Security experts say small practices remain vulnerable but can take basic steps to help significantly reduce risk.
The recent rash of cybercrimes that either directly targeted or impacted healthcare institutions, including May’s WannaCry ransomware attack, demonstrates that many in the medical community don’t have strong enough electronic security.
“Sometimes the small practice physicians think they won’t be targeted because they have less information, but what we’re learning is that everyone is vulnerable because health data is very valuable,” said Deven McGraw, deputy director for Health Information Privacy for the Office for Civil Rights at the U.S. Department of Health and Human Services (HHS).
Consider a statistic from the nonprofit HITRUST Alliance, a collaboration of public and private healthcare technology, privacy and information security leaders. It found that 40% of doctor offices and medical practices working with HITRUST on cybersecurity had active malware or spyware on their systems at the time of assessment.
HITRUST CEO Daniel Nutkis said many physician offices aren’t following even the basic security measures to prevent attacks like WannaCry. They lack up-to-date hardware and software, they fail to download security patches and they skimp on endpoint and network security technologies.
“When you have deficiencies in all these areas, you’re set up for failure,” said Will Long, CISSP, CPHIMS, vice president and chief information security officer for information systems at Children’s Health, a pediatric healthcare system in North Texas that includes Children’s Medical Center Dallas and Children’s Medical Center Plano.
Long said he sees many physician groups affiliated with his medical institution struggle in those areas because they’re, understandably, focused first on patient care and don’t have a dedicated staff member to handle IT, let alone cybersecurity.
Simple steps to combat malware
However, Long, McGraw and Nutkis concurred that physicians should start by focusing on those three areas, following best practices that actually don’t take significant resources to implement.
“We always urge practices to get all that right first and then move into other advanced things,” Long said.
Long listed several specific steps all physician offices should be doing to combat malware:
• First, use up-to-date hardware and software. “Stay mostly current, as close as you can,” he said. “You don’t have to run the newest systems, but [don’t run] the oldest system out there, either.”
• Be sure to update practice systems with patches as vendors release them, as many of those patches address vulnerabilities that hackers seek to exploit.
• Invest in adequate endpoint and network protection software, as well as training for employees, who in many cases still represent the biggest security risk because they may open malicious email attachments or click malicious links.
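The three basics above (supported hardware and software, timely patching, endpoint protection on every machine) are easy to state and easy to let slide. As an added illustration, not part of the original article or of any HITRUST or Children’s Health tooling, the script below runs those three checks over a small asset inventory and reports which machines fail. The inventory, hostnames, dates and the 30-day patch-age limit are constructed for the example; vendor end-of-support dates should be confirmed against the vendor’s own lifecycle pages before relying on them.

```python
from datetime import date

# Constructed sample inventory for this example. Hostnames, patch dates and
# the "support_ends" values are illustrative, not a real practice's assets;
# check end-of-support dates against the vendor's lifecycle pages.
INVENTORY = [
    {"host": "reception-pc", "os": "Windows XP", "support_ends": date(2014, 4, 8),
     "last_patch": date(2014, 3, 11), "endpoint_protection": False},
    {"host": "exam-room-1", "os": "Windows 7", "support_ends": date(2020, 1, 14),
     "last_patch": date(2017, 2, 14), "endpoint_protection": True},
    {"host": "billing-pc", "os": "Windows 10", "support_ends": date(2025, 10, 14),
     "last_patch": date(2017, 6, 13), "endpoint_protection": True},
]

# Constructed "as of" date for the audit (shortly after the May 2017 WannaCry outbreak).
AS_OF = date(2017, 6, 30)


def audit_host(host, as_of, max_patch_age_days=30):
    """Return a list of basic-hygiene problems for one host (empty list = passes)."""
    issues = []
    # Check 1: is the operating system still supported by its vendor? An
    # unsupported OS no longer receives security patches, so check 2 below
    # cannot fix it; only replacement or upgrade can.
    if host["support_ends"] <= as_of:
        issues.append("unsupported OS: vendor no longer ships security patches")
    # Check 2: have vendor patches been applied recently?
    patch_age = (as_of - host["last_patch"]).days
    if patch_age > max_patch_age_days:
        issues.append(f"patches {patch_age} days old (limit {max_patch_age_days})")
    # Check 3: is endpoint protection present at all?
    if not host["endpoint_protection"]:
        issues.append("no endpoint protection installed")
    return issues


def audit(inventory, as_of, max_patch_age_days=30):
    """Map hostname -> issues for every host that fails at least one check."""
    report = {}
    for host in inventory:
        issues = audit_host(host, as_of, max_patch_age_days)
        if issues:
            report[host["host"]] = issues
    return report


if __name__ == "__main__":
    for host, issues in audit(INVENTORY, AS_OF).items():
        print(host)
        for issue in issues:
            print("  -", issue)
```

In a real office the inventory would be filled from whatever the practice already has (a spreadsheet, the endpoint-protection console, or the OS update history on each machine); the point of the script is that all three checks are mechanical and can be run monthly by someone without a security background.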
“Usually getting all those basics correct is enough for the practice,” Long added.
Resources are available to aid practices with their cybersecurity strategies.
A security risk assessment tool designed specifically for smaller practices is available through the Office of the National Coordinator for Health Information Technology (ONC). OCR also has
Meanwhile, HITRUST has CyberAid, a new program designed to help smaller healthcare organizations (specifically physician practices with fewer than 75 employees) address their cybersecurity needs. The program evaluates risk and identifies solutions and processes in a package that includes installation assistance, hardware, software, monitoring services, training and support. HITRUST, which sought discounts from vendors that are passed on to users in the pricing, offers CyberAid as a bundled program at varying price points depending on the organization’s size. The starting package, sized for an office with 10 users, costs $600 annually.
Long said he is collaborating with small physician practices affiliated with Children’s Health to bring CyberAid to those offices, which will help protect not only those practices but the entire ecosystem.
“They work very closely with us. They’re logging on to our EHR every day. They’re operating in our environment, emailing us, sending attachments, uploading documents into our EHR, so we want them to be secure,” he said.