, and biometric data. Protected Health Information (PHI) like this is incredibly valuable to cybercriminal and ransomware syndicates, who can use it for a range of malicious purposes, such as identity theft, financial fraud, or extortion. In addition, digital health cyber attacks can lead to serious consequences with respect to patient safety, such as a misdiagnosis or incorrect treatments, which could result in serious bodily injury or even death. 

In addition, digital health companies are often subject to strict regulatory requirements, notably public domain frameworks including HIPAA under U.S. federal law, and GDPR under EU law. Failing to comply with these regulations can result in serious legal and financial consequences, including fines, lawsuits, and reputational damage. 

Beyond patient privacy and company reputation, cybersecurity continues to play an increasingly important role in determining a company's Cyber and Errors & Omissions (E&O) insurance premiums. Companies operating in the healthcare industry are facing more rigorous underwriting processes compared to prior years, and insurance companies are requiring higher levels of baseline cybersecurity structures before offering insurance coverage for new and existing clients. 

To guide digital health companies as they build and integrate cybersecurity into their risk management programs, here is a list of best practices to consider. 

1. Build and Fortify Multi-Factor Authentication Controls: As cyber attacks on MFA become more sophisticated, strengthening MFA controls is critical. MFA should be used to secure all cloud provider services and for all remote access permissions, decrease authentication periods for users (i.e. require increased frequencies of re-authentication), consider segregating privileged users, and ensure you are using a trusted MFA provider. 

2. Encrypt Your Data: Data encryption is a fundamental cyber risk management practice, especially data subject to regulatory and compliance standards. To ensure the safety of sensitive data sets, you should use strong encryption algorithms to protect data, while in transit and at rest. When choosing encryption methods, consider the strength of the algorithm, the key length, and the security of the key management system. Data encryption practices and policies should be regularly reviewed, and third party encryption tools should be properly integrated with your existing security tech stack. 

3. Update Your Software: Software updates not only provide new features and improvements, but also patch vulnerabilities and prevent security breaches. Set up automatic updates to ensure your software is always current, and test updates in a staging environment before applying them to production systems. Ensure that all software is regularly updated, including operating systems, applications, and security software.

4. Backup Your Data: Regular backups are essential for protecting against data loss due to cyber attacks, but they can also help in case of natural disasters, or hardware failures. Choose a backup solution that meets your recovery point objectives (RPO) and recovery time objectives (RTO). Additionally, test your backups frequently–at least every 6 months–to make sure they are reliable and can be restored in case of an emergency.

5. Limit Access to Your Systems: Access control is a critical component of a strong cybersecurity posture. Implement a principle of least privilege, where users are granted only the minimum access necessary to perform their job functions. Using MFA adds an extra layer of security to your login process and helps you monitor access logs for suspicious activity.
   
   
6. Monitor Your System for Suspicious Activity: Use security information and event management (SIEM) tools to monitor your systems for unusual behavior or security events. This includes monitoring network traffic, endpoint activity, and user behavior. In addition to monitoring, you should implement incident response procedures to ensure you can quickly respond to security incidents and limit the impact of a breach.

7. Review Your Data Retention Policies: Data retention policies are necessary to ensure compliance with regulatory requirements and protect sensitive data. Review your policies regularly to ensure they align with current regulations and best practices. This includes determining what data should be retained, for how long, and how it should be securely disposed of when no longer needed. By retaining data only for as long as it is necessary, you can minimize the risks associated with data breaches, maintain compliance with data protection laws, protect individuals' privacy, and lower costs of data storage. 

8. Maintain a Transfer Authorization Process:  To protect against fraudulent wire transfers, implement a transfer authorization process that requires approval from multiple parties before funds can be transferred. This can include verifying the authenticity of the request, verifying the recipient's identity, and limiting the amount of funds that can be transferred without additional approval.

These best practices are fundamental in protecting your company and data against cybercriminals. To ensure these practices are properly implemented and regularly monitored, we recommend formalizing them in a comprehensive cybersecurity strategy document and incorporating them into your broader risk management program. This strategy document should outline how you will handle security incidents that occur, and include formal policies and procedures for access control, data backup and recovery, incident response protocol, conducting audits, and employee security training.

If the above checklist seems overwhelming, the good news is that Vouch has a wealth of cybersecurity tools and compliance partners available to clients to streamline the implementation of cyber risk management best practices.

Some of the most important tools to consider adding to your cybersecurity tech stack:

• Endpoint detection and response (EDR) tools
• Intrusion detection and prevention systems (IDPS)
• Data encryption software
• Multi-factor authentication (MFA) tools
• Security information and event management (SIEM) tools
• Next-generation antivirus (NGAV) products
• Security Operations Center (SOC) 
• Vulnerability management tools

In conclusion, digital health companies must prioritize cybersecurity in order to protect sensitive patient data, comply with regulatory requirements, and maintain patient safety and trust.  Ultimately, investing in cybersecurity is an investment in the long-term success and sustainability of digital health companies. By conducting a rigorous risk management program, partnering with security experts, and utilizing various security tools, digital health companies can significantly reduce the risk of a cybersecurity incident

For more information about risk management best practices, take Vouch’s complementary Risk Assessment today.