CategoryHealthcare / HIPAA

10 Cybersecurity Basics for Small Practices

This article previously published at EagleConsultingPartners.com

Small medical practices are not immune from cyberattacks, but complex recommendations are overwhelming. We present our top 10 cybersecurity basics to protect against data breaches and other cybersecurity risks.

Top 10 Cybersecurity Recommendations for Small Practices

  1. Know Your Assets. Your assets include computer hardware such as PCs and routers, key software applications such as EHR, PM, Email and cloud file sharing, any medical devices that store or transmit ePHI, and your sensitive data, such as ePHI, billing records, HR/payroll, and business financials. Keep an up-to-date inventory of what you have and where it is. This doesn’t need to be fancy – a simple spreadsheet is fine. Just consider: If you don’t know what you have and where it is, how can you keep it protected? Putting together this inventory is among the first things we do when conducting a risk assessment for our clients.
  2. Know Your Risks. Too often I hear from clients the mistaken assumption that “we are too small to get attacked.” The reality is very different. Broadly speaking, cybersecurity risks only come in a few scenarios, any of which could easily affect a practice of any size. A good security risk assessment will help you understand your particular risks and worst-case financial impacts. Routine risk assessments are required for HIPAA compliance. Here are the most common risks:

    • Targeted attack by an outsider. A nation-state, organized criminal group, or lone hacker specifically targeting an organization, usually for financial, intelligence, or personal reasons. Small practices benefit here from obscurity and anonymity; on the other hand, bad actors know that small organizations have fewer defenses and are easier targets.
    • Random attack by an outsider. Most ransomware and other malware attacks fall into this category: infections in the medical sense of the word designed to spread autonomously from host to host across the internet, with no concern for geography or your practice size. (For an eye-opening view of this, read WIRED’s excellent exposé, The Untold Story of NotPetya, the Most Devastating Cyberattack in History.)
    • Malicious insider. A current or former employee who takes advantage of insider access is more common than most people are willing to admit.
    • Non-malicious error. This is the most frequent source of data breaches in the healthcare industry, according to the Verizon 2018 Protected Health Information Data Breach Investigations Report.
    • Third-party risk. Don't forget the risk that one of your trusted third parties will screw up!  Perhaps your EHR vendor, billing company, or IT service provider – experiences one of the above incidents.  You are ultimately responsible for their mistakes.
  3. Obtain Cyber Insurance. Get insurance coverage to mitigate the possible financial impacts of a data breach, loss of practice data, extended system downtime, and other cybersecurity concerns. This insurance is generally inexpensive. But the details matter, so work with a broker that really understands cyber policies.
  4. Backup Your Data. Make sure your sensitive data is backed up regularly, effectively, and securely. If using a cloud EHR and/or PM, understand how your vendor is backing up your data and how to get access to the backups during an outage or security incident.
  5. Keep Systems Up-To-Date. Use computers with modern operating systems. Apply patches and security updates at least monthly for operating systems, browsers, Adobe products, and Java.
  6. Enforce Secure Logins. Require strong password policies on all sensitive systems: minimum 8 characters (though I generally recommend at least 10) with some complexity such as numbers or special characters. Train employees to create good passwords (hint: not “Password1234” or “Spring2019!”) and to use unique passwords for each system. Passphrases (ex: “DandelionSharpenerBounce23”) are both easier to remember and generally more secure than the typical password (ex: “C@pta1n$”). Turn on multi-factor authentication (aka two-factor authentication or 2FA) wherever possible for an extra layer of protection around account logins.
  7. Provide Employee Security Awareness Training. Employees are the most frequent targets of bad actors. Cyber-aware employees become a strength rather than a weakness. Train employees on the cyber risks to the practice. Teach them safe web browsing and email practices, how to recognize phishing and social engineering, and how to identify and respond to possible malware attacks. Conduct this training annually at a minimum, but consider whether a more robust and engaging security awareness program might be right for your organization.
  8. Install a Commercial-Grade Firewall. The router from your internet provider might be fine for Netflix at home, but when handling, storing, and transmitting sensitive data like ePHI, you want the security of a commercial-grade firewall/router. Commercial firewalls provide threat prevention, block attacks, filter malicious traffic and websites, and also offer speed and performance benefits. Furthermore, numerous attacks have been targeting the weak security of consumer-level routers in recent years. The Mirai botnet and the recent VPNFilter malware that triggered a public FBI alert last year are two examples.
  9. Encrypt Devices. Implement full-disk encryption on PCs, servers, smartphones, and any removable media used in the practice. This encryption protects data stored on these devices from being accessed in case of physical loss or theft. The Department of Health and Human Services has been saying for years that encryption is key to preventing healthcare security breaches.
  10. Monitor System Use. One of the biggest cybersecurity challenges for small organizations in any industry is knowing if they have been attacked or compromised. Small practices only need to invest in a little bit of monitoring to make a difference here. These recommendations aren’t perfect, but they’re a good start:

    1. Review remote logins & login attempts. Keep any eye on who is accessing or trying to access your network remotely via the firewall. Red flags would include login attempts at abnormal hours or from unusual locations.
    2. Monitor EHR logins. Particularly if using a cloud-based EHR, regularly check the access logs for logins at abnormal hours, unusual locations, or anything else that might indicate a compromise. Same goes if you use a cloud-based Practice Management system or similar.
    3. Conduct internal EHR audits. Regularly review EHR audit logs for unusual behavior, records access, or updates. These could indicate a potential insider threat or compromise by an outside attacker.

Bonus Recommendation #11: Hire a Security-Conscious IT Managed Services Provider. For most smaller practices, it makes sense to outsource many of the above responsibilities to an IT Managed Services Provider (MSP) with good security capabilities. Quality MSPs who understand the security concerns in healthcare can implement these core recommendations professionally and efficiently, allowing your practice to go back to what you really want to be doing – practicing medicine.

Questions about any of these recommendations? Interested in help with a risk assessment or other compliance need? Get in touch with us today via our contact page.


Additional Resources:

More Health Data Breaches Coming, 2018 Data Suggests

This article originally published at EagleConsultingPartners.com

“The trend of at least one breach per day that began in 2016 is expected to continue in 2019.”

That’s one of the conclusions from the recent Protenus 2019 Breach Barometer report, published by healthcare compliance analytics company Protenus Inc. The report, which reviews health data breaches reported during 2018, emphasizes that organizations with Protected Health Information (PHI) still suffer from the same vulnerability areas and fall victim to the same attacks. Furthermore, the number of records impacted per breach is trending significantly upward. As of this writing, 68 breaches affecting 2.6 million records have been reported to the HHS Breach Portal during 2019. That’s more than twice as many affected records as the same period last year.

In short, the trends in the Breach Barometer suggest that the baseline risk of a health data breach is increasing across the board. Organizations with PHI – large and small – need to understand the importance of assessing and managing risks to the organization’s data.

Reviewing 2018

  • The total number of breaches (503) increased slightly from 2017.
  • However, breaches in 2018 affected over 15 million patient records, nearly three times the number from 2017.
  • The number of breached patient records increased every quarter during 2018, as shown in the chart from Protenus below.
Affected patient records by quarter, 2018 health data breaches (Protenus 2019 Breach Barometer Report)

Affected patient records by quarter, 2018 health data breaches (Protenus 2019 Breach Barometer Report)

Key Challenges

Insiders

  • Insiders accounted for 28% of the reported breaches.
  • Incidents in 2018 are fewer vs. 2017, but the number of patient records affected is substantially higher.
  • Insider error was a much bigger problem than insider wrongdoing, both in incident count and records affected. (See comparison below.)
  • “On average, 3.86 healthcare employees breach patient privacy per every 1,000 employees.”
Patient records breached by insiders, 2017 vs. 2018 health data breaches (Protenus 2019 Breach Barometer Report)

Patient records breached by insiders, 2017 vs. 2018 health data breaches (Protenus 2019 Breach Barometer Report)

Hacking

  • Hacking incidents accounted for 44% of the 2018 breaches.
  • Hacking exposed 11 million records in 2018. That’s a huge increase compared to the 3 million records hacked in 2017.
  • Phishing and other employee-targeted attacks continue to be a major problem.

Business Associates

  • Business Associate breaches accounted for 5.3 million records in 2018, about one-third of the year’s total.
  • This number emphasizes the importance of assessing third-party risk to an organization’s protected health information.

Paper Records

  • “89 incidents involved paper records. These incidents affected 586,728 patient records.”
  • Although many organizations are shifting to digital, these paper records remain an area for concern.

Incident Discovery

  • Organizations remain very slow to discover health data breaches, with a mean discovery time of 255 days. In other words, it took on average 5 months for organizations to discover they had suffered a data breach!
  • The worst of these included an insider incident that took 15 years for the organization to discover. Seven other breaches had taken over four years to identify.
  • On the (slightly) brighter side, the median discovery time was 28 days, so the majority of incidents were discovered in under a month.
  • Hacking incidents were generally discovered quickly, while insider incidents took organizations much longer to identify. Due to resource limitations, internal audit teams are investigating only a small fraction of potential violations. This suggests that many incidents are never identified.

Takeaways

Health data breaches are growing bigger and more common. Organizations with PHI continue to suffer the same issues and make the same mistakes, year after year.

Please do not become a headline in 2019. Assess your organization’s risks this year. Take steps to address issues.  Do it for yourself, because it’s good business, and for the good of the people you serve. Don’t become a statistic in the 2020 Breach Barometer report.

Need help with a security risk analysis for your organization? At Eagle, we pride ourselves on providing a thorough, useful, and action-oriented security risk analysis for our clients. Contact us today!

© 2019 Musings

Theme by Anders NorénUp ↑