As cyberattacks grow more sophisticated, physician practices face mounting risks that can jeopardize patient trust, data security and financial stability.
In a recent discussion with Medical Economics, Mike O’Neill, CPHRM, CRM, SSLP, Assistant Vice President of Risk Management Operations at ISMIE, outlined the most pressing cybersecurity threats targeting health care organizations today—from phishing scams and ransomware to device vulnerabilities—and offered practical steps practices can take to safeguard patient information and their own reputations. The following transcript was edited for length, style and clarity.
Medical Economics: Why is it so important for health care organizations to mitigate their risk of cyberattacks?
Mike O’Neill: It really comes down to dollars and cents. Breaking it down, there’s the patient information, and then we have the medical practice itself and its reputation. Patient data is high dollar value because of what’s included: We’ve got protected health information (PHI), personally identifiable information (PII), patient financials, bank accounts, credit card numbers, Social Security numbers, date of birth, medical history, medical problems, surgeries, and medications. All of that has a high dollar value. When you talk about the medical clinic itself, if that information, the patient’s or employee’s information, were to be compromised, then there is the potential for financial loss, penalties with HIPAA violations, and/or a loss of trust. Think about it: Will patients want to come see you as a physician or as a practice if they can’t trust that you will protect their information and what they’re sharing with you?
Medical Economics: Can you provide an overview of the potential cybersecurity risks that are relevant to practices right now?
Mike O’Neill: You can break it down into five common threats: phishing attacks, ransomware attacks, loss or theft of equipment or data, accidental or intentional data loss, and attacks against connected medical devices. Let’s go through each one of those.
Phishing attacks are when a cyber threat actor poses as a trustworthy colleague, acquaintance or organization to lure the victim—a practice employee in this case—into providing sensitive information or network access. These lures can come in the form of an email, a text message or even a phone call. Recently, threat actors have been using AI to use voices that sound like somebody you know, but it’s not. This technique could enable the threat actors to gain access to network systems, resulting in data breaches, identity fraud or financial losses.
Next, we have ransomware attacks that involve malware that locks or encrypts the user’s data unless the user pays the hacker a ransom.
Then there’s loss or theft of equipment. For our policyholders, one of the highest-volume claims that are reported is not so much theft, but loss of laptops, tablets or cell phones. It’s inadvertently done, left behind in a waiting room or on an airplane, but it can happen.
The fourth one is accidental or intentional data loss. An employee might accidentally or intentionally cause a breach of the organization’s technical infrastructure. Maybe they didn’t update their computer system, maybe they shared a password. Also, think about disgruntled employees and the damage that they can do to your infrastructure. Think about skipping steps or failing to lock down devices or create an appropriate backup. Those can lead to these unintentional or intentional accidental data losses.
Finally, consider attacks against connected medical devices. Think about in an ICU where patients are really sick and they need those warnings. Those devices and their alerts need to be working as intended.
Medical Economics: What can practices do to mitigate these risks?
Mike O’Neill: At ISMIE, we break it down to seven general categories and I’ll walk you through each of them.
1. Understand the basics. Safeguarding cybersecurity and anticipating evolving cyber liability risks can be a complicated and time-consuming endeavor. It’s important to be familiar with cybersecurity terminology and to use language understood by all parties. This ensures a common understanding of what these terms mean when there is an event or you’re working with your IT professionals. For example, practices that are investigating a possible cyberattack or suspected incident should avoid the term “breach.” I’m not a lawyer, but you don’t want to use that term until you know for sure that it is, in fact, a breach. Instead, use terms like incident or event.
2. Ensure that effective systems and policies are in place. Review your policies regularly and work with your IT team to make sure that your systems are updated and your policies make sense. There’s nothing worse than putting these policies in a three-ring binder, sticking them on the shelf and never going back to them. If someone like me comes in there to do an assessment, and you’re blowing the dust off of them, I know they’re not likely being put to use. These policies and procedures should be living documents that you’re regularly reviewing and making sure meet industry standards.
3. Conduct regular staff training. What kind of training are you providing your employees? What types of devices and technologies are you using? It’s critical to provide training not only when onboarding new staff, but also on an ongoing and annual basis, so that when things change, you can review them with your staff and highlight emerging threats. Another consideration is the risk from your third-party vendors, your EHR and billing system vendors, for example.
It’s important to not only review your own practice’s procedures, but also the type of training that is being done at these outside entities that have access to your data. The bottom line is you want to encourage your staff to maintain a high index of suspicion and think twice before they click. As with any training, it’s important to document the information covered and the individuals who participated. The gold standard is to have trainees attest that they reviewed it, they understand it, and they’re willing to follow it.
4. Don’t overlook the risk of internal threats. You probably think about what’s coming in from outside your organization, but you also need to think about what we already talked about regarding the intentional and unintentional acts that can originate from within. There was a study done recently through Verizon Business, and they found that 18% of attempted health care breaches were linked to internal actors. Among those internal actors who attempted breaches, Verizon found that the top reason for doing so was financial gain at 89%, so the statistics speak for themselves. You need to be cognizant of what’s happening externally and from within.
5. Surround yourself with a strong team. If your practice is a larger organization, you may have access to an IT security team. Physicians in smaller practices may wish to consult a vendor or consultant who has experience helping small practices with information privacy and security. We’ve already talked about the importance of ensuring adequate training for third-party vendors, but it’s also important to review their systems and safeguards. This includes the contract terms you have with them, how they approach IT security, infrastructure, software and system updates, how they would handle a cyberattack, what the process is for backing up the system, how breaches are reported, and who is responsible for notifying impacted individuals. Consider identifying a spokesperson or media team that you can use in the event of a cyber incident, depending on the size of your organization. If you’re in a small practice, consider having your HIPAA or compliance officer serve as the leader of the incident response team.
6. Conduct a risk assessment. Your on-staff IT professionals or your consultants can help you conduct an assessment. Consider including your EHR vendor as well. The first step is identifying the current cyber risks and then working to mitigate those risks by developing strategies and implementing changes to address them.
7. Know who to call if there’s an incident or event. Having important phone numbers handy can be extremely helpful. If your system is locked down, who do you call? Knowing who you’re going to call is key. Next, do you need to call your cyber insurance provider? Don’t forget to follow your communication and media plan that could include notifying employees, patients and local authorities of the event.
Medical Economics: Any final thoughts?
Mike O’Neill: The best thing to do from a financial risk mitigation standpoint is to make sure that you have the coverages in the event of an incident or a breach. How much coverage do you have? What does it cover? Seek out and review your insurance policies to see if you have cyber coverage. If not, you might want to acquire endorsements or work with a broker, cyber team and legal professionals to identify exactly what you need.