The Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009 has changed the way in which medical practices store patient information. As of 2011, it provided financial incentives to medical practices that implemented Electronic Health Record (EHR) systems, but only until 2014, after which medical practices may face fines for failure to implement EHR systems.
As a result of this healthcare digitization, however, medical practices and other healthcare institutions are facing an alarming number of cyber attacks. According to a report by Protenus and DataBreaches.net, 27 million patient records were compromised in 2016.
Furthermore, a Data Breach Investigations Report (DBIR) of 905 phishing attacks conducted by Verizon Enterprise indicates that healthcare organizations are the second-most-targeted organizations by hackers, only behind financial institutions (15% and 24%, respectively).
Medical practices can reduce their risk of being hacked, however, by avoiding the following cybersecurity mistakes.
Not Using a Remote Wipe Feature
Statistics show that roughly 68% of all data breaches in the healthcare industry are attributed to lost or stolen devices. If an employee loses a laptop on which Protected Health Information (PHI) is stored, someone may find it and retrieve the data. A simple yet effective preventative measure is a remote wipe feature. Unfortunately, though, it’s also something that medical practices tend to overlook.
By implementing a remote wipe feature on laptops, tablets and other electronic devices, medical practices can remotely delete all sensitive data if a device is ever lost, stolen or otherwise compromised.
Perhaps the single most common cybersecurity mistake made by medical practices is using weak passwords. According to the same DBIR study cited above, 63% of data breaches were caused by weak, default or stolen passwords. If a medical practice uses a generic word for its system’s password, a hacker could easily crack it using a brute-force attack.
Granted, using a strong password isn’t 100% effective at preventing all data breaches, but when combined with other measures it can reduce the risk of a cyber attack.
The Office of the National Coordinator for Health Information Technology (ONC) recommends the following practices when creating passwords:
• Avoid using common words found in the dictionary.
• Avoid using personal information that could be learned by hackers or other nefarious individuals.
• Use at least eight characters.
• Include upper-case letters, lower-case letters, and at least one number and one special character (e.g. exclamation mark or question mark).
The ONC also recommends multi-factor authentication, which involves the use of a second step — PIN, smart card, biometrics, key fob, etc. — in addition to a password.
Not Using Anti-Malware Software
Another common cybersecurity mistake made by medical practices is not using anti-malware software. According to a survey conducted by Healthcare Information and Management Systems Society (HIMSS), more than 15% of medical practices don’t use anti-malware software. Without anti-malware software, these medical practices have opened the front door through which hackers can enter.
A tactic used by hackers to infiltrate medical practices is the deployment of malware through phishing. A hacker may send the medical practice an email with either an attached file or link to an external website. The email appears legitimate and even features a correct “from” address. Upon downloading the attachment or visiting the linked website, however, the medical practice inadvertently downloads malware to their computer, giving the hacker access to stored data.
Cyber attacks such as these can often be prevented, however, by using anti-malware software. Proper anti-malware software should scan the computer or network periodically for malicious software, usually several times a day. Additionally, medical practices should keep their anti-malware and anti-virus software up to date; otherwise, hackers may exploit unprotected vulnerabilities.
Not Encrypting Sensitive Data
Encryption is a highly effective safeguard in preventing the unauthorized access of sensitive data. Technical jargon aside, it involves the conversion of readable data into an unreadable format. There are different types of encryption, though they all work in the same manner by using a complex computer algorithm to make data indecipherable.
Medical practices should encrypt all sensitive data, regardless of whether the data is stored or in motion. If a hacker retrieves encrypted data from a medical practice, he or she won’t be able to decipher it without the associated decrypt key.
Unsecured Cloud Storage Services
According to a survey conducted by HIMSS Analytics, 83% of medical practices currently use cloud services and 9.3% plan to in the near future. Cloud storage services are particularly useful for medical practices, as they allow practitioners to access and edit information from virtually any device with an internet connection. If a document is stored on the cloud, the practitioner can access from his or her office, home or even while they are on vacation.
Medical practices must choose the Cloud Service Providers (CSP) with whom they do business carefully, though. First, the CSP must agree to enter into a business associates agreement (BAA) with the medical practice. Secondly, it must implement its own safeguards to reduce the risk of PHI disclosure, as per the HIPAA Security Rule, Privacy Rule and Administrative Rule.
Shared Login Credentials
What’s wrong with two or more employees at a medical practice using the same login credentials? Well, when medical practices use shared login credentials, it increases the risk of a data breach. A disgruntled former employee, for instance, may use another employee’s username and password to access the practice’s network and steal patient data. Unique login credentials allow medical practices to revoke access in circumstances such as this.
Furthermore, HIPAA requires medical practices to conduct their own audits — and unique login credentials helps. With unique login credentials, medical practices have a digital trail of who logged in to their system, at what time they logged in, and what data they accessed. If everyone used the same login, medical practices wouldn’t know who’s accessing what data.
Medical practices of all sizes should avoid making these cybersecurity mistakes. Not only will they increase the risk of a cyber attack, but these mistakes could also trigger a HIPAA violation and subsequent fines. The bottom line is that all medical practices need to make cybersecurity a top priority.