By DON BAHAM, CISSP, CISA, MCSE
Physicians are often keenly alert to the need for strong, up-to-date cybersecurity measures. Many doctors in small and mid-size practices are extremely concerned about the possibility of cyberattacks and worry about threats to the safety of their patients’ electronic protected health information (ePHI).
This isn’t entirely surprising considering that, according to a recent survey, most physicians are likely to have already experienced a costly and disruptive cyberattack. The survey, Taking the Physician’s Pulse, was conducted by the American Medical Association and Accenture, and it asked U.S. physicians about their experiences and attitudes regarding cybersecurity.
The survey reveals areas for improvement in how physicians practice cybersecurity. For example, the cause of up to 55 percent of security issues can be traced back to the actions of employees (such as clicking on fraudulent links in emails). Certainly, a need for more cybersecurity education exists in the medical industry and resolving to make enhanced security a priority is a great goal for 2019.
The recent survey wasn’t all bad, though. It also revealed a bright spot for the future.
It showed a tendency for physicians to trust IT vendors to effectively manage cybersecurity in medical practices. This is an important sentiment because it steers physicians toward a highly effective solution against the dark world of cyber hacks. Those in the medical field will undoubtedly continue to advance in using technology to their advantage. Physicians who partner with a trusted third-party managed security provider to ensure their ePHI and networks remain secure will be better able to flourish safely in a tech-driven future.
Cyberattacks in physician offices are all too common
One of the most disturbing trends revealed in the survey was the high frequency of cyberattacks. Out of 1,300 U.S. physicians surveyed, 83 percent have already experienced a cyberattack.
The most common types of attacks include:
- 55 percent were from phishing
- 45 percent were from viruses and malware
- 37 percent were from inappropriate access to (or attempts to access) ePHI by someone inside the organization
- Other issues stemmed from hacked networks, ransomware, and breaches of ePHI.
In fact, only 17 percent of physicians said they have not experienced any type of issue or attack.
Attacks significantly disrupt operations
In the survey, physicians shared responses regarding a plethora of disruptive, costly concerns they fear they’ll experience from cyberattacks and data breaches, including:
- Healthcare providers often lose access to ePHI while under attack, which prevents them from providing necessary healthcare services.
- Compromised ePHI can negatively affect patient care.
- Appointments must be rescheduled until the issue is handled, resulting in billing losses.
- Violations of HIPAA and other data privacy regulations can be costly.
- Violations expose doctors to civil or criminal liabilities.
- Patients may become unwilling to share their information with a provider who’s experienced a data breach.
Whether these disruptions occur for two hours, two days, or two weeks, they can cause a great deal of stress and concern for physician offices.
ePHI security risks must be addressed
The need to share private data electronically will not simply go away. It’s too vital in improving the quality of patient care. Physicians believe strongly in the importance of sharing ePHI with outside entities, and up to 85 percent say it is extremely or very important.
In fact, the need to prevent cyberattacks will only grow in the future. Fifty-four percent of physicians say they’re looking to adopt telemedicine into their practice within the next couple of years. Many are considering the use of other advancements such as precision medicine, artificial intelligence, and biometric authentication.
Medical care procedures and delivery models are expanding and becoming more technology driven. It’s the same story across many industries. Businesses everywhere experience this same push into the world of online digital technologies. All too often, though, in all the rush and excitement, a critical factor is overlooked. A corresponding need for more effective cybersecurity practices grows right alongside all the other technological advancements.
Many businesses recognize outsourcing as the most beneficial way to meet their ever-growing cybersecurity challenges. Even businesses that employ their own IT staff often rely on managed service providers for the most up-to-date, efficient cybersecurity practices.
How physicians can enhance medical cybersecurity
Go back to basics. Always follow trusted cybersecurity standards. Following the Top 20 Critical Controls is a good place to start. If 20 sounds like too many, start with these:
1. Patch operating systems regularly.
2. Know what is on your network (and have a good network diagram and inventory).
3. Don’t let users have administrator rights.
4. Whitelist the applications that are allowed to run on your network.
Protect identities. Follow up-to-date standards for password creation and management, especially on systems that contain confidential information, like your electronic medical record system. You should no longer be following the rule of eight-character complex passwords that change every 30 days. Instead, have users create a much longer, easy-to-remember passphrase that never changes, and protect it with app-based two-factor authentication.
Assessment. Don’t wait for trouble to start. Proactively engage the proper resources to evaluate your practice’s entire IT environment for existing issues and potential vulnerabilities.
Repair and update. Do not let those identified security gaps linger. Address the problems found in the assessment using either your own internal resources or a trusted third party as quickly as possible.
Diligent maintenance. After the issues are resolved, establish a method of managing technology and security proactively to ensure your practice experiences minimal downtime. This method can utilize a combination of internal and external resources.
Take these steps now so you can focus on practicing medicine and providing quality health care to your patients.
Don Baham, CISSP, CISA, MCSE, is president of Kraft Technology Group, an affiliate of KraftCPAs. For more information on how KTG protects organizations against BEC attacks and other cyber threats, click here, and for information on KTG’s full line of services, go online to kraftgrp.com. If you have questions about how to protect your healthcare system against cyberattacks, please contact us at KraftCPAs. We’ll be glad to help.