6 critical actions practices must take for better cybersecurity

September 10, 2017

After more than a year at work, the Health Care Industry Cybersecurity Task Force in June issued its report on what providers must do to better safeguard patient data.

The report from the task force, established by Congress in its Cybersecurity Act of 2015, said “many respondents widely reported that their electronic health records (EHRs) placed little attention on cybersecurity. Providers also report that many device manufacturers treat security as either an afterthought or that the attention is woefully inadequate.”

Rather than accepting that scenario, physicians should see the report as a call to action, said Robert M. Tennant, MA, director of health information technology policy for the Medical Group Management Association.

Physicians should evaluate the safeguards they use to protect their EHRs against hackers, Tennant says. They should also revisit the plans they have in place to protect their data against the more mundane, but very real, threats that can disrupt their practices.

“You have to think more generally about how you, as a physician, are protecting your most important business asset: your practice data,” Tennant says. “This is a growing problem, and practices have to be vigilant and do whatever they have to do to mitigate threats and preserve business continuity.”

He noted that professional organizations and federal agencies offer detailed guidance for free, sparing physicians from paying the often high-priced consulting fees associated with cybersecurity work.

“Most primary care physicians are in smaller offices, and they don’t have a lot of money to spend on sophisticated cybersecurity technologies. But there’s still a lot they can do and much of it is very simple,” he adds.

Simple strategies to improve IT security

Tennant listed several simple, but critical, action items for practices to take, which the report addresses at various points:

1. Establish policies against opening emails and attachments from unknown sources and continuously educate staff about those policies.

2. Consider implementing technologies that allow staff to open suspicious emails and attachments in a contained environment segregated from other systems.

3. Ensure that operating systems and antivirus software are updated with available upgrades and patches.

4. Hire a cybersecurity firm to conduct penetration tests, a common practice in other industries, where security professionals test their clients’ computer systems and staff to find vulnerabilities that attackers could exploit.

5. Prohibit unauthorized access to patient data; enforce passcodes, automatic logoffs, access controls and mobile device policies to ensure only authorized personnel can access records.

6. Review your data recovery and business continuity plans to ensure your practice can access backup files and, thus, continue operations in the event of a cyberattack, a fire in your server room, an Internet outage, etc.