Don’t be lulled into a false sense of security. Take action to protect your practice and your patients’ data against cyberattacks and data breaches.
Earlier this year, William Scalf, MD, and John Bizon, MD, had the unfortunate experience of being the first physicians known to close their practice because of a cyberattack. Hit with ransomware that encrypted their electronic health records (EHR) and demanded payment to unlock them, the co-owners of Michigan-based Brookside ENT & Hearing Services chose to retire early rather than pay the ransom to get their data back, according to media reports.
Some physicians may have a false sense of security that their practice is too small to be a target, but according to 2017 research from the American Medical Association and Accenture, 83 percent of U.S. physicians have experienced some form of a cybersecurity attack, with phishing cited by more than half (55 percent) of physicians who experienced an attack.
Phishing attacks involve hackers sending e-mails purporting to be from reputable companies in the hope that the recipient will reveal personal information, such as passwords and credit card numbers, or click on links that download malware. A spear-phishing attack is more sophisticated in that hackers research and target specific individuals. For instance, savvy hackers might send what looks like a valid invoice from a vendor your practice regularly works with.
Although phishing e-mails are common, there are other ways hackers search for vulnerabilities. “While it is true that hackers may be looking at larger health systems, they are scanning (any open) ports and public IP addresses on the internet,” says Nick LaVerde, chief technology officer at My IT, an IT services provider based in Metairie, La. “When they find an open port, they are going to start playing with it, and if they get in and see patient data, you’re breached. They have the data at that point and can encrypt it and demand ransom.”
While some physicians wrongly think they are too small to target, others may think they don’t have enough resources to defend themselves. Worse yet, some may assume their contracted provider of IT services is handling all their cybersecurity issues. Consultants who work with small practices say there are several steps you can take to protect your business and safeguard patients’ data.
Here are eight things your office can start doing today to improve your security stance:
The first step in any risk assessment is to inventory your hardware and software. Your data is your core asset, so it is important to understand where it is in order to protect it, says Mike Owens, a consultant with Cleveland-based Eagle Consulting Partners, Inc. “Sometimes small practices have a vague sense of a few computers over here and a few over there, but if you ask them what operating system they are running, they tend not to know,” he adds. “They don’t know if their systems are patched or if the operating system is out of date and not getting security updates.” Having a simple spreadsheet with all your hardware and software assets listed is a good first step.
LaVerde says his firm sees a lot of practices that don’t enforce e-mail policies. “Staff members will put their e-mail on their iPhone because it is easy,” he says. “That person is walking around with the data on their phone, and the practice has no idea. If they lose that phone and it doesn’t have a passcode, that data is vulnerable. If nothing else, (practices) should have a written mobile device policy.”
At some small physician practices, employees share the same password for every login. But if your practice uses a cloud-based EHR, the login page is on the internet where potentially anybody could touch it, so your password strength becomes critical, Owens says.
Consultants say that having strong password policies is a signal to employees that you take security seriously. Consultant Chris Apgar, CEO of Apgar and Associates in Portland, Ore., suggests that passwords should be at least 8 to 10 characters long and contain a mix of upper- and lower-case letters, numbers and symbols. It’s also important to force employees to change their passwords regularly. He stresses that these rules should apply to logins for operating systems, EHRs and wireless networks.
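The password rules above can be turned into a check that runs at onboarding or whenever staff set a new password. The following is an added example, not code from the article or from any of the consultants quoted in it; it assumes a 10-character minimum (the article gives a range of 8 to 10) and a 90-day rotation period, which the article leaves as "regularly", and both are parameters so a practice can set its own values.

```python
"""Check a password against the complexity and rotation rules described
in the article. Added example; the 10-character minimum and 90-day
maximum age are assumptions chosen for this illustration."""
import re
from datetime import date, timedelta

MIN_LENGTH = 10     # article: at least 8 to 10 characters; 10 used here
MAX_AGE_DAYS = 90   # article: change passwords "regularly"; 90 days assumed

# Each rule is (description, regular expression that must match).
CHARACTER_RULES = [
    ("no lower-case letter", re.compile(r"[a-z]")),
    ("no upper-case letter", re.compile(r"[A-Z]")),
    ("no digit", re.compile(r"[0-9]")),
    ("no symbol", re.compile(r"[^A-Za-z0-9]")),
]


def check_password_policy(password, min_length=MIN_LENGTH):
    """Return the list of rules the password fails.

    An empty list means the password meets the length and character-mix
    requirements. Failures are reported in a fixed order so that callers
    can show the user exactly what to fix."""
    failures = []
    if len(password) < min_length:
        failures.append(f"shorter than {min_length} characters")
    for description, pattern in CHARACTER_RULES:
        if not pattern.search(password):
            failures.append(description)
    return failures


def password_expired(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """True when the password is older than the rotation period."""
    return today - last_changed > timedelta(days=max_age_days)


def main():
    # Constructed sample values for a stand-alone run.
    for candidate in ("password", "Tr0ub4dor&3xample"):
        problems = check_password_policy(candidate)
        status = "OK" if not problems else "; ".join(problems)
        print(f"{candidate!r}: {status}")
    today = date(2019, 10, 1)
    for last_changed in (date(2019, 6, 1), date(2019, 9, 1)):
        print(f"changed {last_changed}: expired={password_expired(last_changed, today)}")


if __name__ == "__main__":
    main()
```

The same function can be applied to the operating system, EHR and wireless network logins the article lists, since it only looks at the password string and the date it was last changed.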
Medical professionals and office staff benefit from regular training on good security and privacy practices, both to help prevent attacks and to respond appropriately if something goes wrong. Employees need to know what to do if it looks like malware has been downloaded. “Don’t forward it to everyone in the office saying, ‘Gee this looks weird,’” Owens says. “People can recognize simple things like how to know whether you are on a secure internet connection or not with ‘https.’”
Managed service providers often offer simulated phishing campaigns, a form of penetration testing that covertly tests staff awareness of cybersecurity. Employees who click on the link are directed to training on what to look for when judging whether an e-mail is potentially malicious.
Consultants commonly advise practices to put encryption on all their devices and upgrade operating system and browser software. Windows XP and Internet Explorer can still be found on work machines even though those programs are no longer maintained by Microsoft and haven’t received security updates from Microsoft for years, Apgar notes. Many practices are still running Windows 7, which Microsoft will stop offering extended support for in January 2020. “It is time for everybody to upgrade to Windows 10,” he says.
Unlike the router you use for internet and TV service at home, a commercial-grade firewall can filter internet traffic and compare it against blacklists of known malicious and spoofed websites. “The main point is for people trying to come into your network from the outside, it is a much bigger wall,” Owens says.
Firewalls also allow network administrators to customize a practice’s security protocols regarding web browsing and e-mail communication to create a tailored experience for each user on the network.
Make sure your software is being updated on a regular basis, and evaluate the physical security of your computers and office. (Criminals can steal data by breaking a window and taking the computer, too.) If you have a file server in your office, the responsibility for keeping all networks buttoned up falls more squarely on the practice.
Owens recommends applying patches and security updates at least monthly for operating systems, browsers, Adobe products and Java. That applies to software or firmware updates to medical devices, too.
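The inventory spreadsheet Owens describes, the unsupported Windows XP and Windows 7 machines Apgar warns about, and the monthly patch cadence above come together in one review: read the inventory and flag every device whose operating system is out of support, is approaching its end-of-support date, or has not been patched within the last 30 days. The script below is an added example, not code from the article or from either consulting firm. It assumes the inventory is kept as a CSV with the columns shown in the constructed sample; the Windows XP and Windows 7 end-of-support dates are Microsoft's published dates (the article cites January 2020 for Windows 7), and the 180-day warning horizon is an assumption.

```python
"""Review a practice's asset inventory for unsupported operating systems
and overdue patching. Added example; CSV layout, sample devices and the
180-day warning horizon are assumptions for this illustration."""
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample inventory: one row per device, as a practice might
# keep it in a spreadsheet exported to CSV.
SAMPLE_INVENTORY = """\
hostname,owner,os,os_version,last_patched,role
FRONTDESK-1,front desk,Windows,10,2019-09-14,workstation
EXAM-2,Dr. Example,Windows,7,2019-06-02,workstation
BILLING-1,billing,Windows,XP,2015-01-10,workstation
FILESRV,practice,Windows Server,2016,2019-09-20,file server
AUDIO-1,audiology,Windows,7,,medical device PC
"""

# End of extended support per OS. None means no end date is recorded for
# this review (still supported at the time of the article).
END_OF_SUPPORT = {
    ("Windows", "XP"): date(2014, 4, 8),
    ("Windows", "7"): date(2020, 1, 14),
    ("Windows", "10"): None,
    ("Windows Server", "2016"): None,
}

PATCH_WINDOW = timedelta(days=30)      # article: patch at least monthly
WARNING_HORIZON = timedelta(days=180)  # assumption: warn six months ahead


def parse_inventory(text):
    """Parse CSV text into a list of dicts, one per device."""
    return list(csv.DictReader(io.StringIO(text)))


def review_inventory(rows, today):
    """Return (hostname, finding) tuples for every device needing attention."""
    findings = []
    for row in rows:
        host = row["hostname"]
        key = (row["os"], row["os_version"])
        if key not in END_OF_SUPPORT:
            findings.append((host, "unknown OS, cannot assess support status"))
        else:
            eos = END_OF_SUPPORT[key]
            if eos is not None and eos <= today:
                findings.append((host, f"{key[0]} {key[1]} unsupported since {eos}"))
            elif eos is not None and eos - today <= WARNING_HORIZON:
                findings.append((host, f"{key[0]} {key[1]} support ends {eos}"))
        # Patch status: a blank date is itself a finding, as is a stale one.
        if not row["last_patched"]:
            findings.append((host, "no patch date recorded"))
        else:
            patched = datetime.strptime(row["last_patched"], "%Y-%m-%d").date()
            age = today - patched
            if age > PATCH_WINDOW:
                findings.append((host, f"last patched {patched}, {age.days} days ago"))
    return findings


def main():
    today = date(2019, 10, 1)  # fixed date so the sample run is reproducible
    for host, finding in review_inventory(parse_inventory(SAMPLE_INVENTORY), today):
        print(f"{host}: {finding}")


if __name__ == "__main__":
    main()
```

Run against the sample with the review date fixed at 1 October 2019, the two Windows 7 machines are flagged for the approaching end of support, the Windows XP billing workstation is flagged as already unsupported, and every device without a patch in the last 30 days (or with no recorded patch date at all, such as the medical device PC) is listed, while the current workstation and file server produce no findings.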
For smaller practices that outsource their IT tasks to managed services providers (MSPs), it’s a big mistake to assume that the MSP is taking care of everything when it may not be. “There is this assumption the MSP is doing all this, but sometimes it is not in the contract,” Apgar says.
One of his client practices was breached, and the physician assumed that the MSP was regularly looking at firewall logs. “The MSP responded by saying, ‘If you want me to regularly look at your logs, here is the fee.’” Make it clear to both sides which services are being provided and which are not.
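The firewall logs nobody was reading in that story, and the scanning of exposed ports LaVerde describes earlier, are exactly what a routine log review is for. The script below is an added example, not code from the article or from any firm quoted in it: it parses firewall log lines in a simplified, constructed format (real appliances each have their own), flags an external address that was denied on many different inbound ports, which is the pattern a port scan leaves behind, and flags any internal host that reached out to an address on a blocklist, the kind of list a commercial firewall compares traffic against. The addresses and the blocklist entry are constructed documentation-range values; the five-port threshold is an assumption.

```python
"""Review constructed firewall log lines for inbound port scans and for
internal hosts contacting blocklisted addresses. Added example; the log
format, sample addresses, blocklist and threshold are assumptions."""
import re
from collections import defaultdict

# Simplified, constructed log format (one event per line).
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ALLOW|DENY) (?P<dir>in|out) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

# Constructed sample: 203.0.113.7 probes six ports on the practice's public
# address, a second host is denied once, and an internal workstation makes
# two outbound connections, one of them to a blocklisted address.
SAMPLE_LOG = """\
2019-10-01T08:00:01 DENY in src=203.0.113.7 dst=192.0.2.10 dport=21 proto=tcp
2019-10-01T08:00:02 DENY in src=203.0.113.7 dst=192.0.2.10 dport=22 proto=tcp
2019-10-01T08:00:02 DENY in src=203.0.113.7 dst=192.0.2.10 dport=23 proto=tcp
2019-10-01T08:00:03 DENY in src=203.0.113.7 dst=192.0.2.10 dport=445 proto=tcp
2019-10-01T08:00:04 DENY in src=203.0.113.7 dst=192.0.2.10 dport=3389 proto=tcp
2019-10-01T08:00:05 DENY in src=203.0.113.7 dst=192.0.2.10 dport=8080 proto=tcp
2019-10-01T08:02:30 DENY in src=203.0.113.90 dst=192.0.2.10 dport=443 proto=tcp
2019-10-01T08:05:10 ALLOW out src=192.0.2.25 dst=198.51.100.44 dport=443 proto=tcp
2019-10-01T08:05:11 ALLOW out src=192.0.2.25 dst=198.51.100.10 dport=443 proto=tcp
2019-10-01T08:10:00 firewall: configuration reloaded
"""

BLOCKLIST = {"198.51.100.44"}   # constructed entry standing in for a real feed
SCAN_PORT_THRESHOLD = 5         # assumption: distinct denied ports per source


def parse_log(text):
    """Return a list of event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LOG_RE.match(line.strip())
        if match:
            event = match.groupdict()
            event["dport"] = int(event["dport"])
            events.append(event)
    return events


def find_port_scans(events, threshold=SCAN_PORT_THRESHOLD):
    """Map each external source that was denied on >= threshold distinct
    inbound ports to the sorted list of ports it probed."""
    ports_by_src = defaultdict(set)
    for event in events:
        if event["dir"] == "in" and event["action"] == "DENY":
            ports_by_src[event["src"]].add(event["dport"])
    return {src: sorted(ports) for src, ports in ports_by_src.items()
            if len(ports) >= threshold}


def find_blocklist_hits(events, blocklist=BLOCKLIST):
    """Return (timestamp, internal source, destination) for outbound
    connections to blocklisted addresses; these point at an internal host
    worth examining, whatever the firewall's verdict was."""
    return [(e["ts"], e["src"], e["dst"]) for e in events
            if e["dir"] == "out" and e["dst"] in blocklist]


def main():
    events = parse_log(SAMPLE_LOG)
    for src, ports in find_port_scans(events).items():
        print(f"possible scan from {src}: ports {ports}")
    for ts, src, dst in find_blocklist_hits(events):
        print(f"{ts} internal host {src} contacted blocklisted {dst}")


if __name__ == "__main__":
    main()
```

Whether the practice or the MSP runs a review like this is precisely the point of Apgar's story: the check is cheap, but only if someone has agreed in writing to perform it.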
Above all, physician practices need to assess their vulnerabilities, discuss with those in charge of IT which tasks and services are being provided and who is responsible for what, and document it in writing.
David Raths is a freelance technology writer based in Philadelphia.