How ambulatory care practices can reduce cybersecurity risk

By making strategic yet affordable investments and undertaking specific basic measures, smaller practices can make great strides to strengthen their defenses.

When it comes to cybercrime, the healthcare sector has one of the biggest targets on its back. Due to the high value of patient data on the dark web, growth in connected devices, a lack of resources within practices focused on cybersecurity, and distractions associated with the COVID-19 pandemic, healthcare organizations have become more vulnerable to costly, damaging cyberattacks.

Small- and mid-sized ambulatory care practices arguably face the most challenges, given their limited staff and capacity, full patient appointment schedules, and financial constraints. Large health systems and hospitals, by contrast, typically have several IT team members dedicated solely to cybersecurity.

An August 2021 report from CyberMDX showed that the average cost of a shutdown caused by a cyber incident exceeds $45,700 per hour for smaller organizations, with an average shutdown time of 10 hours, compared to $21,500 per hour and an average of 6.2 hours of downtime for larger healthcare institutions. During the first half of the year, ambulatory care practices, including family medicine and specialty clinics, were targeted nearly as often as hospitals, according to analysis of Department of Health and Human Services data.

Growing Cybersecurity Risks and Costs

As everyone's eyes turned toward pandemic response in 2020, cybercriminals focused on healthcare. Early last year, 79% of healthcare data breaches were the result of cyberattacks. The pace ramped up even more in November and December of 2020 with a 45% increase in healthcare cyberattacks.

Cybersecurity Ventures projects that healthcare will suffer two to three times more cyberattacks in 2021 than other industries.

These predictions are holding true, with ransomware among the top threats. By May 2021, Conti ransomware alone had infected more than 290 healthcare organizations, gaining access through malicious links, infected attachments, or stolen Remote Desktop Protocol (RDP) credentials.

Phishing attacks are gaining steam as well, given how heavily practices rely on email and other cloud communications. The Department of Health and Human Services noted that 42% of breaches in 2020 involved email. These statistics are staggering, but not surprising considering the lack of resources put toward cybersecurity, which accounts for only 6% or less of total IT spend.

Cyberattacks against healthcare are typically very lucrative for criminals. According to Experian, patients’ full medical records can sell on the dark web for up to $1,000 per patient, compared to credit cards and Social Security numbers, which go for about $5 and $1 each, respectively.

5 Steps to Building a Stronger Cybersecurity Foundation

Small and mid-sized ambulatory care providers may feel hindered by a lack of staff, expertise, money, and time, leaving no room for dedicated cybersecurity personnel. Despite these obstacles, cybersecurity should not be viewed as a sacrifice.

Here's a look at five basic steps these practices can take to lessen the risk of cyberattacks:

  • Conduct an annual HIPAA cyber risk assessment – Given the evolving threats and constant change, practices should engage a third-party consulting firm to help identify potential risks and weaknesses, propose remediations, and recommend how to stay HIPAA compliant.
  • Turn to the experts for day-to-day protection – Smaller, busy practices are unlikely to have an IT team, and their employees typically lack the IT expertise or the time to keep up with the latest threats and vulnerabilities. Consider relying on experts from managed services organizations not only for assessments, but also for day-to-day monitoring and carrying out needed security measures.
  • Implement multi-factor authentication – Since compromised accounts are one of the biggest risks, multi-factor authentication helps ensure that only authorized people can access practice and patient information. With the predominance of email phishing schemes in healthcare, it's also important to educate both the workforce and patients about what to look for and how to avoid getting hooked.
  • Leverage existing investments – Practices likely already use tools that include security features. For example, Microsoft Office 365 users often have access to capabilities like Windows Defender and multi-factor authentication for individual accounts. Explore what features and tools are available through existing IT solutions that can enhance security without investing more money with another vendor.
  • Endpoint security – Often still called “anti-virus”, today’s endpoint security tools offer far more protection than that label suggests. Windows Defender is one example, but any reputable vendor's product will greatly increase your security.

Protecting against cyberattacks may seem like an impossible job, particularly as healthcare practices are constrained by limited budgets and overworked employees. But by making strategic yet affordable investments and undertaking specific basic measures, smaller practices can make great strides to strengthen their defenses.

About the Author
Brian Bobo is the chief information and security officer of Greenway Health.