It’s important for physicians to gain staff buy-in on cybersecurity, as it can affect the future of the practice and their jobs.
A whopping 83 percent of physician practices report that they have experienced some form of a cyber-attack, including phishing, hacking, and even employee theft of electronic protected health information (ePHI), according to a study from the AMA and Accenture.
Practices typically focus on technological tools and interventions to prevent these incidents. While antivirus software and firewalls do play a critical role in cybersecurity, the human element should not be overlooked, says Uday Ali Pabrai, chief executive officer of ecfirst, a cyber-defense company.
“The journey starts with knowledge acquisition,” he says. Most organizations have not done enough to improve individuals’ cyber-literacy, which weakens practices’ readiness overall, he adds.
Before your practice becomes a cyber-crime statistic, consider the following ways to strengthen your defenses:
Explain the dangers
“‘Checking boxes’ without thought ultimately defeats the purpose of what cybersecurity programs are about,” says Brian Yeaman, MD, a solo primary care physician in Oklahoma and health IT expert. “It’s really so much more significant in terms of protecting our patients’ privacy and protecting our practice because data breaches and their penalties are serious and severe.”
Practices must convince employees that training is more than a mandatory exercise that takes up their time; it’s integral to protecting patients, the practice, and their jobs.
Even a minor security incident can cause substantial business disruption, notes Yeaman. For example, consider a scenario in which someone gets into a practice’s network with malicious intent and brings down its network or domain. The expense doesn’t end with paying an IT company to rectify the problem, he says. “It’s lost patients, lost revenue, and staff sitting around with nothing to do because without your network, you’re dead in the water.”
And it’s not unheard of for disgruntled patients to make privacy or security complaints without merit, says Kate Borten, a Massachusetts-based security and privacy consultant. “I worked with one office in which a patient angry about his bill made a privacy complaint as a means of wiggling out of financial responsibility,” she says.
Because a complaint had been filed, HHS investigated, and the investigation required the practice to provide copies of all of its policies, procedures, and evidence of staff training. “Through no fault of its own, the practice was really on the spot [to prove compliance],” Borten says. “Practices have to convey to employees that it doesn’t take much to become involved in an investigation and they need to be prepared.”
Select a security officer
Success starts at the top. Therefore, it’s crucial that practice leadership and security officials be devoted to protecting the organization from cyber-threats, says Borten.
First, practices of all sizes should recognize that they are required to have a privacy official and a security official. “I’ve seen some backsliding on compliance with this point,” Borten says.
She advises appointing practice privacy and security officers (who can be the same or separate individuals, according to HIPAA regulations) who welcome the role. Physician owners shouldn’t “automatically appoint the practice manager, for example,” Borten says. “You really want somebody who cares, who’s interested in privacy and security, and who will go out and actually seek information to understand his or her responsibilities.”
Security personnel should be provided with some work time to fulfill those responsibilities, Borten notes. Those duties include developing training content, which may be in the form of slides, paper handouts, or other media that can be shown to HHS in the case of an audit or complaint.
“It should be the officer’s responsibility to make sure that training is adequate and meets expectations, and hopefully he or she will become the eternal go-to person for questions, complaints, and education.”
Keep training short and stimulating
The frequency and content of security training are not spelled out explicitly in federal regulations, says Borten. She recommends that all employees, including physicians, receive comprehensive training upon hire and annually thereafter, with short refreshers on specific topics at least monthly. One way to carve out the time is to include some cyber-training on the agenda of existing staff meetings, she says.
To keep employees engaged, conduct the training using a variety of formats and tools. For example, hold a brief roundtable discussion about ransomware, suggests Pabrai. Or develop a handout focused on a particular area, such as how to report a potential breach of ePHI. “Identify your core topics and circle through them in different ways,” he says. “Keep trainings short, fast-paced, and relevant to current events.”
In addition to keeping training content relevant to current risks, employees must be able to connect the information to their day-to-day work, says Borten.
“Make it personal and directly related to people’s work processes and behavior,” she says. In other words, rather than regurgitating regulatory language, use training to explain what employees should do when they encounter specific situations.
She recommends practices take advantage of numerous training modules available online at little or no cost, many of which are geared toward physicians. Examples include resources from HealthIT.gov and the AMA.
Reduce internal risks
Especially in small practices, the trustworthiness of employees can be easily taken for granted. However, a 2018 survey from Accenture found that 18 percent of healthcare employees said they would be willing to sell confidential data to unauthorized individuals. Furthermore, about a quarter of those surveyed said they knew someone in their organization who had sold their login credentials or similar information.
“We’d all like to think our employees are perfect and would never do that, but the reality is they would and they will at some point in time, so you have to create an environment that protects you,” says Yeaman.
Yeaman recommends, for example, shutting down USB ports on all equipment to prevent individuals from downloading data onto a thumb drive or other device. Network activity monitors should also be set to track any aberrant patterns that could signal inappropriate activity, he adds.
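The USB control Yeaman describes can be applied on a Windows workstation by disabling the USB mass-storage driver, so that thumb drives no longer mount. The script below is an added example, not code from the article or from any of the people quoted in it; it assumes Windows workstations, an elevated PowerShell session, and that the practice has no legitimate need for USB storage on those machines. The USBSTOR registry key and the meaning of its Start value are documented by Microsoft; the log path is an assumed, practice-specific choice.

```powershell
<#
  Added example (not from the article): disable the Windows USB mass-storage
  driver (USBSTOR) by setting its Start value to 4, record the change for the
  security officer, and verify the result. Run from an elevated PowerShell session.
  Assumptions: Windows workstations; no approved need for USB storage on them;
  the log path below is an assumed location chosen for this example.
#>

$UsbStorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$LogPath    = 'C:\PracticeSecurity\usbstor-changes.log'   # assumed path for the audit trail

function Get-UsbStorageStart {
    # Start = 3: the driver loads when a USB storage device is plugged in (the default).
    # Start = 4: the driver is disabled, so new USB storage devices will not mount.
    (Get-ItemProperty -Path $UsbStorKey -Name Start).Start
}

function Test-UsbStorageDisabled {
    (Get-UsbStorageStart) -eq 4
}

function Set-UsbStorageState {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Disabled', 'Enabled')]
        [string]$State
    )
    $newStart = if ($State -eq 'Disabled') { 4 } else { 3 }
    $oldStart = Get-UsbStorageStart
    if ($PSCmdlet.ShouldProcess($UsbStorKey, "Set Start = $newStart ($State)")) {
        Set-ItemProperty -Path $UsbStorKey -Name Start -Value $newStart -Type DWord
        # Keep an audit trail: when, on which machine, by whom, and from what value to what.
        $entry = '{0} {1} {2} USBSTOR Start {3} -> {4}' -f (Get-Date -Format 'o'),
                 $env:COMPUTERNAME, $env:USERNAME, $oldStart, $newStart
        New-Item -ItemType Directory -Path (Split-Path $LogPath) -Force | Out-Null
        Add-Content -Path $LogPath -Value $entry
    }
}

# Usage: disable USB storage on this workstation and confirm the change took effect.
Set-UsbStorageState -State Disabled
if (Test-UsbStorageDisabled) {
    Write-Output 'USB mass storage is disabled on this workstation.'
} else {
    Write-Warning 'USBSTOR Start value is not 4; check that the session is elevated.'
}
```

For more than a handful of machines, the same setting is easier to enforce and audit centrally, for example through the Removable Storage Access policies in Group Policy or an endpoint-management tool, with a documented exception process for the rare workstation that genuinely needs removable media. The audit log the script writes is the kind of evidence a security officer can show HHS if a complaint or audit asks what controls were in place.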
While anonymous reporting of suspected data misuse or noncompliance with security policies can be challenging, it’s essential that leadership supports reporting without retaliation, says Borten.
Reporting procedures should be included in training, she says. Both the HIPAA privacy and security rules require that covered entities have a written process for discovering and reporting even suspected misuse or breach of patient information.