Ouch – tell us what you really think, Mr. Scott! Is it true that the healthcare industry is some kind of target in a modern-day criminal enterprise? There have been plot lines in television medical dramas about the life and death impacts of a cyberattack. And we have heard a few real-life incidents about a large hospital being hit by a ransomware attack.
But that couldn’t happen to your private medical practice, could it? After all, you’re just a small- to medium-sized independent practice with an average number of patients. Certainly, you don’t have the financial wherewithal to pay a large ransom, so you are probably safe…or are you?
Mr. Clarke doesn’t appear to have a lot of sympathy for those who get hacked either. Perhaps he has good reason for such strong language, though. In March 2021, Medical Economics warned readers about the cyber war against health care practices. According to the article:
“While physicians worked to keep their practices financially afloat and dealt with COVID-19, hackers kept busy, too. From January through October of last year, there were 730 publicly disclosed security breaches with more than 22 billion records exposed, according to the cybersecurity firm Tenable. Health care made up 25% of those breaches with nearly 8 million records exposed.
Ransomware was by far the most popular attack method in 2020, making up 46% of the breaches. ‘The success that cybercriminals had in 2020 extorting sizable payouts from medical practices of all sizes ensures that ransomware will indeed remain the top cybersecurity threat in 2021,’ said Dave Martin, senior director, product management, threat response, at cybersecurity firm Open Systems.” (Medical Economics)
Simply put, today’s cybercriminals do not overlook any opportunity to wreak havoc, even with a private medical practice. Data ransoms of $50,000 to $100,000 are not uncommon. Can your practice afford that kind of a monetary hit? Probably not. This article discusses ways to keep your independent practice more cybersecure.
What Can Go Wrong In a Cybersecurity Attack on Your Private Practice?
At the very least, a cyberattack can be a giant pain in the neck. You can’t access your files from laptops, desktops or smartphones, electronic medical devices don’t function, and you lose communication with patients. Electronic Health Records (EHRs) can be compromised. Precious patient treatment time is lost while you work with computer consultants to fix the problem. Even if you do manage to get up and running again, there is a significant cost.
At its worst, however, the practice might not be able to gather a payment quickly enough to avert a serious financial meltdown. Sensitive patient records with photo identification, contact information, insurance coverage, and private medical details may be exposed – dangerous for the patient, and a potential HIPAA violation for the practice. Patient communications or data from a remote wearable device indicating a problem might not be received, leading to severe health complications. In the worst cases, Medical Economics reported, ransomware attacks can even lead to higher mortality rates.
Steps to Take to Improve Cybersecurity at Your Independent Practice
During World War II, an often-quoted security reminder was that “loose lips sink ships,” meaning that even seemingly innocuous statements can be used to advantage by the enemy. A similar mindset needs to be used when it comes to cybersecurity at your independent practice. Make cybersecurity a top priority, think about it all the time, educate your staff about it, and participate in active efforts to protect yourself. Follow these steps to improve cybersecurity:
1. Security Basics
At a minimum, your practice computer system should have a strong firewall and antivirus software, so that hackers cannot gain access without any effort at all. Today’s more advanced antivirus software even uses artificial intelligence to analyze which PC programs and processes are affected as soon as malicious activity is detected, and takes action to stop it.
2. Office Security Protocols
Medical Economics provided basic tips from the American Medical Association to help keep your practice safe and minimize cybersecurity risks, including:
- Protect your internet connection
- Protect Wi-Fi hotspots
- Protect your windows
- Secure Wi-Fi access
- Limit Wi-Fi access time
- Use a VPN for remote access
- Beware of your printer and copier
3. Pump Up Password Protection
Ramp up your password security protocols while you’re at it. Each password should be a minimum of eight characters long and consist of a mix of letters, numbers, and symbols. These should be changed regularly, not shared, not reused, and not posted on sticky notes attached to the computer!
4. Perform a Cybersecurity Assessment
Perhaps the last time everyone’s computer systems were really evaluated was when the calendar turned to 2000. Everyone feared a meltdown and took extraordinary steps throughout the data supply chain to ensure safety. Your private practice can take similar measures now to rethink your data pathways.
Take a step back, or hire a professional, to take a serious look at your cybersecurity exposure. Look at all the ways your practice sends and receives data, the devices you use, the software you employ, existing safety precautions, and vendor exposures. Have an outside firm perform a penetration test to look for weak points in your system.
5. Email Security
Email has become a preferred method of access for hackers. With telemedicine and employees working remotely due to COVID restrictions, email remains a vital form of communication, but we still don’t pay much attention to it from a security point of view. According to the AMA, the hacker’s strategy is to craft emails that are likely to capture attention by mentioning current events. The goal is to get the recipient to click on a link or download a file. These phishing attacks deliver malicious code, which then begins to attack the computer.
Modern email spam protection tools offer significant defensive capability options that help to filter out potentially malicious emails and stop users from going to dangerous website destinations by clicking on suspicious links. In addition, the HHS and the U.S. Cybersecurity & Infrastructure Security Agency (CISA) have created resources and guides to help medical practices and other small businesses protect against ransomware and phishing at Counter Phishing Guide (PDF) and Ransomware (PDF).
6. Protect Your Electronic Health Records (EHR)
EHRs are designed to make patient information instantly and securely available to authorized users. Your electronic health record should have multiple security features built right into it. Work with your vendor to completely understand how to update your EHR security features on a regular basis. The U.S. Department of Health and Human Services (HHS) also provides resources that can strengthen cybersecurity in your private practice.
7. Have a Backup System
Many computers perform an automatic backup, or even back up data to a cloud somewhere, but this can still be susceptible to an attack. The preferred method is to back up data on a regular basis to a device that is not connected to your network. Don’t get lazy about performing this function, as you never know when an attack might hit.
8. Watch Picture Archiving Communication Systems (PACS) Vulnerability
Widely used to share medical images and patient data for interoperability purposes, these systems can be exploited to expose key patient data. Left unpatched, infected servers can also compromise connected clinical devices and spread malicious code throughout your office network. The AMA advises physicians to contact vendors about PACS security patches for their systems. More information about this vulnerability can be found in this Health Sector Cybersecurity Coordination Center alert (PDF).
9. Consider Cybersecurity Insurance
Many insurance companies now offer cybersecurity coverage as part of their business policies. It might help to recoup some expenses involved in repelling a cyberattack.
10. Monitor Employee Behavior
It’s not fun to think about, but cyber threats can come from both internal and external sources. Staff members have unusual access to computer systems, and an abundance of time to prepare for their attack. Be aware of all those who have access to your network. If an employee or vendor leaves, be sure all electronic ties are severed.
11. Careful IT Vendor Selection
Your vendors need to be as secure as you are. A sophisticated hacker might not settle for one practice but might start at the IT vendor’s system and work their way down to every healthcare practice it serves. Instead of eliciting one ransom, all the practices might have to pay a sum to get their data back. Ask vendors what cybersecurity practices they have in place.
12. Maintain Vigilance
In the cat-and-mouse game of cybersecurity, hackers and evildoers often come up with one new attack for every solution. It is imperative to remain vigilant about new forms of attack, and to execute appropriate remediation efforts when any vulnerability is discovered in your computer network, medical devices, or patient communication systems. Update all systems as soon as security patches become available.
13. Constant Education
Provide ongoing awareness education to remind your employees about the importance of cybersecurity. Talk to them about password protocols, and discuss email phishing scams, so they know to never click on any suspicious links. Make them aware of any new threats that have come to your attention.
14. Have a Backup Strategy
Despite the best of your efforts, a cybersecurity attack might still occur in your practice. In this case, the best offense is to have a backup strategy in place to enable a rapid, effective recovery. Work with your IT team to develop a system to protect patient data and ensure practice continuity. Also, be prepared to notify your patients about potential information breaches.
The U.S. Department of Health and Human Services (HHS) operates a cybersecurity website to help physicians and other healthcare providers protect computer systems from cyber threats. Medical practices of all sizes receive access to numerous industry-tested resources, products, videos, and tools. These resources are designed to raise awareness, provide vetted cybersecurity practices, drive behavioral change, and mitigate cybersecurity threats in health care.