Earlier this year, William Scalf, MD, and John Bizon, MD, had the unfortunate experience of being the first physicians known to close their practice because of a cyberattack. Hit with ransomware that encrypted their electronic health records (EHR) and demanded payment to unlock them, the co-owners of Michigan-based Brookside ENT & Hearing Services chose to retire early rather than pay the ransom to get their data back, according to media reports.
Some physicians may have a false sense of security that their practice is too small to be a target, but according to 2017 research from the American Medical Association and Accenture, 83 percent of U.S. physicians have experienced some form of a cybersecurity attack, with phishing cited by more than half (55 percent) of physicians who experienced an attack.
Phishing attacks involve hackers sending e-mails purporting to be from reputable companies in the hope that the recipient will reveal personal information, such as passwords and credit card numbers, or click on links that install malware. A spear-phishing attack is more sophisticated in that hackers research and target specific individuals. For instance, savvy hackers might send what looks like a valid invoice from a vendor your practice regularly works with.
Although phishing e-mails are common, there are other ways hackers search for vulnerabilities. “While it is true that hackers may be looking at larger health systems, they are scanning (any open) ports and public IP addresses on the internet,” says Nick LaVerde, chief technology officer at My IT, an IT services provider based in Metairie, La. “When they find an open port, they are going to start playing with it, and if they get in and see patient data, you’re breached. They have the data at that point and can encrypt it and demand ransom.”
While some physicians wrongly think they are too small to target, others may think they don’t have enough resources to defend themselves. Worse yet, some may assume their contracted provider of IT services is handling all their cybersecurity issues. Consultants who work with small practices say there are several steps you can take to protect your business and safeguard patients’ data.
Here are eight things your office can start doing today to improve your security stance:
1. Inventory assets
The first step in any risk assessment is to inventory your hardware and software. Your data is your core asset, so it is important to understand where it is in order to protect it, says Mike Owens, a consultant with Cleveland-based Eagle Consulting Partners, Inc. “Sometimes small practices have a vague sense of a few computers over here and a few over there, but if you ask them what operating system they are running, they tend not to know,” he adds. “They don’t know if their systems are patched or if the operating system is out of date and not getting security updates.” Having a simple spreadsheet with all your hardware and software assets listed is a good first step.
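The inventory step above, as an added example that is not the article's or the quoted consultants' own work: a PowerShell script that builds the hardware/software inventory spreadsheet for a small office of Windows PCs and flags machines whose operating system is out of support or that have not received a patch recently. It assumes PowerShell remoting (WinRM) is enabled on each PC, that it runs as an account that is a local administrator on all of them, and the computer names are constructed.

```powershell
# Added example: build an asset inventory CSV for the practice's Windows PCs.
# Assumes WinRM is enabled on each PC and this runs as a local administrator.
$Computers = @('FRONTDESK-PC', 'EXAMROOM1-PC', 'BILLING-PC')   # constructed names
$OutFile   = "$env:USERPROFILE\Desktop\asset-inventory.csv"
$StaleDays = 30   # no hotfix installed in this many days => flag as stale

$Inventory = foreach ($pc in $Computers) {
    $row = [ordered]@{
        Computer = $pc; Reachable = $false; Manufacturer = ''; Model = ''; OS = ''
        OSVersion = ''; Unsupported = ''; LastPatch = ''; PatchStale = ''; InstalledApps = ''
    }
    try {
        $os = Get-CimInstance Win32_OperatingSystem -ComputerName $pc -ErrorAction Stop
        $hw = Get-CimInstance Win32_ComputerSystem  -ComputerName $pc -ErrorAction Stop
        # Most recent hotfix with a known install date, if any.
        $last = Get-HotFix -ComputerName $pc -ErrorAction Stop |
                Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
        # Installed programs as Windows lists them under Programs and Features.
        $apps = Invoke-Command -ComputerName $pc -ErrorAction Stop -ScriptBlock {
            Get-ItemProperty 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
                             'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*' -ErrorAction SilentlyContinue |
                Where-Object DisplayName | Select-Object -ExpandProperty DisplayName | Sort-Object -Unique
        }
        $row.Reachable    = $true
        $row.Manufacturer = $hw.Manufacturer
        $row.Model        = $hw.Model
        $row.OS           = $os.Caption
        $row.OSVersion    = $os.Version
        # NT 6.1 and older = Windows 7 / Server 2008 R2 and earlier; Microsoft's
        # extended support for Windows 7 ended on 14 January 2020.
        $row.Unsupported  = [version]$os.Version -lt [version]'6.2'
        $row.LastPatch    = if ($last) { $last.InstalledOn.ToString('yyyy-MM-dd') } else { 'unknown' }
        $row.PatchStale   = (-not $last) -or ($last.InstalledOn -lt (Get-Date).AddDays(-$StaleDays))
        $row.InstalledApps = $apps -join '; '
    } catch {
        Write-Warning "$pc could not be inventoried: $($_.Exception.Message)"
    }
    [pscustomobject]$row
}

$Inventory | Export-Csv -Path $OutFile -NoTypeInformation
# Short review list: unreachable, unsupported, or stale machines to look at first.
$Inventory | Where-Object { -not $_.Reachable -or $_.Unsupported -eq $true -or $_.PatchStale -eq $true } |
    Format-Table Computer, OS, LastPatch, Unsupported, PatchStale, Reachable -AutoSize
```

The CSV it writes is the spreadsheet the consultant describes; an unreachable machine is itself a finding, since it is either off the network or not managed.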
2. Secure mobile devices
LaVerde says his firm sees a lot of practices that don’t enforce e-mail policies. “Staff members will put their e-mail on their iPhone because it is easy,” he says. “That person is walking around with the data on their phone, and the practice has no idea. If they lose that phone and it doesn’t have a passcode, that data is vulnerable. If nothing else, (practices) should have a written mobile device policy.”
3. Strengthen passwords
At some small physician practices, employees share the same password for every login. But if your practice uses a cloud-based EHR, the login page is on the internet where potentially anybody could touch it, so your password strength becomes critical, Owens says.
Consultants say that having strong password policies is a signal to employees that you take security seriously. Consultant Chris Apgar, CEO of Apgar and Associates in Portland, Ore., suggests that passwords should be at least 8 to 10 characters long and contain a mix of upper- and lower-case letters, numbers and symbols. It’s also important to force employees to change their passwords regularly. He stresses that these rules should apply to logins for operating systems, EHRs and wireless networks.