In many areas of the U.S., healthcare heroes are fighting the COVID-19 pandemic on the front lines, while clinicians elsewhere are mobilizing for what still may come. Vulnerability is very real right now, and not just on the clinical side. Healthcare providers are particularly vulnerable to cyberattacks, which have increasingly struck the industry in recent weeks.
With threats on the rise due to distributed workforces and overwhelmed hospitals, it’s important to review cybersecurity best practices. By staying proactive in the face of mounting threats, physician practices can thwart hackers’ objectives and maintain the security and privacy of their patient data.
Data protection: now, then, and always
Whether during a pandemic or operating in normal circumstances, there’s a set of basic guidelines that physician practices need to follow to protect data. First, be proactive about maintaining software by enabling automatic updates on all computers and mobile devices used for anything work-related. Anti-virus and anti-malware software need to be installed on the practice’s computers and mobile technology. Windows and macOS do include these by default, so long as they’re enabled and up-to-date. New vulnerabilities will continue to surface, so it’s important to apply the corresponding security patches promptly as they are released.
Regarding data access, the safest path to maintaining security is one that requires multi-factor authentication upon login. This forces employees to present two or more pieces of evidence that confirm they are who they say they are before they are authenticated. Finally, a solid, reliable system needs to be in place for backing up all patient data.
The rapid spread of COVID-19 has dramatically changed many industries around the world, including healthcare. For many medical practices, stay-at-home or social distancing mandates required an immediate redistribution of employees to the home setting. Many healthcare providers are also performing remote care via telemedicine visits, some for the first time. These circumstances have led to a boom in the usage of personal computers, various network resources and access methods, and third-party conferencing platforms. They’ve also resulted in compromised data security for some physician practices.
Phishing attacks via email and text message are exploiting patients’ and healthcare providers’ sensitivities to pandemic-related communications during this difficult time. With intent to install malicious software or steal valuable personal information, hackers are disguising their messages as authoritative, urgent communications about the crisis. These phishing schemes are the most frequent and basic reasons why practices succumb to cyberattacks. Educate employees about suspicious emails, encouraging them to look closely at sender details and URLs, and to type a URL into the browser themselves rather than clicking the link in the message. No one at a practice should ever open an email attachment they didn’t expect.
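The two things the paragraph tells staff to inspect, sender details and URLs, can be expressed as mechanical checks that a mail filter or a staff-training tool could run. The following Java class is an added example written for this page; it is not code from the article or from AdvancedMD. It flags a From header whose display name contains an address at a different domain than the real sender, and HTML links whose visible text names one host while the href points to another. The sample header and body are constructed for the example, and the domain names in them are placeholders, not real indicators.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

/** Flags the sender/URL inconsistencies the text tells staff to look for. Added example, not the article's code. */
public final class PhishingIndicators {
    // "Display Name <local@domain>": group 1 = display name, group 2 = the real address
    private static final Pattern FROM =
            Pattern.compile("^\\s*\"?([^\"<]*?)\"?\\s*<([^>]+)>\\s*$");
    // An e-mail address embedded in free text; group 1 = its domain
    private static final Pattern EMAIL_IN_TEXT =
            Pattern.compile("[\\w.+-]+@([\\w-]+(?:\\.[\\w-]+)+)");
    // HTML anchor: group 1 = href target, group 2 = visible link text
    private static final Pattern ANCHOR = Pattern.compile(
            "<a\\s+[^>]*href=[\"']([^\"']+)[\"'][^>]*>(.*?)</a>",
            Pattern.CASE_INSENSITIVE | Pattern.DOTALL);
    // Leading host name of a URL or URL-looking text; requires at least one dot so "Click here" is not a host
    private static final Pattern HOST = Pattern.compile(
            "^(?:https?://)?(?:www\\.)?([\\w-]+(?:\\.[\\w-]+)+)", Pattern.CASE_INSENSITIVE);

    static String domainOfAddress(String address) {
        int at = address.lastIndexOf('@');
        return at < 0 ? "" : address.substring(at + 1).toLowerCase(Locale.ROOT);
    }

    static String hostOf(String urlOrText) {
        Matcher m = HOST.matcher(urlOrText.trim());
        return m.find() ? m.group(1).toLowerCase(Locale.ROOT) : "";
    }

    /** Finding when the display name claims an address whose domain differs from the real sender's domain. */
    static List<String> checkFrom(String fromHeader) {
        List<String> findings = new ArrayList<>();
        Matcher m = FROM.matcher(fromHeader);
        if (!m.matches()) return findings;           // bare addresses without a display name are not checked here
        Matcher claimed = EMAIL_IN_TEXT.matcher(m.group(1));
        if (claimed.find()) {
            String claimedDomain = claimed.group(1).toLowerCase(Locale.ROOT);
            String realDomain = domainOfAddress(m.group(2));
            if (!claimedDomain.equals(realDomain)) {
                findings.add("sender: display name claims " + claimedDomain
                        + " but the message is from " + realDomain);
            }
        }
        return findings;
    }

    /** Finding for each link whose visible text shows one host while the href goes to another. */
    static List<String> checkLinks(String htmlBody) {
        List<String> findings = new ArrayList<>();
        Matcher a = ANCHOR.matcher(htmlBody);
        while (a.find()) {
            String href = a.group(1);
            String text = a.group(2).replaceAll("<[^>]+>", "").trim(); // strip nested tags
            String shownHost = hostOf(text);
            if (!shownHost.isEmpty() && !shownHost.equals(hostOf(href))) {
                findings.add("link: text shows " + shownHost + " but href goes to " + hostOf(href));
            }
        }
        return findings;
    }

    public static void main(String[] args) {
        // Constructed sample message; all domains are placeholders for the example.
        String from = "\"alerts@health-agency.example\" <update@covid-relief-alerts.test>";
        String body = "<p>Urgent guidance for clinicians:</p>"
                + "<a href=\"https://health-agency.example.covid-relief-alerts.test/login\">"
                + "https://www.health-agency.example/coronavirus</a>"
                + "<a href=\"https://www.health-agency.example/faq\">Click here</a>"; // consistent link, not flagged
        List<String> findings = new ArrayList<>(checkFrom(from));
        findings.addAll(checkLinks(body));
        findings.forEach(System.out::println); // two findings: the spoofed sender and the mismatched first link
    }
}
```

The checks are deliberately narrow: they only fire when the visible text itself looks like an address or a host, which is exactly the case where a reader is being invited to trust what they see rather than where the message actually leads. A display name that merely says "Health Department" with no address in it is not flagged by this code and still needs the human inspection the text recommends.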
If employees were quickly moved to work in the home setting, it’s possible security and privacy took a back seat to operations. Employees simply may not be familiar with the necessary protections required for working in a new environment. While employees’ use of virtual private networks (VPNs) to reach facility network resources addresses most security concerns, Microsoft warns that hackers are seeking vulnerabilities in network devices like gateway and VPN appliances, having particular success with a ransomware campaign known as REvil (or Sodinokibi). Healthcare organizations that use VPNs should refer to guidance from the Department of Homeland Security to secure their VPN and network infrastructures.
Many physicians now relying on online video conferencing tools could inadvertently give an unauthorized person the ability to enter a patient visit. The National Institute of Standards and Technology (NIST) has recently published guidance on protecting virtual meetings from eavesdroppers. Major platforms like Zoom are rapidly addressing both security and privacy concerns through software updates and default configuration changes. Physician practices utilizing a telemedicine vendor in response to the pandemic will want to have a business associate agreement in place with the conferencing platform vendor to maintain safety and privacy.
If a physician practice is concerned about data security and privacy on mobile devices, this technology actually has some inherent advantages over desktop access. As long as sensitive patient data is only retrieved from the cloud when needed, and never stored on the device, other apps—malicious ones included—can't access it. This is often the case with mobile apps that are basically streamlined, mobile extensions of full web-based, SaaS applications and leverage many of the same APIs. When it’s necessary or useful for mobile apps to store sensitive data on the device itself, physician practices can use built-in security mechanisms provided by the mobile OS, such as the Keychain on iOS and the Keystore on Android, to enable secure storage of encryption keys and other “secrets” that can be used to securely encrypt sensitive patient data.
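To make the Android half of that recommendation concrete, here is an added example, written for this page rather than taken from the article or from any AdvancedMD app, of encrypting a patient record at rest with an AES-256-GCM key that is generated inside the Android Keystore and never exported to the app. The key alias `patient-record-key` and the class name are assumptions chosen for the example; the Keystore and `javax.crypto` calls are the standard Android framework APIs.

```java
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;

import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Encrypts data at rest with a key held in the Android Keystore. Added example, not the article's code. */
public final class PatientRecordVault {
    private static final String KEYSTORE_PROVIDER = "AndroidKeyStore";
    private static final String KEY_ALIAS = "patient-record-key"; // hypothetical alias for this example
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;

    /** Returns the app's record key, generating it inside the Keystore on first use. */
    static SecretKey getOrCreateKey() throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE_PROVIDER);
        ks.load(null);
        KeyStore.Entry existing = ks.getEntry(KEY_ALIAS, null);
        if (existing instanceof KeyStore.SecretKeyEntry) {
            return ((KeyStore.SecretKeyEntry) existing).getSecretKey();
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE_PROVIDER);
        kg.init(new KeyGenParameterSpec.Builder(KEY_ALIAS,
                        KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
                .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
                .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
                .setKeySize(256)
                // .setUserAuthenticationRequired(true) would additionally tie use of the key to device unlock
                .build());
        return kg.generateKey(); // key material is created and kept inside the Keystore
    }

    /** Output layout: 12-byte IV || ciphertext || 16-byte GCM tag (the cipher appends the tag). */
    static byte[] encrypt(String plaintext) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        // Keystore keys require the Keystore to pick a fresh random IV, so none is passed in here.
        cipher.init(Cipher.ENCRYPT_MODE, getOrCreateKey());
        byte[] iv = cipher.getIV();
        byte[] ciphertext = cipher.doFinal(plaintext.getBytes(StandardCharsets.UTF_8));
        byte[] out = new byte[iv.length + ciphertext.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ciphertext, 0, out, iv.length, ciphertext.length);
        return out;
    }

    /** Throws javax.crypto.AEADBadTagException if the stored blob was modified. */
    static String decrypt(byte[] blob) throws Exception {
        Cipher cipher = Cipher.getInstance("AES/GCM/NoPadding");
        GCMParameterSpec spec = new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES);
        cipher.init(Cipher.DECRYPT_MODE, getOrCreateKey(), spec);
        byte[] plaintext = cipher.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
        return new String(plaintext, StandardCharsets.UTF_8);
    }

    /** Usage inside an app: persist the returned bytes, never the plaintext. */
    static byte[] storeRecordExample() throws Exception {
        String constructedRecord = "{\"patientId\":\"EXAMPLE-0001\",\"note\":\"constructed sample\"}";
        byte[] blob = encrypt(constructedRecord);
        assert decrypt(blob).equals(constructedRecord);
        return blob;
    }
}
```

Because the key is generated with the `AndroidKeyStore` provider, the app only ever holds a handle to it; on devices with a hardware-backed keystore the raw key bytes are not readable even by the app itself, which is the property the text is pointing at. The GCM tag gives integrity as well as confidentiality, so a tampered record fails to decrypt rather than silently yielding altered data.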
As healthcare continues to weather this storm, physician practices will continue reviewing their security and privacy protocols impacted by today’s unusual circumstances. By identifying weaknesses and bolstering safety strategies in response, patients and employees can remain safe despite evolving risks.
Troy Young is the chief technology officer at AdvancedMD and has served in various leadership positions since 2000. He is passionate about leading high-performing technology teams to drive next-level business growth. Young has about 30 years of IT experience and 27 years in healthcare IT. He has been a key contributor in the creation and growth of AdvancedMD from start-up to more than 37,000 physician practices nationwide, placing emphasis on helping private physicians create more efficient practices.