According to a report published this May by the Ponemon Institute, a research organization that specializes in data protection and information security, almost 90 percent of healthcare institutions have had some kind of data breach in the past two years, and 45 percent had five or more breaches. While many of these breaches were small and occurred due to employee mistakes, lost or stolen devices, or third-party mishaps, half of all healthcare data breaches were the result of cybercrime.
This isn't really surprising. Medical practices are in fact rich targets for cybercriminals. Healthcare data is even more useful than credit card data to those trading in black market data because it provides more information than just names, addresses, and social security numbers. Hackers can access patients' next of kin, who to call in case of emergency, and a detailed list of health conditions. Health data also has longevity: credit card accounts can be changed; health data, not so much.
Most medical practices meet (or make a good-faith attempt to meet) HIPAA regulations regarding encryption and handling of protected health information. If your data is breached, the Office for Civil Rights and your cyber-insurance carrier, if you have one, will want to see that you've exercised due diligence to protect PHI. If you have, OCR is not likely to fine you, and your insurance company will probably cover other associated costs.
However, there is a lot more at stake than the financial costs of a breach. In addition to keeping yourself in the clear legally, you also want to protect your patients' data, your patients' hard-won trust, and the reputation of your practice from the consequences of cybercrime. That may take more than the practices required by HIPAA, and sometimes even basic things are overlooked. Here are a few security practices that are easy to overlook but can help protect your data from cyberattacks.
• Make sure your system updates software automatically. "It's the simple things that kill you," says Chuck Winchester, Information Technology Operations Manager for the American Academy of Family Physicians (AAFP). Software updates aren't always automatic. "One of the easiest things to overlook," he says, "is keeping antivirus and antispam and malware scanning software continuously up to date."
• Have a policy and procedure for dealing with email attachments. Employees are often easy targets for malware. "If you get an email from someone you don't know, send it to your IT department and let them determine if it's safe to open. Make sure all employees are aware of this policy," Winchester advises.
• Encrypt sensitive data. Good passwords are great, but data encryption is better. IT experts recommend that, if at all possible, sensitive data should be encrypted, not just password-protected.
• Stay on top of risk assessments. "Most breaches show that risk analysis wasn't complete," says Rick Hindmand, a healthcare attorney with McDonald Hopkins in Chicago, Ill. Risk assessment shouldn't be a one-time thing. Do them regularly.