A whopping 83 percent of physician practices report that they have experienced some form of a cyber-attack, including phishing, hacking, and even employee theft of electronic protected health information (ePHI), according to a study from the AMA and Accenture.
When attempting to prevent these incidents, practices typically focus on technological tools and interventions. But while protections such as antivirus software and firewalls do play a critical role in cyber-security, the human element should not be overlooked, says Uday Ali Pabrai, MSEE, CISSP, HITRUST CCSFP, chairman and chief executive of cyber-defense company ecfirst.
“The journey starts with knowledge acquisition,” he says. Most organizations have not done enough to improve individuals’ cyber-literacy, thus weakening practices’ readiness overall, he says.
Before your practice becomes a cyber-crime statistic, consider the following ways to strengthen your team’s defenses:
1 Explain the dangers
“‘Checking boxes’ without thought ultimately defeats the purpose of what cybers-ecurity programs are about,” says Brian Yeaman, MD, a solo primary care physician in Oklahoma and health IT expert. “It’s really so much more significant in terms of protecting our patients’ privacy and protecting our practice because data breaches and their penalties are serious and severe.”
Practices must impress upon employees that training is more than a mandatory exercise that takes up their time; it’s integral to protecting their patients, the practice, and even their jobs.
Even a minor security incident can cause substantial business disruption, notes Yeaman. For example, consider a scenario in which someone gets into a practice’s network with malicious intent and brings down its network or domain. The expense doesn’t end with paying an IT company to rectify the problem, he says. “It’s lost patients, lost revenue, and staff sitting around with nothing to do because without your network, you’re dead in the water.”
And it’s not unheard of for disgruntled patients to make privacy or security complaints without merit, says Kate Borten, CISSP, CISM, a Massachusetts-based security and privacy consultant. “I worked with one office in which a patient angry about his bill made a privacy complaint as a means of wiggling out of financial responsibility,” she says.
Because there was a complaint, HHS investigated and therefore required the practice to provide copies of all of its policies, procedures, and evidence of staff training. “Through no fault of its own, the practice was really on the spot [to prove compliance],” Borten says. “Practices have to convey to employees that it doesn’t take much to become involved in an investigation and they need to be prepared.”
2 Select a security officer
Success starts at the top. Therefore, it’s crucial that practice leadership and security officials be devoted to protecting the organization from cyber-threats, says Borten.
First, practices of all sizes should recognize that they are required to have a privacy official and a security official. “I’ve seen some backsliding on compliance with this point,” Borten says.
She advises appointing practice privacy and security officers (who can be the same or separate individuals, according to HIPAA regulations) who welcome the role. Physician owners shouldn’t “just automatically appoint the practice manager, for example,” Borten says. “You really want somebody who cares, who will go out and actually seek information to understand his or her responsibilities.”
Security personnel should be provided with some work time to fulfill those responsibilities, Borten notes. Those duties include developing training content, which may be in the form of slides, paper handouts, or other media that can be shown to HHS in the case of an audit or complaint.
“It should be the officer’s responsibility to make sure that training is adequate and meets [patients’ and regulators’] expectations—and hopefully he or she will become the eternal go-to person for questions, complaints, and education.”
3 Make training stimulating
The frequency and content of security training are not spelled out explicitly in federal regulations, says Borten. She recommends that all employees, including physicians, receive comprehensive training upon hire and annually thereafter, with short refreshers on specific topics at least monthly. One way to carve out the time is to include some cyber-training on the agenda of existing staff meetings, she says.
To keep employees engaged, conduct the training using a variety of formats. For example, hold a brief roundtable discussion about ransomware, suggests Pabrai. Or develop a handout focused on a particular area, such as how to report a potential breach of ePHI. “Keep trainings short, fast-paced, and relevant to current events,” he says.
In addition to keeping training content relevant to current risks, employees must be able to connect the information to their day-to-day work, says Borten.
“Make it personal and directly related to people’s work processes and behavior,” she says. In other words, rather than regurgitating regulatory language, use training to explain what employees should do when they encounter specific situations.
She also recommends practices take advantage of the numerous training modules available online at little or no cost, many of which are geared toward physicians.
4 Reduce internal risks
Especially in small practices, the trustworthiness of employees can be easily taken for granted. However, a 2018 survey from Accenture found that 18 percent of healthcare employees said they would be willing to sell confidential data to unauthorized individuals. Furthermore, about a quarter of those surveyed said they knew someone in their organization who had sold their login credentials or similar information.
“We’d all like to think our employees are perfect and would never do that, but the reality is they would and they will at some point in time—so you have to create an environment that protects you,” says Yeaman.
Yeaman recommends, for example, shutting down USB ports on all equipment to prevent individuals from downloading data onto a thumb drive or other device. Network activity monitors should also be set to track any aberrant patterns.
And while anonymous reporting of suspected data misuse or noncompliance with security policies can be challenging in a small practice, it’s essential that leadership try its best to support reporting without retaliation, says Borten. What’s more, she says, HIPAA requires written processes for discovering and reporting suspected misuse or breach of patient information. For that reason, reporting procedures should be included in training, she adds.