As a healthcare provider you are your patients’ confidant. Patients willingly offer personally identifiable information (PII) in the form of addresses (physical and email), social security numbers, payment details (credit card, bank, etc.), health insurance information, and personal and family medical histories. Sharing all of this information assumes both doctor-patient confidentiality and proper safeguarding measures by the medical institution. But the reality is that while efforts ARE made to protect PII, the healthcare industry is slow to adopt new patient-facing technologies, including cyber security defenses. This makes healthcare providers ideal targets for cyber criminals.
If your practice is the victim of a data breach, it causes a chain reaction of problems: damage to the reputation of the practice, mistrust from the public, stress and anxiety for employees, delays of care, and expensive recovery options, all of which add up very quickly.
Here are some healthcare cyber resilience best practices:
1. Security Awareness Training
It is important to train and educate your staff. 95% of data breaches are caused by a staff error. Training is an inexpensive way to protect your practice: it teaches employees what to look for in terms of “phishing” and the danger of opening email attachments from an illegitimate source that looks legitimate. Most have heard of the terms “phishing”, “spear phishing” and “ransomware” but have no idea how to recognize these crimes when they are happening. Ransomware is a real threat to medical practices. It basically holds your data hostage and extorts your practice until a payment is made for decryption. All it takes is one employee to open a fake email and an attachment that appears interesting, and the program encrypts/locks all the data on that person’s computer. This can also spread to other computers and servers on the network. This alone could result in the shutdown of your business for weeks, if not indefinitely. Ransomware attacks in the healthcare sector are on the rise.
2. Data Governance
Be mindful of who you are hiring, and limit each employee’s access to only what is necessary to perform their job function. While outside hacking is a major cause for concern, insider breaches are a leading cause of data breaches, according to HIPAA. It is very common for employees to steal patient information.
3. Data Controls
Make sure passwords are changed regularly in accordance with a formally communicated password policy. The policy should be enforced automatically on network login and overseen by trained IT resources (full time or part time).
4. Disaster Recovery
Develop and document a formal disaster recovery plan that backs up data and information to an offsite location, and perform regular checks to confirm that the data is backed up correctly and is accessible. This will protect your practice from loss of data should your business fall victim to a cyber attack.
5. Cyber Risk Management
Conduct a security risk assessment (SRA) as required by the HIPAA Security Rule. The SRA is a very important step toward understanding the risk to your practice and patient information and how to prepare if there were a disaster. An SRA will inventory patient information and put safeguards in place to protect the privacy of patients, with recommendations on how to lower the risk to the underlying data. It is recommended that you obtain this through the services of an experienced outside professional rather than doing it on your own. You cannot pass a HIPAA compliance audit without it.
6. Cyber Insurance
Cyber resilience doesn't end with protective measures for your infrastructure; it also needs to include the right cyber liability protection for business continuity, so that you are able to remain in business if such an attack were to happen. Having this type of insurance provides your practice with financial protection if a cyber attack occurs.
Broad Street Labs provides cyber insurance brokerage and risk advisory services to small and medium sized companies. With over 20 years of experience advising companies in the technology, legal, financial, and healthcare sectors, Broad Street Labs understands the unique challenges of building security organizations and developing cyber programs that can keep pace with the constantly evolving threat landscape. Cyber risk is no longer a siloed technical function but part of the overall integrated business risk strategy. Our goal is to ensure our clients' businesses have the right teams, tools, and protection in place for sustained revenue growth and business continuity.