Keeping Your Medical Practice Safe From Cyber Attacks

Reading about the latest cybersecurity data breaches in the medical and medical insurance industries, it is tempting to believe that they only happen to large medical businesses like Banner Health [1] and Anthem Blue Cross [2]. Sadly, this is wishful thinking. It’s worth dipping into the numbers to get a good handle on the threat, so here is our outlook on what cybersecurity professionals call the ‘threat landscape’.

The 2020 Verizon Data Breach Report [3] is a comprehensive body of research studying 157,000 recent cybersecurity incidents (3,950 were confirmed to be data breaches). The report found that medical practices accounted for a third of data breaches in 2020. They suffered from the same level [4] and sophistication of cyber attacks as much larger enterprise organizations.

Increasingly, medical practices are being targeted by cybercriminals. Practices yield the same kind of personal patient data as much larger companies, but usually with less cybersecurity protection. Medical practices have limited budgets and obviously spend less on their cybersecurity defenses, making them easy prey for a cyberattacker who knows what they are doing. 

Medical practices are a target because even though the patient list might be short, the data is just as precious, including social security numbers, addresses, driver’s licenses, healthcare records and insurance information. All of it can be used for financial crimes like fraud or identity theft, making a medical practice of any size potentially rich pickings for a cyber thief.

Threats Your Medical Practice Faces

Data breaches are very serious, expensive to remediate, and damaging to a practice’s reputation. They can also cause an enormous amount of stress and anxiety to the owners and employees of the practice. The costs associated with the legal aspects of a data breach, notifying those affected, and providing them with identity monitoring can all add up to an expensive data breach bill. 

The most damaging part of a data breach fallout is the hit to your reputation. Patients often register with a new practice following a data breach due to a lack of trust after the loss of their medical and personal data. Negative publicity and word-of-mouth can keep new patients from signing up, too.

Because patient data is regulated by the Health Insurance Portability and Accountability Act (HIPAA), a data breach can lead to your practice being investigated by the Office for Civil Rights, which oversees patient confidentiality and health information privacy complaints. A complaint from a patient can spark an investigation that could potentially lead to a HIPAA violation if the office is found to be careless with patient data.

Ransomware is another big threat to businesses. We covered this subject in-depth in a previous article, so if you are not up to speed on ransomware, please do go and read it. Ransomware usually finds its way into a medical practice through fake emails that contain some sort of malicious attachment.

If a staff member opens this attachment, the ransomware infects their PC, encrypting the data on it and spreading itself throughout the local network to do the same to other machines. For cybercriminals, it is easier to encrypt your data and hold it for a ransom than it is to steal data and monetize it in some other way.

It has become a serious problem, too. Recently, a patient died from a life-threatening condition after ransomware shut down the hospital [5] she was headed to for treatment. 

More than ever, hospitals are being targeted by unscrupulous ransomware attackers who have no regard for the lives or personal information of your patients. In some cases, an attack has closed hospitals and medical practices for weeks afterward. Usually, these ransomware attacks are facilitated by an employee opening a malicious attachment or clicking on a link they should not have clicked on, something that can happen to the best of us.

Keeping Your Medical Practice Safe

If your medical practice is ahead of the times, you are probably using some sort of cloud-based healthcare software to manage customer records. That’s a good thing because the cloud provider will actively work to protect patient records from attackers. 

But even with a cloud provider’s security team working to secure data, it is still your responsibility to deal with cybersecurity issues in the office and ensure that staff is trained to protect patient data. With that in mind, here are Digital Hands’ top tips for keeping the patient data in your practice safe.

Update Your Hardware & Software 

When your software or hardware sends an update notification, it is often because vendors have discovered a vulnerability in their product that they need to patch. Therefore, never ignore those notifications. 

This is important because hackers can detect any out-of-date software or hardware that is connected to the internet using automated scanners. They can use those vulnerabilities to infiltrate computers. Constant updates can be annoying during a busy day, but keeping your systems properly patched with updates is a foundational cybersecurity measure. 

Make Sure Employees Are Trained 

Employee cyber awareness training is an essential component of all cybersecurity defenses. If employees are properly trained and know how to recognize potentially malicious emails or the warning signs of a cyberattack, it strengthens the security of the medical practice. 

Because medical practices are regulated by HIPAA, there are also security protocols [6] your employees need to be trained on. It is well worth bringing in third-party expertise to help with this and train the whole team on the secure handling of patient data.

Control Access to Data 

HIPAA requires that you carefully control access to patient data and ensure that only authorized employees can access it. This means that an IT team needs to carefully control who they give access to and make sure that they regularly audit the system. They also need to proactively remove access from terminated employees. 

Luckily, this has gotten a lot easier with the adoption of cloud-based health record applications. However, you still need to stay on top of it and ensure tight access controls to patient data over the long term.

Never Use the Same Password Twice 

Humans like convenience when logging into multiple systems, but if your medical practice uses the same password across multiple systems, you are asking for serious trouble. Setting aside the fact that malicious employees who know the password can access systems they shouldn’t, if a hacker discovers the password somehow, they can access all of the systems that use that same password, too. It’s always the first thing they try because they know people reuse their passwords.

Reusing the same password on multiple systems is a surefire way to invite a data breach. An easy way to stop this from happening is to force the systems to generate new passwords every month. This stops hackers with compromised credentials from using those credentials to access your data.

Let a Specialist Assess Risks 

It can be difficult for someone who isn’t a cybersecurity professional to properly assess cybersecurity risk. Even if you have read all the articles and followed all the guidelines, you will still miss things. It’s worthwhile to hire an independent (and objective) cybersecurity professional to conduct a thorough risk assessment of the business and give a thorough understanding of the security issues in your medical practice. 

It’s also well worth conducting a risk analysis on a regular (bi-annual) basis to stay on top of any potential vulnerabilities. If you advise patients to come in and check up on their health once or twice a year, take that same advice and check your cyber health regularly.

Use Security and Back-Up Software 

Make sure you have good security software installed on machines, including antivirus, a next-generation firewall, and anti-malware detection software. If you do not use a cloud service for patient data management, consider investing in encryption software to encrypt patient data when it is at rest. 

Also, make sure that you regularly (and securely) back up any data so that in the event of a ransomware attack, you can properly restore your data. It's the only way to avoid paying a ransom to attackers to get the data back.

Have a Data Breach Plan In Place 

The only thing that can make a bad data breach worse is being unprepared for one. Don’t wait for the worst-case scenario before putting a data breach plan in place; your medical practice’s credibility is on the line. Have a plan in place where every employee knows what to do and what the next steps are. 

A good plan should include law enforcement and regulator notification. It should also include a plan for managing the publicity (PR) and victim notification. Don’t forget to include the contact details of stakeholders like investors, practice owners, legal counsel, and third-party specialists who can come in and remediate.

Adhere To The HIPAA Regulations

Because your medical practice is covered by HIPAA regulations, you are obliged to comply with the regulations governing your IT infrastructure and patient data, and this is where most medical practices, especially the smaller ones, fall short. HIPAA requires you to continuously monitor your networks, IT infrastructure and cloud services 24x7x365 across all endpoints, firewalls and access points, which is beyond the capability of most medical practices’ IT teams, who do not work 24x7. This is where Digital Hands can help. We can properly monitor all of your digital assets all of the time and remediate any potential issues before they can become a cybersecurity incident. Alerting alone is not enough: the time it takes you to respond to and remediate the alerts is hugely important, and a robust response is what keeps potential threats from becoming serious incidents.

Conclusion

Carefully following through on the above advice will undoubtedly lay a solid cybersecurity foundation for you to build upon. Now is the time to take the necessary steps and get ahead of cyber risk before a worst-case scenario can occur. 

The media is littered with stories about medical practices and healthcare organizations falling victim to cyber attackers. Ensure that you do not become one of those stories and avoid the wrath of regulators. If you need any help or just some advice, talk to the Digital Hands team. We have decades of experience working with healthcare providers to secure the health and privacy of their patients.

 

References:

1) https://www.beckershospitalreview.com/healthcare-information-technology/banner-health-suffers-year-s-largest-data-breach-3-7m-affected.html 

2) https://en.wikipedia.org/wiki/Anthem_medical_data_breach

3) https://enterprise.verizon.com/resources/reports/2020-data-breach-investigations-report.pdf 

4) https://www.zdnet.com/article/smbs-see-cyberattacks-that-rhyme-with-large-enterprises-due-to-cloud-shift/ 

5) https://arstechnica.com/information-technology/2020/09/patient-dies-after-ransomware-attack-reroutes-her-to-remote-hospital/ 

6) https://www.hhs.gov/hipaa/for-professionals/security/guidance/cybersecurity/index.html