Highlights industry issues, but physicians must take steps to keep their own patients’ data safe.
After more than a year at work, the Health Care Industry Cybersecurity Task Force in June issued its report on what providers must do to better safeguard patient data.
The task force, established by Congress in its Cybersecurity Act of 2015, comprises 21 leaders in health IT and related areas and was charged with addressing the cybersecurity challenges in healthcare today. Among its many highlights, the report cited a survey of 200 healthcare providers by research firm KLAS that said “many respondents widely reported that their electronic health records (EHRs) placed little attention on cybersecurity. Providers also report that many device manufacturers treat security as either an afterthought or that the attention is woefully inadequate.”
Rather than accepting that scenario, physicians should see the report as a call to action, said Robert M. Tennant, MA, director of health information technology policy for the Medical Group Management Association.
He said in light of the report, physicians should evaluate the safeguards they use to protect their EHRs against hackers. They should also revisit the plans they have in place to protect their data against the more mundane, but very real, threats that can disrupt their practices.
“You have to think more generally about how you, as a physician, are protecting your most important business asset: your practice data,” Tennant said. “This is a growing problem, and practices have to be vigilant and do whatever they have to do to mitigate threats and preserve business continuity.”
The 96-page report provides a snapshot of the current state of cybersecurity and runs through numerous imperatives, recommendations and action items.
Tennant acknowledged the value in the report’s call for the government to provide more resources to the healthcare industry in its efforts to shore up cybersecurity.
Still, he said from a practical standpoint physicians need to adequately address their security needs on their own.
He noted that professional organizations and federal agencies offer detailed information for free, thereby sparing physicians from paying the often high-priced consulting fees associated with cybersecurity work.
“Most primary care physicians are in smaller offices, and they don’t have a lot of money to spend on sophisticated cybersecurity technologies. But there’s still a lot they can do and much of it is very simple,” he added.
He listed several simple, but critical, action items for practices to take, which the report addresses at various points:
1. Ensure that operating systems and antivirus software are updated with available upgrades and patches.
2. Establish policies against opening emails and attachments from unknown sources and continuously educate staff about those policies.
3. Hire a cybersecurity firm to conduct penetration tests, a common practice in other industries, where security professionals test their clients’ computer systems and staff to find vulnerabilities that attackers could exploit.
4. Consider implementing technologies that allow staff to open suspicious emails and attachments in a contained environment segregated from other systems.
5. Prohibit unauthorized access to patient data; enforce passcodes, automatic logoffs, access controls and mobile device policies to ensure only authorized personnel can access records.
6. Review your data recovery and business continuity plans to ensure your practice can access backup files and, thus, continue operations in the event of a cyberattack, a fire in your server room, an Internet outage, etc.
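Item 6 is the one a practice can test rather than merely document. The script below is an added example, not from the task force report or from MGMA, showing one way to answer “What if?” for a backup set: at backup time it records a SHA-256 for every file in a manifest, and at restore-test time it checks that every listed file is still present, unaltered, and no older than the practice's recovery-point objective. The manifest layout, the `nightly` directory and the sample files are assumptions constructed for the example; they do not describe any EHR vendor's backup format.

```python
"""Restore-readiness check for a practice backup set (hypothetical example).

At backup time, write_manifest() records the SHA-256 of every file.
At restore-test time, verify_backup() reports files that are missing or
corrupted and flags the set as stale if it is older than the practice's
recovery-point objective. The manifest format is an assumption of this
example, not a vendor format.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path
from typing import Optional


def sha256_of(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large database dumps need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def write_manifest(backup_dir: Path, manifest_path: Path, created: float) -> dict:
    """Record every file's hash at backup time; keep the manifest outside backup_dir
    (ideally on separate media) so it is not itself part of what it attests."""
    manifest = {
        "created": created,  # Unix timestamp of the backup run
        "files": {
            p.relative_to(backup_dir).as_posix(): sha256_of(p)
            for p in sorted(backup_dir.rglob("*"))
            if p.is_file()
        },
    }
    manifest_path.write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_backup(backup_dir: Path, manifest_path: Path,
                  max_age_hours: float = 24, now: Optional[float] = None) -> dict:
    """Compare the backup on disk against the manifest and return a readiness report."""
    manifest = json.loads(manifest_path.read_text())
    now = time.time() if now is None else now
    missing, corrupted = [], []
    for rel, expected in manifest["files"].items():
        p = backup_dir / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_of(p) != expected:
            corrupted.append(rel)
    age_hours = (now - manifest["created"]) / 3600
    stale = age_hours > max_age_hours
    return {
        "ok": not (missing or corrupted or stale),
        "missing": missing,
        "corrupted": corrupted,
        "stale": stale,
        "age_hours": round(age_hours, 2),
    }


def build_sample_backup() -> tuple:
    """Create a throwaway backup set in a temp directory.
    The files are constructed sample data, not real patient records."""
    root = Path(tempfile.mkdtemp(prefix="practice-backup-"))
    backup_dir = root / "nightly"
    (backup_dir / "ehr").mkdir(parents=True)
    (backup_dir / "ehr" / "db.dump").write_bytes(b"constructed database dump\n" * 100)
    (backup_dir / "schedule.csv").write_text("date,room,provider\n2017-06-01,A,Dr. Example\n")
    manifest = root / "manifest.json"
    write_manifest(backup_dir, manifest, created=time.time())
    return backup_dir, manifest


if __name__ == "__main__":
    backup_dir, manifest = build_sample_backup()
    print(json.dumps(verify_backup(backup_dir, manifest), indent=2))
```

Run it on a schedule against the most recent backup and treat any report with `"ok": false` as an incident: a missing or corrupted file means the backup cannot be restored as-is, and a stale set means the recovery-point objective is already being missed before anything has gone wrong.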
“The two most important words you can ask are: ‘What if?’” Tennant said. “You want to ask how you back up your data so you can continue operations.”