Medical Economics counts down the top challenges facing physicians in 2020.
It has never been such a challenging time to be a physician. Every physician, whether they own their own practice or are employed by a hospital or larger health system, must navigate a host of obstacles each and every day: Payment hassles, staffing issues, patient communication obstacles, technology burdens, long hours and burnout, and much more.
Each December, Medical Economics presents its list of the top challenges facing physicians going into the next year. This year we focused not only on the challenges, but also practical tips physicians can start using right away to make practicing easier.
Challenge 8: Cybersecurity
More than 32 million patient records were breached in the first half of 2019, and hackers were the culprit in more than half of those incidents, according to the Protenus Breach Barometer.
This threat will not go away in 2020-hackers covet the rich personal data contained in medical records. And while massive hacks of hospitals, payers, and other large corporations get the most news, even the smallest practices are targeted with impunity. More than 83 percent of physician practices report that they have experienced some form of a cyberattack, including phishing, hacking, and even employee theft of electronic protected health information, according to a 2018 study from the American Medical Association and Accenture.
One of the biggest cybersecurity mistakes a practice can make is to assume it won’t be a target because it is too small or has nothing of value, says Kevin Johnson, CEO of Secure Ideas, a Jacksonville, Fla.-based security consulting firm.
“Hackers are not going after you specifically, they are going after everybody,” Johnson says. “They target large numbers of victims, because it doesn’t take much more effort to send out millions of attacks versus a hundred, because it is all automated.”
The result is that many physicians feel helpless to defend against a hack, and just keep their fingers crossed that they won’t fall victim. But that’s the wrong mentality, cybersecurity experts say, because there are steps that practices can take to minimize their risks. They include conducting a thorough risk assessment and building a rigorous staff training program.
The best way to identify a practice’s key vulnerabilities is by conducting a baseline risk assessment. It’s mandated by HIPAA, and security experts advise conducting such an analysis each year. The analysis both helps a practice learn its vulnerabilities and mitigates financial risk if the practice does experience a breach. The risk assessment is the first thing HIPAA investigators will ask about if a breach occurs, and without one, the financial penalties can be severe, says Matthew Fisher, JD, a partner with Mirick, O’Connell, DeMallie & Lougee LLP, in Massachusetts.
Staff training program
A risk assessment can also provide data on what the practice should focus on in terms of staff training. The truth is that many breaches result from mistakes made within the practice, says Michael Yamamoto, chief information security officer for Beth Israel Deaconess Medical Center in Boston. “The human component is the most difficult to secure,” he says.
Yamamoto recommends that healthcare organizations of all sizes focus cybersecurity training around the basics of everyday work life. “Fundamentally, a lot of security comes down to people’s passwords,” he says. “If somebody gets that password, they’re in.”
Physicians must take cybersecurity training seriously and make sure they keep their knowledge up to date. To keep hackers at bay, Yamamoto recommends using passwords with at least 12 characters, and different passwords for every place a user logs in. Multi-factor authentication should be used wherever possible.
Each practice should develop a protocol that addresses how it will respond to incidents and who should-and shouldn’t-have access to protected health information. It should also include how the practice will encrypt data.
Instruct staffers not to access medical records they don’t need to perform their job. “People probably don’t realize they’re perpetuating data breaches when they enter a record that they really have no clinical reason to be in. We tell people they can’t look in their own medical records or those of family members outside of the due course of their jobs,” Fisher says.
Finally, practices must make clear to all clinicians and staff that if they click on a bad link, open a suspicious attachment, or make another security-related mistake that they will not be disciplined-and that reporting incidents is crucial. The sooner a potential breach is discovered the sooner an organization can take steps to stop or minimize the damage.
“You have to think more generally about how you, as a physician, are protecting your most important business asset: your practice data,” says Robert Tennant, director of health information technology policy for the Medical Group Management Association. “This is a growing problem, and practices have to be vigilant and do whatever they have to do to mitigate threats
6 steps to improving cybersecurity
1. Establish policies against opening emails and attachments from unknown sources and continuously educate staff about those policies.
2. Consider implementing technologies that allow staff to open suspicious emails and attachments in a contained environment segregated from other systems.
3. Ensure that operating systems and antivirus software are updated with available upgrades and patches.
4. Hire a cybersecurity firm to conduct penetration tests, a common practice in other industries, where security professionals test their clients’ computer systems and staff to find vulnerabilities that attackers could exploit.
5. Prohibit unauthorized access to patient data; enforce passcodes, automatic logoffs, access controls and mobile device policies to ensure only authorized personnel can access records.
6. Review your data recovery and business continuity plans to ensure your practice can access backup files and, thus, continue operations in the event of a cyberattack.