Healthcare organizations are prime targets of cyberattacks because of the importance and value of patient data. Even a small practice with several physicians will accumulate tens of thousands of patient records over several years of operation. These records include essentially everything about each person: name, address, phone number, email, Social Security number, insurance information, and personal details of their health conditions. Small practices are just as likely to be attacked as large ones, usually by an individual criminal operating from an underresourced country rather than by a state-sponsored group. All an attacker needs to disrupt your practice is a laptop and an internet connection, which lets them operate from anywhere in the world. These individuals are often looking to make just a few thousand dollars, but the damage they cause a practice can easily run to several hundred thousand dollars, not to mention the cost to your reputation with your patients and the community.
What Do We Need to Know?
Most physicians' computer-security knowledge begins and ends with the antivirus program on their computer. Although antivirus software is an important component of cybersecurity, it is only one of many. Managing cybersecurity is a complex undertaking that encompasses networked computers, cloud-based applications, passwords, staff, training, and safe day-to-day processes. A cyberattack can result in anything from identity theft to extortion attempts to the loss of important data such as patient records and company financial records, along with the loss of your reputation.
Imagine a denial-of-service (DoS) attack on your practice's network. You lose your internet connection, your email, perhaps your phone system and fax, and access to your EHR. Normal operations grind to a halt. The attacker then demands $100,000 to stop the attack and let your network service resume. What do you do? This is a realistic scenario that can happen to any practice.
Critical Questions
Deciding where to begin addressing cyberattack threats can be daunting, but there are core questions you can ask that will help you develop a plan for managing cybersecurity.
What Software Should We Use?
A medical practice needs more than simple antivirus software on each computer. You need a network-wide solution encompassing antivirus, antimalware, firewalls, email security, and intrusion prevention systems (IPS). Although there are companies that offer do-it-yourself solutions (eg, Avast, Trend Micro, and Symantec), it is a better investment to have an IT professional install and manage network security applications, because of the complexity of the systems, the constantly evolving threats, and the steady stream of software updates that must be applied.
Do We Need a Password Plan?
Absolutely and emphatically YES! Passwords are the first line of defense for protecting digital information in your practice, and the dangers of using simple or reused passwords are very real: a guessed or stolen password lets an attacker log in as a staff member, install malware, and steal patient or financial information. You must have a password policy that requires long, unique passwords for every account and every person in your practice, and a password manager makes such a policy practical to follow. Where your EHR, email, and remote-access tools support multifactor authentication, turn it on; a password alone does not protect you once it has been stolen.
Should We Backup Our Data?
There are many ways data can be lost in a medical practice, ranging from natural disasters to power outages to employee turnover. Ransomware is continually in the news, with new strains entering businesses in clever new ways to encrypt files and demand a ransom for their return. Making regular and effective data backups is core to your cybersecurity plan, and two details matter: at least one copy must be kept offline or otherwise out of reach of the network it protects, because ransomware routinely encrypts or deletes any backup it can connect to, and you must periodically test that a restore actually works. A DoS attack that shuts your network down is a different problem; backups will not restore service, but they ensure the attack cannot also cost you your data. The time and cost to implement backups are minimal compared to the weeks and months needed to recover from a serious loss.
Summary
Answering these questions lays the foundation for a cybersecurity plan for your practice. The next steps are to implement a detailed plan, a checklist, and training for everyone in the practice.