Top two cybersecurity threats facing physician practices

March 13, 2020

How you can safeguard your practice and patient information.

There were 3,139 data breaches reported to the U.S. Department of Health and Human Services between 2009 and 2020. Guanglan Zhan, PhD, professor of computer science and coordinator of the health informatics program at Boston University, highlights four themes in that data:

  • Data breaches are trending upward. There were 511 breaches in 2019, 371 in 2018, and 358 in 2017.

  • With 335 data breaches between 2009 and 2020, California is hardest hit. It’s followed by Texas with 276 data breaches and Florida with 192.

  • Hacking/IT incidents are the top cause of data breaches, with 941 such breaches. Theft (893 breaches) and unauthorized access/disclosure (875 breaches) are second and third, respectively.

  • While the vast majority of breaches were reported by healthcare providers (2,287), 430 were reported by business associates.

“Small- to medium-size physician practices are vulnerable to cyberattacks as they often have less expertise in IT technology and limited resources in place,” says Zhan. “Large healthcare organizations often have an IT team, while physician practices might have one IT employee who works part time. Despite this, [practices] need to comply with the same set of rules, [namely,] HIPAA privacy and security rules and state regulations, to safeguard protected health information.” 


Here are two of the top cybersecurity threats facing physician practices and advice on safeguarding the practice and patient information: 


1. Ransomware attacks from external parties

The financial cost of ransomware attacks, in particular, is steep, says Gary Salman, CEO of Katonah, N.Y.-based Black Talon Security, which consults with physician practices on cybersecurity matters. UC Berkeley defines ransomware as malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it. 

Salman says ransomware payments for a single-physician practice average about $30,000. In addition, practices need to account for the cost of systems being down for two to six weeks while they are rebuilt and data is recovered.

IT support companies contracted by physician practices are also targeted for ransomware attacks. In fact, some of Salman’s clients have been shut down for weeks as a result of attacks by hackers on the practice’s IT provider, he says. “In many of these attacks, the hackers hit the doctor’s IT company and used the IT company’s remote-access tools to deploy the ransomware to every computer and server they manage in a [physician’s] office.”


This presents a double challenge to a practice hit by such an attack, since its IT provider can’t support the practice while the provider’s own business is down. “Most IT companies are relatively small and can’t support an attack like this simply because they don’t have enough manpower...to fix thousands of computers that were hit in the strike,” says Salman.

That is why Salman considers penetration testing essential. The National Institute of Standards and Technology describes penetration testing as a test in which assessors attempt to circumvent the security features of a system, using the tools and techniques an attacker would, in order to find its vulnerabilities. Practices must have their networks tested this way, Salman explains, because hackers are already probing physician practices’ networks constantly with the explicit intention of gaining access to them. One caveat: a test scoped to the practice’s own network does not cover the IT provider’s remote-access tools described above, so practices should also ask their provider how that access is protected and who can use it.

Billing insurance companies for services provided to patients is one immediate concern with a ransomware attack, says Michael Morgan, JD, a cybersecurity and data-privacy lawyer with Chicago-based McDermott Will & Emery. Without access to its billing software, due to a ransomware attack, the practice can’t send out bills. 


2. Employee-related cybersecurity threats

Physician practices can also fall prey to cybersecurity threats from disgruntled employees. This could be an employee who believes they were treated poorly or didn’t get the promotion they wanted, explains Jay Wolfson, DrPH, JD, who teaches health law at University of Florida. The employee, angry at their supervisor, then sets out to steal data from the practice.

Limiting access to patients’ clinical information is one proactive strategy for addressing this problem, advises Wolfson. For example, the receptionist and the billing employee don’t need access to patients’ clinical data. Continually reinforcing this policy in quarterly meetings among the leadership team is essential, he says. That’s in addition to educating new managers at the practice during the new employee onboarding process.
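The access split Wolfson describes (front desk and billing staff see demographics and schedules, not clinical notes) is a least-privilege rule, and the practical way to enforce it in a record system is a default-deny check: each role carries an explicit allow list, anything not listed is refused, and refusals are logged so they can be reviewed later. The following is an added example written for this article, not code from the practice-management software or from any person or firm quoted here. The role names, record categories and sample requests are all constructed for the illustration.

```python
"""Role-based, default-deny access checks with an audit trail of denials.

Added illustration for this section, not code from the article or from any
vendor named in it. Roles, record categories and requests are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Record categories a request can touch (names assumed for this example).
DEMOGRAPHICS = "demographics"   # name, address, phone
SCHEDULE = "schedule"           # appointment times
BILLING = "billing"             # claims, balances, insurance
CLINICAL = "clinical"           # notes, diagnoses, medications, allergies

# Explicit allow list per role. Anything not listed is denied, so a new role
# or a new record category starts with no access until someone grants it.
ROLE_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "receptionist": frozenset({DEMOGRAPHICS, SCHEDULE}),
    "billing":      frozenset({DEMOGRAPHICS, BILLING}),
    "nurse":        frozenset({DEMOGRAPHICS, SCHEDULE, CLINICAL}),
    "physician":    frozenset({DEMOGRAPHICS, SCHEDULE, CLINICAL, BILLING}),
}


@dataclass
class AccessRequest:
    user: str
    role: str
    patient_id: str
    category: str


@dataclass
class AccessLog:
    """Every decision is kept; denials are what you review around an offboarding."""
    entries: List[str] = field(default_factory=list)

    def record(self, req: AccessRequest, allowed: bool) -> None:
        verdict = "ALLOW" if allowed else "DENY"
        self.entries.append(
            f"{verdict} user={req.user} role={req.role} "
            f"patient={req.patient_id} category={req.category}"
        )

    def denials_for(self, user: str) -> List[str]:
        return [e for e in self.entries
                if e.startswith("DENY") and f"user={user} " in e]


def is_allowed(req: AccessRequest) -> bool:
    """Default deny: an unknown role or an unlisted category both return False."""
    return req.category in ROLE_PERMISSIONS.get(req.role, frozenset())


def check_access(req: AccessRequest, log: AccessLog) -> bool:
    allowed = is_allowed(req)
    log.record(req, allowed)
    return allowed


def run_sample() -> AccessLog:
    """Constructed sample requests showing the separation the article describes."""
    log = AccessLog()
    requests = [
        AccessRequest("dana", "receptionist", "P-1001", SCHEDULE),    # allowed
        AccessRequest("dana", "receptionist", "P-1001", CLINICAL),    # denied
        AccessRequest("mike", "billing", "P-1001", BILLING),          # allowed
        AccessRequest("mike", "billing", "P-1001", CLINICAL),         # denied
        AccessRequest("mike", "billing", "P-1002", "lab_results"),    # denied: unlisted category
        AccessRequest("eve", "contractor", "P-1001", DEMOGRAPHICS),   # denied: unknown role
        AccessRequest("dr_lee", "physician", "P-1001", CLINICAL),     # allowed
    ]
    for req in requests:
        check_access(req, log)
    return log


if __name__ == "__main__":
    for line in run_sample().entries:
        print(line)
```

The point of the default-deny shape is that mistakes fail closed: adding a new record type to the system grants nobody access until a role is explicitly updated, and a denied request from a billing account against clinical data shows up in the log rather than silently succeeding.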

The human resources team also has a role to play, advises Jiban Khuntia, PhD, who teaches about information systems and health administration at University of Colorado Denver. Human resources should encourage staff members to communicate about conflict in the workplace so that their anger doesn’t manifest in a negative event for the practice.


Khuntia advises practices to deploy cyber-surveillance software to monitor the behavior of all employees once the practice has decided to terminate an employee. This strategy can help prevent data breaches at the time the employee is terminated, he says.

Here’s the approach Khuntia recommends if an employee must be fired: Approximately one week before the employee is fired, the practice should deploy surveillance software that monitors the activity of every team member, not just the employee who is being let go. In addition, all logins and passwords must be changed before the employee is terminated. 

In addition, Salman says practices have to continually train employees about the risk of clicking links and opening attachments in emails. When such an attack succeeds, the hacker gains access to the practice’s network and can compromise the employee’s username and password for a device or server.
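What that training teaches staff to spot can also be checked mechanically before a message reaches an inbox. The following is an added example for this section, not code from the article or from Black Talon Security: it parses the HTML body of an email, collects every link, and flags three common deceptions, namely visible link text that names one site while the href points at another, a `user@host` prefix in the URL that hides the real host behind a plausible one, and a bare IP address used as the host. The sample message, the domains in it and the `registrable()` heuristic are constructed for the illustration.

```python
"""Flag deceptive links in an HTML email body.

Added illustration for this section, not code from the article or from any
firm quoted in it. The sample message and domains below are constructed.
"""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Matches link text that looks like a URL or domain, capturing the host part.
DOMAIN_RE = re.compile(r"^(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})(?:/.*)?$", re.I)


class LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> in the document."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url: str) -> str:
    """The host a browser would actually connect to (any user@ prefix is dropped)."""
    return (urlparse(url).hostname or "").lower()


def is_ip(host: str) -> bool:
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def registrable(host: str) -> str:
    """Crude last-two-labels comparison (assumed heuristic, no public-suffix list)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def suspicious_links(html: str) -> List[Tuple[str, str, str]]:
    """Return (href, text, reason) for each link that looks deceptive."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        real = host_of(href)
        if "@" in urlparse(href).netloc:
            findings.append((href, text, f"userinfo trick: real host is {real}"))
            continue
        if is_ip(real):
            findings.append((href, text, "bare IP address as host"))
            continue
        m = DOMAIN_RE.match(text)
        if m and registrable(m.group(1).lower()) != registrable(real):
            findings.append((href, text,
                             f"text shows {m.group(1)} but link goes to {real}"))
    return findings


# Constructed sample: a fake portal password-reset mail with one honest link.
SAMPLE_EMAIL = """
<p>Your clinic portal password expires today.</p>
<p>Reset it at <a href="https://portal-reset.example.net/login">https://portal.example-clinic.com</a></p>
<p>Or use <a href="http://portal.example-clinic.com@203.0.113.5/reset">this direct link</a></p>
<p>Help: <a href="http://198.51.100.7/help">IT helpdesk</a></p>
<p>Unsubscribe: <a href="https://mail.example-clinic.com/unsub">mail.example-clinic.com/unsub</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"{reason}\n   text: {text!r}\n   href: {href}")
```

Run against the sample, the first three links are flagged and the honest unsubscribe link is not. A check like this belongs in a mail gateway or a training exercise, not as a substitute for the training itself: lookalike domains that pass the registrable-domain comparison still rely on a person reading the address.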


Embrace paper to prepare for system downtime

Clyde Hewitt, executive advisor at Austin, Tex.-based cybersecurity consulting firm CynergisTek, also has some low-tech advice for when a cyberattack occurs. Practices need to be prepared to open the office with none of the technology working. That means printing the schedule for the next several days or weeks, so staff know which patients to expect each day.

Depending on the type of practice, access to static data, such as allergies and prior medications, can be helpful, adds Hewitt. “Finally, don’t panic, as physicians and clinicians have been treating patients for centuries before computers. Ensure your staff hasn’t forgotten how.”