Cybersecure? Be Sure
In a recent patient privacy and data security study by Ponemon Institute, 96 percent of health care providers surveyed indicated that they'd had at least one data breach during the previous two years.[1]
In this Pulse article, we examine ways to minimize the very real risk of a cybersecurity breach:
- Recognize potential threats to your medical group posed by cyber criminals
- Understand the impact of data breaches to your practice
- Identify potential risk areas
- Take steps to mitigate your information system vulnerability
You probably know someone who's been a victim of personal identity theft, or perhaps experienced it yourself. You understand the impact of that data breach: The money that often can't be recovered; the hours, weeks and months spent explaining to authorities, negotiating with creditors and trying to restore creditworthiness. Now think about your medical practice. Could it be vulnerable to the same kind of attack? If your valuable patient or practice data fell into the wrong hands, how would your practice be affected?
Like identity theft, medical data breaches are no longer rare events, and they're becoming even more common as medical information systems become increasingly connected and extended through electronic health records (EHRs), health information exchanges (HIEs) and mobile devices like tablets and smartphones. These breaches can not only have an immediate financial impact on your practice, but they also can result in lost time and productivity, damaged patient trust and goodwill, potential fines, and diminished brand and reputation that can take years to repair.
The answer is not to avoid these new technologies, but rather to understand how data breaches occur and what you can do to prevent them. Now – not after a data breach happens – is the time to protect your practice from cyber threats, in the same way you already take steps to protect your personal data from identity theft.
You may not be aware of it, but every day, the creators of "malware" – short for malicious software; malware includes viruses, worms, spyware, Trojans, bots, rootkits and other malevolent intruders – are looking for ways to access your practice's sensitive data in order to sell it to the highest bidder or use it for their own nefarious purposes. Medical practices are prime targets: They house what is arguably the most comprehensive database of confidential information about Americans - valuable personal, clinical and financial data. To make matters worse, they're often protected by relatively modest information technology.
Start here to protect your information systems from malware:
- Implement a robust antivirus solution practice-wide. Antivirus solutions are a cornerstone of protection from cyberthreats. Key characteristics to look for when evaluating options include the ability to maintain system processing speed and employee productivity (slowing computers is a common problem with many antivirus solutions); detection intelligence that automatically monitors for and identifies security deficiencies; and a user-friendly interface that makes the application easy to administer. Deploying the solution centrally across your practice's computer network is both more effective and more efficient than installing it on individual workstations one at a time. Purchase your own solution, or contract with an IT vendor that offers one.
- Download and install software patches immediately. Patches – software updates (usually downloads) issued by the software's author to fix a bug, enhance security or add a new feature – not only correct various "bugs" and annoyances for users, but also close the holes that new and emerging malware exploits, keeping your network, its computers and peripheral devices safe. Software vendors release patches frequently – sometimes daily – so it's important to obtain and apply them promptly across all devices, operating systems and applications. An automated patch management solution can handle these tasks across the network so a staff member doesn't have to do it manually.
Malware attacks have become increasingly prevalent, with more than 55,000 new malicious programs uncovered each day.[2] Protect your practice before you become a victim.
Data security threats can come from anywhere – including, unfortunately, your own practice. These threats may be unintentional – as with an employee who doesn't realize that his or her personal use of the Internet may expose the practice to risk – or deliberate – as with an employee who accesses information with the intention of performing a criminal act.
Tactics you can deploy to protect your practice from internal vulnerabilities include:
- Limit access to reduce the risk of a security breach – and improve productivity. It comes as no surprise that observers agree employees waste precious minutes – even hours – daily using the Internet for personal business or entertainment. Whether it's Facebook or Gmail, unfettered access to the Internet means your employees are unproductive at a time when you need them the most. Deploy a web monitoring solution to restrict access by user or group of users (the business office, for example), allowing the practice to block or limit access to non-work-related sites, including personal webmail sites like Hotmail. Assess employees' Internet activities by monitoring browsing and downloads, an action that can swiftly identify truly problematic employees, such as one visiting a questionable website, and set the tone that your practice won't tolerate a non-productive workforce. These limitations also reduce the risk of a malware attack or other cyber-based problem, since a blocked site can't deliver a malicious download.
- Implement monitoring software. It's better to prevent data breaches than to clean up after them, but monitoring software provides a virtual paper trail after the fact, should a breach ever occur. Each time data is viewed or extracted from your system, this technology logs the important details: what was viewed or extracted, the person who logged in to do so, the workstation used, and the date and time. Those records are what let you answer "who accessed which patient's data, from where, and when" during an investigation.
- Make staff training a priority. More than 50 percent of the healthcare organizations participating in the 2011 Ponemon study revealed that neither business office nor information technology (IT) personnel in their organizations understood the importance of patient data protection. Establish policies and procedures for handling sensitive and critical data, including protected health information (PHI), as well as credit card data. Give continuous attention to staff training about computer security, guarding one's passwords and mobile devices, and the legal consequences of violating state and federal privacy laws. Institute an Internet acceptable use policy, and communicate to employees the benefits of having such a policy so they understand its purpose.
- Protect mobile devices. Most physicians now carry a smartphone – and it's not uncommon for physicians, administrators and staff to download financial or even confidential patient data on a thumb drive or other mobile storage device. The use of smartphones, thumb drives, laptops, tablets and many other mobile devices means that your internal data is being transported outside of the practice. It's critical to protect your practice against data breaches by securing all mobile devices through robust password protection, encryption and safeguard software. For portable storage devices like thumb drives, it's important to limit access to external downloads, as well as to control what types of files can be downloaded. Your practice needs to not only restrict access, but also encrypt the data before it is downloaded. This extra layer of security allows appropriate access by legitimate users, while preventing access to those with damaging intentions.
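To show what the "virtual paper trail" from the monitoring software item above makes possible, here is an added example (not from the article or any vendor product) that parses constructed access-log lines of the kind described (date and time, user, workstation, action, patient record) and answers two defender questions: who touched a given record, and which user exported an unusually large number of records in a short window. The log format and the sample data are assumptions made for this illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from any real system):
# timestamp  user  workstation  action  patient_record_id
SAMPLE_LOG = """\
2012-03-05T09:14:02 jdoe WS-07 VIEW P1001
2012-03-05T09:15:40 jdoe WS-07 VIEW P1002
2012-03-05T22:03:11 msmith WS-12 EXPORT P2001
2012-03-05T22:03:15 msmith WS-12 EXPORT P2002
2012-03-05T22:03:19 msmith WS-12 EXPORT P2003
2012-03-05T22:03:24 msmith WS-12 EXPORT P2004
2012-03-06T10:30:00 jdoe WS-07 EXPORT P1003
"""

def parse_log(text):
    """Parse one event per line into a dict; blank lines are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ws, action, rec = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "workstation": ws, "action": action, "record": rec})
    return events

def audit_trail(events, record_id):
    """The paper trail for one patient record: when, who, from which workstation, what."""
    return [(e["ts"].isoformat(), e["user"], e["workstation"], e["action"])
            for e in sorted(events, key=lambda e: e["ts"])
            if e["record"] == record_id]

def flag_bulk_exports(events, max_records=3, window=timedelta(minutes=5)):
    """Return users who exported more than max_records distinct records
    within any sliding time window of length `window` (possible bulk extraction)."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "EXPORT":
            by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits within `window`
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            distinct = {x["record"] for x in evs[start:end + 1]}
            if len(distinct) > max_records:
                flagged.add(user)
    return flagged
```

Thresholds like four exports in five minutes are illustrative; a practice would tune them to its own normal workload, and the late-night timestamps in the sample are a second signal worth reviewing alongside the volume.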
Most physicians are still climbing the learning curve when it comes to automating their practices. A key lesson they're learning is the importance of understanding the potential risks – as well as the rewards – of new technologies. Take a fresh look at how data flows inside and outside your practice, pinpoint the weaknesses in your information systems' armor, and then put in place the safeguards necessary to protect your most valuable asset: your data.
1. Secure Fax
Communication by fax remains a way of life, even for computerized practices. But when you consider that inbound paper faxes can remain on or near a fax machine for hours waiting for pickup, and that outbound paper faxes may wait to be transmitted or remain in the outgoing tray long after they've been sent, it's clear that this familiar device represents a significant data security threat. A fax server integrated with your network can reduce this threat by allowing inbound faxes to be received – and outbound faxes to be sent – directly from your computer system. Not only are faxes transmitted this way safe from prying eyes; they also can be tracked for security audit purposes. In addition to preventing security challenges, a fax server saves money by eliminating the cost of paper and printing, as well as promoting efficiency.
2. Malicious Mail
Be aware: Cybercriminals send emails that target users by mimicking the look of communications from banks and credit card companies in order to gain access to personal information. These emails, or fake URLs planted in search engine results for popular searches, steal personal data when unsuspecting users download malicious attachments or log on to poisoned websites. Years ago, these malicious emails were easy to identify by their "fake" appearance; today's emails are more sophisticated, designed to fool even the seasoned user. These attacks are designed to grab pieces of data for the criminal's later gain, infect machines or even an entire network, or literally turn the attacked computer into a robot by installing a Trojan that exerts control over it. Recognizing the severe consequences if caught, savvy cybercriminals are getting out of the business of using the data themselves, instead selling the data – or access to these "robot" computers. Imagine if your practice is unknowingly under attack, with a criminal intending to sell access to one of your computers – or perhaps your practice's entire network. It's a frightening but real proposition. It pays to take stock of how your practice's data is protected – today.
3. Lock 'em Up
You realize that you accidentally left your iPhone in the hospital's coffee shop. After your search turns up empty, the panic sets in. Not only did several recent emails you received contain sensitive financial data about the practice, but the device also holds your rounding lists from the past month, as well as your hospital charges. Don't let this scenario leave you suffering from a panic attack; protect your iPhone by locking its screen with a passcode. (Consider turning off the "simple passcode" option and choosing a longer, more protective passcode instead, an option on most versions of the iPhone.) This first layer of protection, however, is likely not enough against a person with nefarious intentions. At minimum, set your iPhone's passcode lock to automatically erase the device after 10 failed attempts. For most criminals, this will prevent the data from being retrieved. For the strongest currently available protection, purchase smartphone-protection software, which can lock down a stolen phone, preventing the finder (or thief) from placing outbound calls or accessing data. Such software can also help you track the handset on a map using another device, remotely wipe all of the phone's data, and notify you if someone swaps the phone's removable subscriber chip – the Subscriber Identity Module (SIM) card.
4. Security Standards
Although you may be concerned with how to react to the growing challenges posed by cybercriminals intent on accessing your practice's data, your practice should already be in the throes of protecting itself. To comply with the Security Rules – the short, common name of the Security Standards for the Protection of Electronic Protected Health Information (EPHI), adopted to implement provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) – your practice needs to be taking steps to protect its data. For example, the Security Rules require that you conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of your EPHI. Review the government's rules – and the penalties for failing to abide by them.
[1] Ponemon Institute, Second Annual Benchmark Study on Patient Privacy & Data Security, Research Report, December 2011
[2] AV-TEST Institute, February 2012