More healthcare organizations - and thus, more patients - are being victimized by cyber criminals. Physician practices are not immune to this threat.
In 2015, a record number of healthcare organizations dealt with major data breaches, exposing the protected health information (PHI) of millions of patients. According to cybersecurity vendor Bitglass (Campbell, Calif.), which analyzed breach records from HHS, roughly one out of three Americans was a victim of a healthcare data breach in 2015.
While most of these breaches occurred at large healthcare organizations - major insurers such as Anthem and Blue Cross Blue Shield, and major health systems such as UCLA Health System - small practices are not immune, says data security expert Mac McMillan, co-founder and CEO of Austin-based consulting firm CynergisTek and Chair of the HIMSS Privacy & Security Policy Task Force. McMillan recently spoke with Physicians Practice managing editor Gabriel Perna on the failing state of data security in healthcare, what physician practices should be concerned about, and whether or not Phase 2 audits are something worth losing sleep over.
Below are excerpts from that interview.
Where do you see data security in 2016?
The threat is clearly a lot worse and is getting worse. The reason it's getting worse at the moment is that the threat community … has pretty much figured out healthcare is not where it needs to be in terms of cyber security preparedness. They're taking advantage of it. We're seeing more and more activity, more ransomware activity, more targeted phishing attacks. It's like anything else: the bad guys go where it's easiest to score a victory. Until healthcare realizes that this is not going away … they're going to be a high-visibility target for those folks.
The information we have is more valuable than it has ever been … and the problem remains that healthcare has not ponied up to invest in information security at a level that will make them more resilient to these threats. The physician community, in one sense, is very vulnerable and, in another, probably a little bit better off. If you are a big-time cyber thief, are you going to go after a physician's office or a large insurance provider that has millions of records? You're going where the money is. You're going after the bigger guy.
But that doesn't mean the little guy can't be hurt by some of those indirect attacks. [Cyber thieves] are looking for anyone with an Internet connection that's not secure. If you look at some of these attacks, a big organization … if they get hit with a ransomware attack, if they have done everything correctly … they can recover from it quickly. On the other hand, a small physician practice that hasn't done a good job backing up its data … if its system gets attacked and compromised by ransomware, it will have no access to its data anymore. That is devastating for a small entity. That's the concern I have for these [smaller practices]: these indirect, malware-delivered types of attacks. The cyber criminals aren't looking for you, but they can find you.
How can practices avoid this fate?
Good blocking and tackling. We make sure that whoever is helping us with our systems is someone we can rely on. Most of these physician practices don’t manage their own systems. Most have it hosted somewhere offsite. That's how it should be. Physicians should treat their data - their systems and EHR - as a service. It should be hosted in a data center where the people managing that system have the wherewithal to do it correctly. When they try to do it on their own, they put themselves at risk.
What are the top changes to regulatory and HIPAA compliance that physician practices have to know about in 2016?
The framework and standards under the Cyber Security Act. No one knows what that looks like [since it hasn't been released yet] … For most physician practices, this will be difficult to get their minds wrapped around.
Also, CMS has announced that at some point meaningful use is going away. But if you peel back the onion, it's not really going away. They are just moving it into the [Merit-based Incentive Payment System program]. The question I have is … what will happen to the privacy and security requirements around EHRs? How will that change?
2016 will have some changes and that’s disruptive to these physician practices. If I were a physician practice, I probably wouldn't do anything until the dust settles on this.
Should practices prepare for a Phase 2 HIPAA audit from HHS' Office of Civil Rights (OCR)?
First of all, you don't want to play that up too much. There are only going to be 224 audits performed. Across the board, there will be 200 desk and 24 comprehensive audits. That 224 encompasses all types of providers. The number of physician practices that will get audited is probably less than 20.
If you are a physician practice looking at those numbers, do you totally ignore it? No. Do I spend time worrying about it? Absolutely not. Whoever is managing their environment from a privacy and security perspective, they should make sure that person is familiar with the OCR audit protocol.