Small medical practices are not immune from cyberattacks, but complex recommendations are overwhelming. We present our top 10 cybersecurity basics to protect against data breaches and other cybersecurity risks.
Top 10 Cybersecurity Recommendations for Small Practices
- Know Your Assets. Your assets include computer hardware such as PCs and routers, key software applications such as EHR, PM, Email and cloud file sharing, any medical devices that store or transmit ePHI, and your sensitive data, such as ePHI, billing records, HR/payroll, and business financials. Keep an up-to-date inventory of what you have and where it is. This doesn’t need to be fancy – a simple spreadsheet is fine. Just consider: If you don’t know what you have and where it is, how can you keep it protected? Putting together this inventory is among the first things we do when conducting a risk assessment for our clients.
- Know Your Risks. Too often I hear from clients the mistaken assumption that “we are too small to get attacked.” The reality is very different. Broadly speaking, cybersecurity risks only come in a few scenarios, any of which could easily affect a practice of any size. A good security risk assessment will help you understand your particular risks and worst-case financial impacts. Routine risk assessments are required for HIPAA compliance. Here are the most common risks:
- Targeted attack by an outsider. A nation-state, organized criminal group, or lone hacker specifically targeting an organization, usually for financial, intelligence, or personal reasons. Small practices benefit here from obscurity and anonymity; on the other hand, bad actors know that small organizations have fewer defenses and are easier targets.
- Random attack by an outsider. Most ransomware and other malware attacks fall into this category: infections in the medical sense of the word designed to spread autonomously from host to host across the internet, with no concern for geography or your practice size. (For an eye-opening view of this, read WIRED’s excellent exposé, The Untold Story of NotPetya, the Most Devastating Cyberattack in History.)
- Malicious insider. A current or former employee who takes advantage of insider access is more common than most people are willing to admit.
- Non-malicious error. This is the most frequent source of data breaches in the healthcare industry, according to the Verizon 2018 Protected Health Information Data Breach Investigations Report.
- Third-party risk. Don’t forget the risk that one of your trusted third parties will screw up! Perhaps your EHR vendor, billing company, or IT service provider experiences one of the above incidents. You are ultimately responsible for their mistakes.
- Obtain Cyber Insurance. Get insurance coverage to mitigate the possible financial impacts of a data breach, loss of practice data, extended system downtime, and other cybersecurity concerns. This insurance is generally inexpensive. But the details matter, so work with a broker that really understands cyber policies.
- Backup Your Data. Make sure your sensitive data is backed up regularly, effectively, and securely. If using a cloud EHR and/or PM, understand how your vendor is backing up your data and how to get access to the backups during an outage or security incident.
- Keep Systems Up-To-Date. Use computers with modern operating systems. Apply patches and security updates at least monthly for operating systems, browsers, Adobe products, and Java.
- Enforce Secure Logins. Require strong password policies on all sensitive systems: minimum 8 characters (though I generally recommend at least 10) with some complexity such as numbers or special characters. Train employees to create good passwords (hint: not “Password1234” or “Spring2019!”) and to use unique passwords for each system. Passphrases (ex: “DandelionSharpenerBounce23”) are both easier to remember and generally more secure than the typical password (ex: “C@pta1n$”). Turn on multi-factor authentication (aka two-factor authentication or 2FA) wherever possible for an extra layer of protection around account logins.
- Provide Employee Security Awareness Training. Employees are the most frequent targets of bad actors. Cyber-aware employees become a strength rather than a weakness. Train employees on the cyber risks to the practice. Teach them safe web browsing and email practices, how to recognize phishing and social engineering, and how to identify and respond to possible malware attacks. Conduct this training annually at a minimum, but consider whether a more robust and engaging security awareness program might be right for your organization.
- Install a Commercial-Grade Firewall. The router from your internet provider might be fine for Netflix at home, but when handling, storing, and transmitting sensitive data like ePHI, you want the security of a commercial-grade firewall/router. Commercial firewalls provide threat prevention, block attacks, filter malicious traffic and websites, and also offer speed and performance benefits. Furthermore, numerous attacks have been targeting the weak security of consumer-level routers in recent years. The Mirai botnet and the recent VPNFilter malware that triggered a public FBI alert last year are two examples.
- Encrypt Devices. Implement full-disk encryption on PCs, servers, smartphones, and any removable media used in the practice. This encryption protects data stored on these devices from being accessed in case of physical loss or theft. The Department of Health and Human Services has been saying for years that encryption is key to preventing healthcare security breaches.
- Monitor System Use. One of the biggest cybersecurity challenges for small organizations in any industry is knowing if they have been attacked or compromised. Small practices only need to invest in a little bit of monitoring to make a difference here. These recommendations aren’t perfect, but they’re a good start:
- Review remote logins & login attempts. Keep any eye on who is accessing or trying to access your network remotely via the firewall. Red flags would include login attempts at abnormal hours or from unusual locations.
- Monitor EHR logins. Particularly if using a cloud-based EHR, regularly check the access logs for logins at abnormal hours, unusual locations, or anything else that might indicate a compromise. Same goes if you use a cloud-based Practice Management system or similar.
- Conduct internal EHR audits. Regularly review EHR audit logs for unusual behavior, records access, or updates. These could indicate a potential insider threat or compromise by an outside attacker.
Bonus Recommendation #11: Hire a Security-Conscious IT Managed Services Provider. For most smaller practices, it makes sense to outsource many of the above responsibilities to an IT Managed Services Provider (MSP) with good security capabilities. Quality MSPs who understand the security concerns in healthcare can implement these core recommendations professionally and efficiently, allowing your practice to go back to what you really want to be doing – practicing medicine.