When it comes to hackers, small medical practices are still at risk

Small does not equal safe from cyber danger.

Cyber criminals target healthcare organizations because their data contain patient names, birthdates, addresses, social security numbers, credit card numbers, and health insurance information. Whether the hackers use the information themselves or sell it on the black market, that combination is all that is needed to steal identities and commit fraud. That is why healthcare data is even more valuable than credit card records.

Physicians in small primary care practices who think they would not be a worthwhile target for hackers should look at the U.S. Department of Health and Human Services (HHS) list of reported breaches of healthcare information.

There, among the giant health insurers, government agencies, and large hospital systems, are medical practices that found out the hard way that they, too, can be targeted: an 11-doctor cardiology practice in Knoxville, Tenn.; a solo family physician in Weston, Fla.; a solo internist in Scottsdale, Ariz.; and many more.

In fact, a practice might be targeted specifically because it is small, says Christine Marciano, a certified information privacy professional (CIPP-US) and president of Cyber Data Risk Managers, a cyber insurance broker in the United States and Australia.

“I think it’s the smaller offices that are much more vulnerable,” she says. “They’re focused on treating patients, not on (encrypting) their laptops, and making sure they have the latest security measures.”

Lee Kim, JD, CIPP-US, director of privacy and security at the Healthcare Information and Management Systems Society, says attacks on small practices were uncommon five years ago, but no longer. In fact, some hackers will test and refine their methods on small practices before going on to attack larger targets, such as healthcare systems.

She is also seeing more of a new kind of attack, one that is not after a practice’s data or patient information but after its computing power, which is used to earn digital currency. Attackers have hijacked practice servers to mine cryptocurrencies such as Bitcoin. Users may not realize that their computers are running so slowly because those machines are performing the intensive calculations that generate the currency for the attacker.

“Even though you’re a small practice, the motivation to attack is still there. People who say they haven’t been targeted simply haven’t been targeted yet,” Kim says.

How to protect your data

Here are best practices to follow, according to the AMA and cyber security experts:

  1. Review current practices and policies. Protecting data is the responsibility of the practice, not of the electronic health record (EHR) vendor or software designer. The goal is to identify vulnerabilities before a hacker does. Some cyber insurance providers will conduct a security audit for an additional fee.
  2. Encrypt and password-protect mobile devices, including laptops, tablets, and smartphones. Set policies on who has access to the devices and who can remove them from the office.
  3. Install and update anti-virus software. Keep software and operating systems up to date and patched.
  4. Create separate wi-fi networks for your practice and your patients, using different passwords for each. Unauthorized access was the leading cause of security incidents in 2015, according to an IBM report.
  5. Change passwords regularly. Enforce a workplace policy requiring strong passwords with a mixture of letters, numbers, and symbols.
  6. Limit levels of access to data. Employees should have access only to the information they need to do their jobs.
  7. Train employees. All staff should be taught how to protect data and how to recognize deceptive attacks, such as phishing emails, which pose as legitimate communications but can install malware if their links or attachments are opened.
  8. Back up all data regularly. Backups should be kept off site and off network.