While news reports typically cover healthcare cyberattacks targeting larger organizations, cybercriminals are not only interested in data from the big players. Thinking your practice is likely to be safe because of its smaller size and thus choosing not to make healthcare IT security a top priority could cause you legal and financial distress.
Statistics show that all organizations — regardless of their size — are at risk of an attack. FierceHealthcare, covering a Protenus and DataBreaches.net report, notes that more than 41 million patient records were breached and 572 incidents were reported in 2019. The article states that the number of reported incidents is likely to be a "huge underestimate," and there continues to be at least one healthcare data breach per day.
A review of the data posted to the federal government's "wall of shame," which identifies those organizations with reported breaches over the past 24 months of unsecured patient health information affecting at least 500 individuals, reveals nearly 350 reports of breaches affecting fewer than 5,000 individuals.
A Boston Business Journal report notes that healthcare data remains highly desirable to criminals. It's worth about three times as much on the dark web as bank data. Credit card numbers, routing numbers, and other financial data can be changed, but healthcare data by its nature cannot, which enhances its value and appeal to criminals.
What also makes practices and other smaller-sized providers, such as ambulatory surgery centers (ASCs), attractive targets are their perceived — and likely — security vulnerabilities. Whereas bigger organizations with larger budgets tend to invest significantly in security measures to help prevent breaches (although not always successfully), a practice's budget, including money for cybersecurity, is likely to be much smaller. When fewer resources are dedicated to healthcare IT security, practices will likely not invest in enterprise-type security measures, making themselves more vulnerable to a security breach.
Furthermore, because practices spend less on IT security, a breach may not be discovered for some time. Once a system is breached, cybercriminals can continue to monitor and steal new data added to the system.
Best Practices to Strengthen Healthcare IT Security
Even though practices typically lack the technology and security budget of larger providers, there are still steps to be taken that can strengthen data security. Here are six worth taking.
1. Install antivirus/antimalware and intrusion detection software
This might seem like an obvious step to begin with, but its importance cannot be overstated. Such software is critical to protecting data. Once you select and install this software, ensure the programs are kept current and licenses always remain active.
When choosing software, it is advisable to steer clear of freeware. Free programs are often missing essential features included with paid versions of software, such as the ability to schedule routine scans and automatic updates. In addition, free versions are often reactive programs. This means they are designed to address threats and attacks after they have occurred and possibly inflicted damage.
2. Immediately stop using unsupported operating systems and software
Is any of your computer hardware still running on Windows 7 or Windows Server 2008? If so, you'll want to upgrade or replace this hardware as soon as possible. That's because these operating systems had an end-of-life (EOL) date in January 2020, meaning that their continued usage brings substantial security vulnerabilities.
When software reaches its EOL date, the vendor (in these cases, Microsoft) essentially stops providing support and updates. While your practice is still capable of using computers with Windows 7 and Windows Server 2008 as operating systems, doing so is not advisable. Without support and updates, new vulnerabilities and technical issues are no longer addressed, making continued usage of these computers a massive security risk. And if computers with these operating systems are used for anything involving protected health information, your practice is effectively non-compliant with HIPAA and the HITECH Act.
Even if your practice has only a single computer running Windows 7 or Windows Server 2008 on your network, with all other computers and services running newer operating systems, your network remains vulnerable and all data remains at risk. The best practice here: Migrate away from software with approaching EOL dates before the date arrives, or as soon as you identify computers still using unsupported software. In the case of Windows 7 and Windows Server 2008, this likely means migrating to Windows 10 and Azure, respectively.
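Finding the stragglers is the first step. The following inventory script is an added example, not from the original article; it lists domain-joined computers that Active Directory still reports as running Windows 7 or Windows Server 2008 (including R2). It assumes the ActiveDirectory RSAT module and an account that can read computer objects; the output file name and the 30-day activity cutoff are assumptions.

```powershell
# Added example: inventory AD computer objects whose self-reported OS is
# Windows 7 or Windows Server 2008 / 2008 R2, so they can be migrated or retired.
Import-Module ActiveDirectory

# Matches both "Windows 7 Professional" and "Windows Server 2008 R2 Standard".
$filter = 'OperatingSystem -like "Windows 7*" -or OperatingSystem -like "Windows Server 2008*"'

$eol = Get-ADComputer -Filter $filter -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, Enabled |
    Select-Object Name, OperatingSystem, OperatingSystemVersion, LastLogonDate, Enabled |
    Sort-Object LastLogonDate -Descending

if ($eol.Count -eq 0) {
    Write-Host 'No computers reporting Windows 7 / Windows Server 2008 found in AD.'
} else {
    # A machine that logged on recently is a live risk; a stale object may only
    # need to be cleaned up after confirming the hardware is really gone.
    $cutoff = (Get-Date).AddDays(-30)   # assumed activity window
    $eol | ForEach-Object {
        $lastSeen = if ($_.LastLogonDate) { $_.LastLogonDate.ToString('yyyy-MM-dd') } else { 'never' }
        $status   = if ($_.LastLogonDate -and $_.LastLogonDate -ge $cutoff) {
                        'ACTIVE - migrate now'
                    } else {
                        'stale - verify hardware, then retire AD object'
                    }
        '{0,-20} {1,-40} {2,-12} {3}' -f $_.Name, $_.OperatingSystem, $lastSeen, $status
    }
    # Keep a dated record for the security risk assessment / remediation plan.
    $eol | Export-Csv -Path '.\eol-computers.csv' -NoTypeInformation   # assumed path
}
```

The OperatingSystem attribute is reported by the machine itself when it joins or updates in the domain, so treat the list as a starting point and cross-check it against workgroup machines and anything not joined to the domain.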
3. Educate and train staff on HIPAA
Education and training on the HIPAA Security Rule should occur regularly and be kept current, reflecting any revisions to regulations and new best practices. Practices should also strive to confirm that any business associate (BA) and BA subcontractor that handles their data is following HIPAA rules. Examples of BAs may include healthcare IT security companies, revenue cycle management companies, consultants, and collections agencies.
4. Arrange for a security awareness phishing campaign
Phishing is an online scam that cybercriminals use to target victims by sending them an e-mail that appears to be from a trusted or believable source. This can include everything from members of an organization's leadership or human resources team to a bank, Internet service provider, employee benefits provider — even a cybersecurity awareness company. These emails — which attempt to exploit social engineering — ask the recipient to provide personal identifying information and sometimes user names and passwords. The cybercriminal uses the information to open new accounts or invade existing accounts.
A security awareness phishing campaign is an employee training tool that can be provided to a practice by a healthcare IT security consulting firm. The campaign simulates a phishing attack and tracks how recipients respond. Based on the results, employees can receive increased training on how to spot and properly report suspected phishing attempts. These campaigns, when performed regularly, are an effective means of heightening awareness of phishing and strengthening protection against it.
5. Undergo a security risk assessment
An IT security risk assessment is another worthwhile service provided by some healthcare IT security companies. It is designed to analyze a practice's current IT environment and identify security gaps that should be addressed.
A good healthcare managed services provider will generate a report for the organization that not only identifies vulnerabilities but also includes best practices, guidance, the benefits of potential investments in technology, and a remediation plan and solutions if gaps are identified. Practices should receive regular security risk assessments performed by a qualified third party, regardless of whether they have an in-house IT provider in place. A third-party healthcare IT security firm is more likely to provide an objective report.
6. Take immediate action when staff changes occur
When a staffing change occurs at your practice, IT security should be treated as a top priority. Immediately remove or at least make inactive the user accounts of any outgoing staff — even those leaving on good terms. Any delays in making such changes can leave your systems more vulnerable to cyberattacks.
If you put off removing user accounts, perhaps to focus on recruiting or onboarding a new staff member, you may ultimately forget to do so for some time. This will only prolong your vulnerability. It is a best practice to include an IT termination checklist with your employee termination policy and procedures and to follow that checklist with every exiting member of your staff.
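The account-handling step of such a checklist can be scripted so it is done the same way every time. The function below is an added example, not from the original article; it disables a departing user's domain account, rotates the password, strips group memberships, records the reason, and parks the object in a disabled OU. It assumes the ActiveDirectory RSAT module and rights to modify user objects; the OU path, account name and ticket id are placeholders.

```powershell
# Added example: one-shot offboarding of a departing user's AD account.
Import-Module ActiveDirectory

function Disable-DepartingUser {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [Parameter(Mandatory)] [string] $TicketId,
        [string] $DisabledOu = 'OU=Disabled Users,DC=example,DC=local'   # placeholder OU
    )

    $user = Get-ADUser -Identity $SamAccountName -Properties MemberOf

    # 1. Block sign-in first, before anything else on the checklist.
    Disable-ADAccount -Identity $user

    # 2. Rotate the password so shared or cached credentials stop working too.
    $chars  = (48..57) + (65..90) + (97..122)
    $plain  = -join ($chars | Get-Random -Count 32 | ForEach-Object { [char]$_ })
    $newPwd = ConvertTo-SecureString -String $plain -AsPlainText -Force
    Set-ADAccountPassword -Identity $user -Reset -NewPassword $newPwd

    # 3. Remove group memberships so the account grants nothing if it is ever
    #    re-enabled by mistake. MemberOf excludes the primary group (Domain Users).
    foreach ($groupDn in $user.MemberOf) {
        Remove-ADGroupMember -Identity $groupDn -Members $user -Confirm:$false
    }

    # 4. Leave an audit trail on the object, then move it out of production OUs.
    $note = 'Disabled {0} per offboarding ticket {1}' -f (Get-Date -Format 'yyyy-MM-dd'), $TicketId
    Set-ADUser -Identity $user -Description $note
    Move-ADObject -Identity $user.DistinguishedName -TargetPath $DisabledOu

    # Return the end state for the checklist record.
    Get-ADUser -Identity $SamAccountName -Properties Enabled, Description, MemberOf |
        Select-Object SamAccountName, Enabled, Description, @{ n = 'Groups'; e = { $_.MemberOf.Count } }
}

# Constructed example call; replace with the real account and HR ticket.
Disable-DepartingUser -SamAccountName 'jdoe' -TicketId 'HR-0000'
```

Run it as soon as the departure is confirmed; accounts in the disabled OU can be deleted later under your retention policy once mailbox and file ownership have been reassigned.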
Take Your Practice's Healthcare IT Security Seriously
Cybercriminals get savvier by the day and are just waiting for practices and healthcare organizations of any and all sizes to take their healthcare IT security for granted. Even the smallest IT vulnerability can be the entryway for a cybercriminal to access your practice's network. Once in your network, it is only a matter of time before this criminal accesses sensitive data. And if that happens, the situation will likely be difficult and costly to resolve.