The "bad guys" are no longer limited to gangs that roam the streets with chains and backward baseball caps. These days, they may wear thick glasses and are likely to be part of an organized cybercrime group featuring a team of hackers, coders, con artists, and sophisticated networks of money launderers. And recently, they've gone after healthcare providers.
The main reason these criminals target medical practices is to gain access to credit card numbers, Social Security numbers, email addresses, bank account information, and birth dates, experts say. "With all of this information available, they can take over a patient's existing financial accounts or open new accounts and make charges," explains Robert Siciliano, CEO, IDTheftSecurity.com, Boston, Mass. "With an email address alone, these criminals can phish patients to obtain additional information."
Diana L. Burley, PhD, executive director of the Institute for Information Infrastructure Protection, a national consortium that analyzes complex cybersecurity problems, and professor of human and organizational learning at The George Washington University, Washington, D.C., says small businesses such as medical practices are prime targets because they are often less secure than their larger counterparts. Their technical defenses tend to be less robust, and their personnel are often unaware of the threats.
Chris Richter, senior vice president, Global Security Services at Level 3 Communications, a healthcare network service provider in Broomfield, Colo., adds that humans are the weakest link when it comes to cybersecurity. He points to the most recent Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute, which found that the health industry remains "negligent in the handling of patient information." Ponemon identifies external threats as the leading cause of security incidents and reports that healthcare organizations find breaches hard to deal with because there are many possible root causes. Fifty percent of healthcare organizations reported the root cause of a breach was a criminal attack, 41 percent of respondents said it was caused by a third-party snafu, and 39 percent of respondents said it was due to a stolen computing device. (The categories are not mutually exclusive, which is why the figures add to more than 100 percent.)
So how can practices protect themselves from these thieves? Here are six tips from cybersecurity experts.
Employ Technical Controls
At a minimum, an IT security framework should include deploying technical controls, which may include firewalls, desktop antivirus software, antivirus software on email servers, antivirus and anti-malware protection on employee inboxes, and content filtering for the Internet and email. "An IT team should update software as appropriate, patch all devices as often as possible, and perform vulnerability scans that can detect potential weaknesses," says Jorge Rey, chief information security officer and director of information security and compliance at Kaufman Rossin, a certified public accounting and advisory firm in Miami, Fla.
Regarding the Internet, Jordan Stivers, a healthcare and privacy attorney with the law firm Bradley Arant Boult Cummings LLP, in Nashville, Tenn., explains that a firewall protects against intrusions and threats from outside sources. A software firewall (as opposed to a hardware firewall, which usually requires technical expertise to configure) is typically more appropriate for small physician practices. Experts describe a hardware firewall as a dedicated physical appliance placed at the edge of the practice network that filters traffic for every device behind it. Software firewalls are included with most popular operating systems and are also available from computer security vendors, including most suppliers of antivirus software. They are installed on an individual computer or workgroup server, and usually come with technical support and guidance on how to configure them successfully without technical expertise. The two are not mutually exclusive: the practice's Internet router typically already provides a perimeter firewall, and a host firewall on each machine adds protection against traffic that originates inside the network, such as a laptop or printer that has already been compromised. Whichever type is used, the setting that matters most is the default policy for inbound connections: it should deny everything that is not explicitly allowed, rather than allow everything that is not explicitly blocked.
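The technical-controls and firewall paragraphs above describe what a host firewall should do but not what the configuration looks like. The following is an added example, not code from the article or from any of the experts quoted: a POSIX shell script that writes a default-deny inbound nftables ruleset for a Linux workstation or small workgroup server, shows the weak "accept everything" configuration beside it, and includes a small audit check that flags a ruleset whose input chain does not default to drop or which opens a port to the whole Internet. The LAN prefix 192.168.10.0/24 and the administrative SSH port are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the article): default-deny host firewall as an
# nftables ruleset, plus a check that catches the common misconfigurations.
# LAN_PREFIX and ADMIN_SSH_PORT are assumed values for a small practice.
LAN_PREFIX="${LAN_PREFIX:-192.168.10.0/24}"   # assumed practice LAN
ADMIN_SSH_PORT="${ADMIN_SSH_PORT:-22}"        # assumed admin port
OUT="${OUT:-${TMPDIR:-/tmp}/practice-firewall.nft}"

# The weak configuration: every inbound connection is accepted, so any
# service that happens to be listening (remote desktop, a database, a file
# share) is reachable from anywhere on the Internet.
permissive_ruleset() {
    cat <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }
}
EOF
}

# The hardened configuration: drop inbound by default and allow only
# loopback, replies to connections this host opened, ICMP for diagnostics
# and path MTU discovery, and SSH from the practice LAN only.
hardened_ruleset() {
    cat <<EOF
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
        ip saddr $LAN_PREFIX tcp dport $ADMIN_SSH_PORT accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# Audit check, reading a ruleset on stdin. Returns 0 (pass) only if the
# input chain defaults to drop AND every rule that opens a port ("dport")
# is restricted to a source address ("saddr"); a dport rule with no source
# restriction is open to the whole Internet and fails the check.
audit_ruleset() {
    rs=$(cat)
    printf '%s\n' "$rs" | grep -q 'hook input priority 0; policy drop;' || return 1
    if printf '%s\n' "$rs" | grep 'dport' | grep -qv 'saddr'; then
        return 1
    fi
    return 0
}

# Write the hardened ruleset to a file. It is only written here, not
# loaded; loading it requires root and is left to the administrator.
hardened_ruleset > "$OUT"
if hardened_ruleset | audit_ruleset; then
    echo "wrote default-deny ruleset to $OUT (load with: nft -f $OUT)"
fi
```

Before loading, `nft -c -f /tmp/practice-firewall.nft` checks the syntax without applying anything; `nft -f` then applies it, and a distribution's nftables service can persist it across reboots. The audit function is deliberately simple text matching, so it is a sanity check on a file you wrote, not a substitute for reviewing the live ruleset with `nft list ruleset`.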