The healthcare industry is a sitting duck for cyber attacks. These 2016 statistics are alarming:
- Major healthcare cyber attacks increased 63%
- There were 93 major attacks
- Attackers were to blame for 31% of major HIPAA data breaches
- 11 million patient records were compromised in June alone
Why is the healthcare industry such a target?
Attackers take advantage of the weakest link in your systems – and quite often healthcare practices do not have the resources to properly protect their data. When healthcare accounts are breached, attackers gain easy access to your full patient records containing extremely sensitive information such as credit card numbers, insurance information and medical history. Quite simply, it’s a one-stop shop for valuable information; the larger the practice, the better. This not only makes your patients vulnerable to identity theft but it also creates great distrust of your practice as a whole – for your patients, future patients, your referral network and your staff. The effects of a serious data breach can lead to disastrous consequences for your business, especially if a patient decides to litigate against you for damages.
Why aren’t healthcare practices more prepared?
Having internal expertise to combat such events as well as technology in place is not only expensive but also time-consuming. Some practices simply do not take proactive measures to put plans into place to monitor potential threats. When an attack has occurred, there is a reactive approach as they scramble to remediate the consequences and try to assure patients, partners and staff that the breach is under control.
Now is the time to change from reactive to proactive.
It is of the utmost importance that your practice does everything possible to mitigate your risk of cyber attacks. Here are 6 tips you can start implementing today:
- Identify Your Top Risks
Take time to analyze your practice and identify exactly where your most valuable information is being held. Do you have an internal or external database server? Do you use internal hardware to house this information or do you store data through cloud storage? How are your Electronic Medical Records (EMRs) protected? Prioritize the importance of each asset so you will know which are the most critical to your practice.
- Put Security Controls in Place
Monitoring systems should always be running to identify unusual or suspicious activities. There should be a team in place to not only make sure these systems are running smoothly but also to control the security of your infrastructure. If a breach is suspected, a pre-planned crisis response program should be implemented immediately to minimize damage.
Your patient data must adhere to rules and regulations surrounding security and data segregation. The HITRUST CSF is a security framework that takes federal, state and third-party regulations for security and privacy into consideration to keep them all in harmony.
- Monitor Your Partners
The HIPAA Omnibus rule, among other things, enforces the same personal health information protection standards for your partners (such as referring doctors and vendors) as for your practice. If these partners are not performing their own due diligence in safeguarding patient information from cyber attacks, including staying current with new risks, your own practice could become liable for breaches. It is highly recommended that your practice take the time to review each partner’s methods of monitoring, reducing and responding to threats.
- Be Ready to Change
Just like technology is always changing, so are cyber threats. If you are not continually researching the latest threats, scams and cyber attacks, your practice will become vulnerable. Your internal team needs to know which threats to focus on in order to minimize the effect on your practice. Your defensive plan cannot be held up by office red tape – these new threats can come on fast and furious so you need the support of your management team to act fast.
- Keep the Information Flow Going
Your cyber security plan must be known practice-wide – especially to upper management. Regular reports as to the state of your security risks, IT protocols and potential threats should be shared with the proper parties within your practice. The senior team should be aware of how your system is set up and how it is monitored so that, if there is a cyber attack, no basic-level cyber intelligence training is needed. Instead, the team can move into full response mode as quickly as possible to minimize damage.
- Get Help
This may all seem like an insurmountable task for practices. Luckily, there are organizations that can help you devise a process to safeguard against threats as well as respond to breaches in the most effective manner possible. At Advantage Healthcare Consulting, we have a partner network with these resources. While our partners can’t prevent a cyber attack from occurring, their systems can keep you one step ahead of the game and give you and your patients peace of mind.
If you would like to learn more about your options to keep your practice cyber threat ready, contact us today.