How to develop a culture of cybersecurity

June 25, 2017

When it comes to identifying a practice’s top cybersecurity threat, look beyond the hackers and email scammers. Instead, physicians and practice administrators need only glance around the office.

Cyber criminals’ success depends on tricking busy, distracted workers into clicking on links or attachments that download ransomware onto the user’s device; from there it can spread across the network and lock up all data until a ransom is paid.

“Cyber criminals think that if they can attack your system long enough to cause you to panic, they can get you to pay almost anything to get your system back,” says Cathy Bryant, manager of product development and consulting services at Austin-based Texas Medical Liability Trust (TMLT), which offers cyber liability coverage to physicians and is the state’s largest medical malpractice carrier.

Healthcare organizations must develop and foster a culture of cybersecurity to protect against outside threats. This means making health data security a business priority. Here are some ways to create this culture among the staff:

 Appoint an employee or outsourced firm to oversee information security. 

 Conduct a comprehensive risk analysis. Identify every place where the practice stores protected health information, financial data and other sensitive information and determine how the data may be vulnerable to an attack or breach, says Daniel Klein, JD, a Dallas attorney who specializes in data security and HIPAA compliance at Kane Russell Coleman Logan PC.

 Craft a risk management plan. It should address how the practice will mitigate the risks that were uncovered during the risk analysis, Klein says. 

 Develop security policies and procedures. These should address how the practice will respond to incidents; who should, and shouldn’t, have access to protected health information; and how the practice will encrypt data, for starters. These documents should be updated whenever changes occur that involve sensitive data, such as switching from a server-based to a cloud-based EHR, Bryant suggests.

 Install software updates as soon as they’re available. Software companies release patch updates when they’ve identified software vulnerabilities, Bryant says. 

 Back up all data, but don’t store it on the network. Perform regular data backups and store this information separately from the organization’s network, Klein says. The more often the data is backed up, the less data that will be lost if a breach occurs. Be sure to test the backup data regularly to make sure it can actually be accessed when it’s needed, he adds. 

 Provide employees with up-to-date security awareness training. Do employees know how to recognize spam emails? (Employees open roughly one in every three phishing emails, according to Verizon’s 2016 Data Breach Investigations Report.) Smaller practices may want to outsource training or rely on web-based training from a reputable vendor, Bryant says.

 Invest in a cyber liability policy. Some medical malpractice insurance policies include coverage for a cyberattack, but it’s often inadequate for responding to an incident. Once the practice hires an attorney, notifies patients and pays for a forensics investigation, the costs can easily exceed six figures, Bryant says.