How to maximize healthcare IT security in 6 steps

Almost every industry is susceptible to cybercrime, but the medical sector arguably faces the most risk.

Patient health data sells for more money than any other kind of information on the black market, according to the Ponemon Institute, and ransomware has emerged as a highly effective attack method: an intruder who gets into the network can copy patient data, then encrypt it and hold it inaccessible until a ransom is paid. HIPAA, HITECH and cloud-based technologies aim to help medical organizations remain secure, but the resources and infrastructure they require often add further stress and complexity.

No matter the size or resources of your medical practice, it’s critical to remain proactive and vigilant when it comes to cybersecurity, because every organization is a potential target. To protect your business, staff and patients from malicious hackers and remain continually compliant, consider the following six cybersecurity best practices:

1. Duplicate Storage
Given the enormous amount of data medical practices produce, cloud technology can be an ideal storage resource, offering near-unlimited scalability at a relatively affordable price. However, as widespread data breaches and natural disasters have shown, at least one copy of valuable healthcare data must live outside the cloud provider's data centers, so that a breach, a ransomware run or a regional outage there cannot reach every copy at once. Use cloud technology to replicate and store your data, and keep a replica of that data offline on encrypted backup tapes. An offline copy only counts once you have restored from it: test a restore on a schedule, and keep the encryption keys somewhere other than with the tapes, because a tape you cannot decrypt is as useless as no tape at all.
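One way to put the offline-copy step into practice, as an added example that is not code from the article or from the author's company: a bash script that builds an encrypted archive for the tape copy, records its SHA-256 fingerprint, and performs a trial restore before the tape leaves the building. The directory layout, the passphrase file and the sample records are constructed for illustration, and `tar`, `openssl` and `sha256sum` are assumed to be installed.

```shell
#!/usr/bin/env bash
# Added example, not from the article: produce an encrypted archive for an
# offline (tape) copy of a data directory, fingerprint it, and prove it
# restores before it leaves the building. Paths, passphrase handling and the
# sample data are constructed for illustration.
set -eu
# pipefail lets a failing tar abort the pipeline; ignored on shells without it.
set -o pipefail 2>/dev/null || true

PBKDF2_ITER=100000   # key-stretching rounds applied to the passphrase

# make_offline_backup SRC_DIR OUT_DIR PASSPHRASE_FILE
# Writes OUT_DIR/backup.tar.gz.enc and a SHA-256 manifest beside it.
# Returns 0 only if a trial restore of the encrypted archive matches SRC_DIR.
make_offline_backup() {
  local src="$1" out="$2" passfile="$3"
  local archive="$out/backup.tar.gz.enc"
  mkdir -p "$out"

  # Archive and encrypt in one pass so plaintext never lands on the staging
  # disk. The passphrase is read from a file (mode 0600), not passed on the
  # command line where every local user could read it from `ps`.
  tar -C "$src" -czf - . \
    | openssl enc -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" -salt \
        -pass "file:$passfile" -out "$archive" || return 1

  # Fingerprint the ciphertext so the tape can be checked for tampering or
  # bit rot when it comes back from storage.
  (cd "$out" && sha256sum backup.tar.gz.enc > backup.tar.gz.enc.sha256) \
    || return 1

  # Restore test: a backup that has never been restored is only a hope.
  local scratch rc
  scratch="$(mktemp -d)"
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$PBKDF2_ITER" \
      -pass "file:$passfile" -in "$archive" \
    | tar -C "$scratch" -xzf - || { rm -rf "$scratch"; return 1; }
  if diff -r "$src" "$scratch" >/dev/null; then rc=0; else rc=1; fi
  rm -rf "$scratch"
  return "$rc"
}

# verify_offline_backup OUT_DIR
# Re-check a stored archive against its manifest; non-zero means do not trust it.
verify_offline_backup() {
  (cd "$1" && sha256sum -c backup.tar.gz.enc.sha256 >/dev/null)
}
```

Run `make_offline_backup /srv/ehr /mnt/staging /root/backup.pass` (hypothetical paths) from a scheduled job before each tape rotation; a non-zero exit means the restore test failed and that tape should not go offsite. Run `verify_offline_backup` on the archive when a tape is brought back, and keep the passphrase with your key-custody records rather than on the tape itself.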

2. Protect Biomedical Devices
If your medical practice houses biomedical devices connected to the internet, such as MRI scanners or insulin pumps, you could be handing cybercriminals an easy entry point for commandeering the device and stealing its data, including patient records. FDA approval of a device says nothing about whether its network behaviour is secure, and a vendor whose product stores or transmits patient data on your behalf is itself subject to HIPAA as a business associate. So consult your vendors to confirm that their products are compliant, and work with them to close any cybersecurity gaps that remain. In the meantime, keep an inventory of every connected device and place such devices on a segmented network where they can reach only the systems they need, since many run software that cannot be patched on the practice's schedule.

3. Draft Communication Plans
In the event of a cybersecurity incident, it is crucial to have a predetermined plan for communicating with staff and patients so that they stay informed and safe. Outline a clear chain of command and keep the contact details in it current at all times. Consider a critical-messaging service that supports instant, real-time communication in an emergency, and make sure it does not depend on the systems most likely to be unavailable, such as email on a network that has been taken offline for containment. Test and update your crisis communication plans continually.

4. Train Users
A medical practice's cybersecurity is only as strong as its weakest link, and it takes just one user, even a well-intentioned one, to break that chain. Educate your staff and your patients on cybersecurity basics such as choosing strong, unique passwords, enabling two-factor authentication, and opening sensitive files only from trusted devices. Make sure your staff know what to do, and whom to call, when they suspect a cybersecurity incident has occurred, and continually remind your patients of the role they play in protecting their own health data.

5. Control Shadow IT
Shadow IT refers to computer systems, apps or devices used inside an organization without its explicit knowledge or approval, and it can cause serious harm to medical practices. When staff move between a work laptop and a personal smartphone, for instance, or use unvetted cloud-based services such as Dropbox or Google Apps, patient data ends up on devices and in services that IT does not inventory, cannot back up and cannot wipe when a phone is lost. Outline clear Shadow IT and BYOD (Bring Your Own Device) policies, and make sure your entire organization understands the security consequences, especially as your business grows.

6. Get Cyber Insurance
Cyber insurance is an important final step for comprehensive cyber protection, especially given the significant financial demands many medical practices face after an attack. Look for plans that cover immediate business costs as well as data breach expenses, including the cost of retaining legal counsel to determine your regulatory obligations, the cost of notifying people whose sensitive personal information has been exposed, and the cost of providing those people with up to a year of credit monitoring.

According to research from Experian, cyberattacks cost the healthcare industry over $5.6 billion each year, and, more alarming still, the Ponemon Institute found that 90% of healthcare organizations have suffered a data breach in the past two years. Safeguard your medical practice, staff and patients by combining cloud technology with offline storage. Make sure your internet-connected devices are secure, implement clear crisis communication plans, and continually educate your staff and patients on the perils of lax cybersecurity. Lastly, look to comprehensive cyber insurance to protect your business's bottom line before it is too late. In doing so, you will be better equipped to combat determined attackers and the ever-evolving healthcare IT threat landscape.

by Anita Sathe, GM of CoverHound and CyberPolicy

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

Copyright © 2024 Becker's Healthcare. All Rights Reserved. Privacy Policy. Cookie Policy. Linking and Reprinting Policy.
