Cybersecurity: How medical practices can protect patient data from hackers

Medical Economics Journal, Medical Economics July 2022, Volume 99, Issue 7

13 tips to keep your patient data safe

Picture this: You come into the office and all your electronic patient files are encrypted. When you try to access them, this is what you see: “You can’t access information unless you pay a ransom.” If you’re lucky, it might only be a few thousand dollars. Experts say “bad actors” have been known to demand hundreds of thousands of dollars or more. Without a system backup, you could face significant operational disruptions.

“The data that medical practices have is incredibly valuable to the bad guys,” says Errol Weiss, M.S., chief security officer at Health Information Sharing and Analysis Center (H-ISAC), a global, nonprofit, member-driven organization that collaborates with other entities to share vital physical and cyber threat intelligence and best practices.

What’s so valuable about patient records? The information that’s inside — names, dates of birth, addresses, financial information, and more. Hackers can sell it on the dark web (i.e., private computer networks that communicate and conduct business anonymously without divulging identifying information, such as a user’s location), open credit cards and more, says Weiss.

Evensmall practices are not exempt as targets.

“Small medical practices are low-hanging fruit for hackers because they haven’t typically tightened down their cyber environment,” says Emily Jones, practice leader and director of operations at Warren Averett Technology Group. “You’re never going to get a risk of zero, but there are measures you can put in place to protect yourself and your patients.”

1 Perform a security risk assessment. Not only is this a Health Insurance Portability and Accountability Act requirement for all covered entities, it can also help practices identify specific areas of vulnerability, says Vanessa Bisceglie, MBA, president and CEO of CareVitality.

2 Invest in staff training. Once you know your practice-specific vulnerabilities, provide targeted education. “Your employees need to be your first line of defense,” notes Jones.

The good news? Between webinars and free ezines, there are plenty of ways to educate staff on a tight budget, says Weiss. It’s the simple strategies that can be most effective, says Linda Renn, vice president at STAT Solutions, Inc.

3 Perform patch updates. Cybersecurity threats change quickly, and software can immediately become vulnerable, says Weiss. Patch updates are designed to fix security vulnerabilities and other bugs so hackers can’t hack patient records as easily. Make it a habit to check for systems updates regularly, he adds.

4 Enable multifactor authentication on all devices. Multifactor authentication requires users to provide two or more verification factors (e.g., password and answer to a security question). Why is this important? “All password resets go to your email,” says Weiss. “If the bad guys have access to your email, it’s game over for you.”

5 Create a password policy. For example, prohibit employees from using the same password for personal and work devices, says Jones. Why? If a hacker gets access to one, they have access to both.

“Hackers move laterally,” she says. “They see where you bank or where you work, for example, and then try using the same credentials.” Requiring employees to change their password every
60 or 90 days is also important. So is using a complex password of
12 characters that includes a combination of symbols, numbers and upper- and lowercase letters.

6 Use encryption. Make sure all hardware devices and emails that hold electronic patient health information are encrypted, says Bisceglie.

7 Configure your firewall correctly. A firewall is a device (either physical or virtual) that acts as a barrier to permit or deny access to your practice’s network. When configuring the firewall, you’ll need to think about internal and external access, says Jones. For example, what vendors (e.g., transcription companies, coding outsource companies, or telehealth vendors) will you permit to access your network? What websites will you permit staff to visit?

8 Separate your guest Wi-Fi and medical practice networks. “If you don’t do this, someone who knows what they’re doing can get into the practice’s network and access medical records in a matter of minutes,” says Jones.

9 Ensure role-based access to electronic health records. “Many times, vendors give broad access when the system is set up, and it’s up to a practice to really cut the access down and give staff the minimal access they need to do their role,” says Bisceglie. In the event of a breach, role-based access may help restrict the information to which hackers have access.

10 Back up your system.
“If you don’t back up your systems and check those backups, a ransomware attack can be devastating,” says Weiss.

Make sure backups are off-site and, if possible, on a separate electric grid, Renn says.

11 Consider cyber liability insurance. However, know what type of coverage you’re getting, advises Bisceglie, adding that practices should ask about coverage specifics, deductibles and required prerequisites for coverage.

12 Retain a cyber liability attorney. This should be the first person you call if you suspect your practice has been hit with a cyberattack because they can advise you on what to do next, says Renn. “If you don’t follow the right steps, the insurance company could null and void your coverage.”

Don’t just assume you can pay ransomware, says Renn. Engaging in a financial transaction with a sanctioned country, for example, could mean major civil and criminal penalties.“Contact your legal team because sanctions risks can be complex,” she says. “Your cyber liability attorney will be able to guide you in this area.”

13 Consider managed cybersecurity services. Small medical practices may not be able to afford an IT staff member to focus on cybersecurity. That’s why having someone else do it may be the best option, says Weiss. A managed cybersecurity services provider will properly secure the medical practice’s network and provide ongoing cybersecurity monitoring services. Weiss says to consider these questions when vettingproviders:

  • What does the provider do when it detects malicious activity?
  • Can the providerdetect when a breach has occurred? Can they detect when data has been lost?
  • Does the provider give recommendations on enhancing security?
  • Are they available 24/7?