Hackers aren't only targeting large health systems anymore.
Medical practices all over the country are struggling with a truly thorny issue: the risk of a cybersecurity attack. In the past, breaches were less of a concern for smaller practices; hackers seemed content to target large health systems. Unfortunately for those in charge of keeping patient information safe, that’s no longer the case.
Patient data is so valuable — and smaller providers are more vulnerable — that hackers are increasingly targeting physician groups. A report from the cybersecurity firm Critical Insight found that the number of attacks on physician groups rose from 2% of healthcare attacks in the first half of 2021 to 12% in the first half of 2022.
One reason for the increase is the number of attacks that reach EHR systems through business associates (BAs) and other third-party vendors. The BA category accounts for 15% of all breaches, with 74 BA breaches reported to the Office for Civil Rights (OCR) in the first eight months of 2022. Of course, the ramifications (fines, remediation costs, bad publicity, higher cybersecurity insurance premiums and loss of credibility) are the same regardless of whether attackers reached the practice’s data directly or through one of its third parties.
There has also been an overall rise in ransomware breaches, in which attackers hold patient data hostage until a ransom is paid. The Verizon 2022 Data Breach Investigations Report found an almost 13% rise in ransomware, an increase as large as the last five years combined. Ransomware attacks are, of course, especially troubling for medical facilities, forcing them to cancel patient appointments and scramble to treat urgent needs while wondering when their systems will become available.
Many small practices are particularly ill-equipped to deal with a cyberattack. They usually have a small IT staff or outsource that function entirely, and the designated HIPAA security officer is often also the practice administrator and the designated HIPAA privacy officer. Outsourcing IT security isn’t necessarily a bad thing, but an unfolding security incident is not the ideal time to test that relationship for the first time.
The good news
The U.S. Department of Health and Human Services (HHS) is aware of these issues and has been working to provide practices of all sizes with up-to-date cybersecurity information. The Cybersecurity Act of 2015 led to the creation of HHS’s CSA 405(d) program, which aims to help build cybersecurity resiliency across healthcare and public health.
The 405(d) website, launched in 2021, contains a wealth of information, much of it written in layman’s terms. In addition to a section on why cybersecurity matters, there are:
Speaking of OCR, it has a Health Information Privacy section on its website that contains detailed information on the HIPAA Privacy Rule (with guidance), the Security Rule, the Breach Notification Rule (with information on breach reporting), the Patient Safety Rule, HIPAA enforcement, HIPAA and telehealth, and BAs (more on this below). There’s also an FAQ page and a section with free training materials and additional resources.
The other good news
Strong cyber hygiene is the best defense against cyberattacks — and it’s not all that complex. Hygiene-boosting tasks include patching as soon as patches become available, adopting multi-factor authentication, and conducting both an annual risk assessment and regular penetration tests (these often require help from an outside expert).
Although these measures won’t deter the most determined attacker, that isn’t really the point. Most attackers want a fast, easy way into a system. If your network doesn’t offer one, they are likely to abandon the attempt and move on to an easier target.
There are two caveats to this: humans and BAs. The 2022 Verizon report found that 80% of breaches involved the human element in some way (e.g., social engineering, errors, and misuse). Education is the key to protecting against these types of attacks, which is good news in the sense that it can be handled by an outside firm and doesn’t involve complex technology. Phishing attempts get more sophisticated all the time, so ongoing, rather than one-time, training is important. Some practices may want to go as far as hiring a company to run simulated phishing campaigns against their staff, so that those who click the links can be referred for further education.
When it comes to BAs, the first order of business is putting someone in charge of understanding who is a BA, making sure every BA has signed a business associate agreement (BAA), tracking renewals for those agreements, and staying up to date on BA-related regulations. The OCR website is a good resource for this part of the process.
Next, it’s a good idea to scale the due diligence performed on each business associate to the risk that BA could introduce to the organization. Associates with only peripheral links to a covered entity may not need as stringent a review as central BAs that exchange large amounts of protected information on a daily basis. Additionally, vendors can seek certifications from trusted organizations such as EHNAC and HITRUST to demonstrate their commitment to data security and stakeholder trust; such certifications are widely regarded as the strongest available assurance that a vendor’s security policies are in place and being followed.
It’s easy for small practices to become overwhelmed when evaluating cybersecurity risk and working on a strategic plan. A glance at the news shows that cybercrime is a serious issue for healthcare organizations of all sizes. However, with the right resources and a thoughtful plan that leverages the practice’s abilities and uses outside experts to fill in the gaps, lowering a practice’s cybersecurity risk is achievable.
Lee Barrett is Commission Executive Director at DirectTrust, and Michael Parisi is Vice President of Adoption at HITRUST.