Cybercrime is a threat to even the smallest of practices, here are six ways to prevent criminals from accessing your patients' data.
The "bad guys" are no longer limited to gangs that roam the streets with chains and backward baseball caps. These days, they may wear thick glasses and are likely to be part of an organized cybercrime group featuring a team of hackers, coders, con artists, and sophisticated networks of money launderers. And recently, they've gone after healthcare providers.
The main reason these criminals target medical practices is to gain access to credit card numbers, Social Security numbers, email addresses, bank account information, and birth dates, experts say. "With all of this information available, they can take over a patient's existing financial accounts or open new accounts and make charges," explains Robert Siciliano, CEO, IDTheftSecurity.com, Boston, Mass. "With an email address alone, these criminals can phish patients to obtain additional information."
Diana L. Burley, PhD, executive director of the Institute for Information Infrastructure Protection, a national consortium that analyzes complex cybersecurity problems, and professor of human and organizational learning, The George Washington University, Washington, D.C., says small businesses such as medical practices are prime targets because they are often less secure than their larger counterparts. This may be due to their technical defenses not being as robust and personnel being unaware of threats.
In light of this, Chris Richter, senior vice president, Global Security Services Level 3 Communications, a healthcare network service provider in Broomfield, Colo., says humans are the weakest link when it comes to cybersecurity. He points to the most recent Benchmark Study on Privacy & Security of Healthcare Data by the Ponemon Institute, which found that the health industry remains "negligent in the handling of patient information." Ponemon notes that external threats are the leading cause of security incidents specifically, and reports that healthcare organizations find dealing with data breaches challenging because there are many possible root causes. Fifty percent of healthcare organizations reported the root cause of a breach was a criminal attack, 41 percent of respondents said it was caused by a third-party snafu, and 39 percent of respondents said it was due to a stolen computing device.
So how can practices protect themselves from these thieves? Here are six tips from cybersecurity experts.
Employ Technical Controls
At minimum, an IT security framework should include deploying technical controls - which may include firewalls, desktop antivirus software, antivirus software on email servers, antivirus and anti-malware protection on employee inboxes, and content filtering for the Internet and email. "An IT team should update software as appropriate, patch all devices as often as possible, and perform vulnerability scans that can detect potential weaknesses," says Jorge Rey, chief information security officer and director of information security and compliance at Kaufman Rossin, a certified public accounting and advisory firm in Miami, Fla.
Regarding the Internet, Jordan Stivers, a healthcare and privacy attorney with the law firm Bradley Arant Boult Cummings LLP, in Nashville, Tenn., explains that a firewall protects against intrusions and threats from outside sources. A software firewall (as opposed to a hardware firewall - which usually requires technical expertise to configure) is typically more appropriate for small physician practices. Experts say a hardware firewall is a physical piece of hardware that protects a computer on the corporate network for which it is installed. Software firewalls are included with some popular operating systems and are also available from computer security vendors, including most suppliers of anti-virus software. They are installed on an individual's computer or workgroup server, and usually come with technical support and guidance on how to successfully configure it without technical expertise.
Use Strong Passwords
Don't be lazy when it comes to creating passwords and have your staff follow this rule. Do not use the same password for work and personal accounts. Strong passwords should not include personal information such as your birth date, name, family member or pet names, Social Security number, or anything else that thieves could easily acquire. If a piece of information is on a social networking site, don't use it for a password. Staff should not log into Facebook, Gmail or other personal accounts from a work computer. In addition, don't write down passwords and leave them where someone else can see them, experts say.
Gaurav Jain, vice president, Information Systems, IKS Health, New York, N.Y., advises changing passwords every 90 days. Strong passwords have eight characters or more and use a combination of letters, numbers, and symbols. If you notice anything suspicious, the first precaution to take is to reset the password.
Not all employees need access to sensitive information. As a healthcare organization, you need to think about not only protecting your practice's financial and operational data, but also any patient data that is considered protected health information (PHI) under HIPAA, Rey says. Penalties for violating HIPAA can be severe, such as fines exceeding $1 million. The more employees who have access to PHI, the greater the risk that it could be compromised. Assign user account access for your IT systems based on a least-privilege model. In other words, grant each employee access to information only on an as-needed basis. For example, a receptionist most likely does not need the same level of access as a physician.
Send Emails Securely
If it is not feasible for your practice to have encrypted email, which Stivers highly recommends, you could password protect documents containing PHI or prohibit the transmission of PHI via unsecured email, using mail or fax instead. Use spam and malware filters to help block phishing and other attacks.
Secure Mobile Devices
Many risks exist with mobile devices that store or transmit PHI, such as laptops or smartphones on which you may access work email or other information, says Stivers. “Any PHI on a mobile device should be encrypted,” she says. “Install personal firewall software on all laptops that store or access electronic PHI (ePHI) or connect to networks on which ePHI is accessible. Also install, use, and regularly update virus-protection software on all portable or remote devices that access ePHI. Password protect all mobile devices, and if feasible, implement two-factor authentication (i.e., where you have to answer security questions or another step in addition to entering a password).”
Require Employee Training
A practice can implement sophisticated technological defenses and develop robust security policies, but if employees are not trained to avoid risky behavior, their efforts will be in vain, Burley says. Common risky employee behaviors include accessing public Wi-Fi, sharing passwords, using generic thumb drives to transfer confidential information, leaving password protected files unlocked, leaving devices unattended, and failing to notify managers about lost or stolen devices.
Small businesses must prepare their personnel through cybersecurity awareness programs that not only introduce them to the threat environment, but also help them understand the risks of different decisions and motivate behavioral changes, says Burley. Employee education should span all levels and positions in the practice.
Oli Thordarson, CEO and founder, Alvaka Networks, Irvine, Calif., points out that it's important to regularly cover safe user practices. "If you set the culture that security is important, employees will behave like it is important. If you ignore the topic, they will too," he says.