Cybersecurity—Keeping Your Practice Data Safe in Healthcare’s Hack-Prone Environment
Written by: Jeremy Maxwell, Vice President and Chief Security Officer, Veradigm and Cheryl Reifsnyder, PhD
This October is the U.S.’s 20th annual Cybersecurity Awareness Month, a month dedicated to raising awareness of the importance of cybersecurity for staying safe online. In honor of Cybersecurity Awareness Month, Veradigm is bringing you this 2-part series on cybersecurity for today’s healthcare practices.
Cyberattacks are one of the most significant risks facing the healthcare sector today—and they’re on the rise. HIPAA reported a 25% increase in healthcare data breaches in 2020, or more than twice the number reported 6 years ago and 3 times the number reported in 2010.
In 2020, the healthcare sector’s average cost of a data breach was $7.13 million—but the cost isn’t purely financial. Practices with data breaches also suffer from patients leaving the practice; lost referrals; and diminished staff morale. Perhaps most significantly, cyberattacks disrupt the ability of healthcare professionals to provide effective patient care. Cyberattacks can:
- Interfere with the practice’s ability to access patient information
- Interrupt their ability to transmit patient data to other healthcare entities
- Interfere with the functioning of medical equipment attached to the computer network, such as heart rate monitors
- Enable hackers to make changes to patients’ records—changes to diagnoses, test results, physician notes, and more
Maintaining an effective cybersecurity program is critical for medical practices. Well-designed cybersecurity can reduce system vulnerabilities and the risk of cyberattacks and data breaches.
This is especially important because 95% of data breaches result from human error. In this article, we review one of the most common sites of human error that can lead to data breaches: email. We also provide a list of action steps you can take to help protect your practice from cybercrime, both through email and in other areas.
The dangers of phishing
Email is one of the areas in healthcare most vulnerable to cyberattacks. If email is compromised, it opens the door for potentially devastating data breaches; it could even result in trouble with the federal government.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a law protecting patient rights and privacy. It defines the standards for safeguarding Protected Health Information (PHI) in electronic form, such as when transmitting patient information between healthcare practices or exchanging data with a patient’s health plan. HIPAA violations can lead to significant fines and other costs—and some of the most common HIPAA violations include unauthorized access to PHI via successful email attacks.
Email phishing
Cybercriminals frequently target healthcare providers (HCPs) due to the wealth of valuable information they can access. HCPs and other healthcare professionals often fall victim to phishing or malware-containing emails. Email phishing is when cyberattackers send malicious emails to try to trick the recipient into a scam, such as giving out personal information or clicking on infected links to give hackers access to patient data. Phishing attempts to gain the victim’s trust and trick them into providing sensitive data such as login credentials or social security numbers. Email is the preferred attack vector for malicious phishing campaigns. An email phishing attack might even give a cyberattacker access to medical equipment attached to the computer network, such as heart monitors, enabling attackers to power the devices on and off at will.
Malware is another popular type of cyberattack delivered via email. Malware is a malicious computer program that can enter the healthcare system’s network through infected emails that trick the victim into downloading the program or opening an attachment that infects their device. Malware’s effects range from data theft to harming host computers and networks.
Ransomware is a specific type of malware that locks users out of their computers or networks until they pay a ransom to the actor who launched the attack. Only after paying do users regain access to practice data, information, and files—which can be extremely dangerous for hospitals, medical practices, and others that rely on electronic health records (EHRs) for up-to-date information to help with patient care.
Cybercriminals often prey on the weak security of inbound email, so it’s a good idea to take measures to secure inbound emails. Inbound email security is not required to be HIPAA compliant, but it can help prevent data breaches.
Other phishing attacks
Email is not the only avenue that attackers use to subvert HCP security. Your employees may receive a text message claiming to be from a practice administrator or a physician at your practice, asking them to purchase gift cards for use in a promotion. The fraudster will ask the employee to purchase the gift cards with their own funds, promising to reimburse them later and asking them to send the gift card codes to the fraudster, still masquerading as one of their leaders. The fraud is complete: your employee is out the money; the fraudster has stolen the gift cards.
Alternatively, you may receive a message on LinkedIn or social media claiming to be a patient, vendor partner, or government official. The fraudster will invent a sense of urgency. The message may say your response is overdue in a fictitious legal matter or claim a problem with your medical license. The fraudster will use any excuse they can think of to create a momentary lapse of judgment—to convince you to click a link, provide a login credential, or open a file laced with malware.
Human error
Despite all the protective measures your practice can implement, the most significant security risk you face isn’t related to your IT system. It’s related to your employees, who are prone to human error. It only takes one employee to click a link or open an attachment for ransomware to infect your system. Dodging these attacks isn’t easy; cybercriminals and hackers are constantly changing strategies to find new ways to penetrate your defenses.
That’s why staff training is one of the most valuable defensive actions your organization can take. At minimum, security training should include:
- Cybersecurity policies and procedures
- Safe use of electronic devices
- How to recognize and block malicious emails
- Not to click links in emails associated with suspicious websites
- Instructions to immediately report suspicious messages or attachments to the IT team
- Instructions to immediately report any strange phone or computer behavior, such as unusual crashes or unexplained slow operation
Regular training enables you to keep your staff up-to-date on the most recent cyberattack risks and prevention strategies.
Cybersecurity action steps for healthcare practices
These 10 action steps can make it more difficult for hackers and other cybercriminals to penetrate your cybersecurity defenses:
- Ensure your email system includes standard antispam and antivirus filtering controls.
- Keep computer operating systems and antivirus software up-to-date to prevent cybercriminals from exploiting pre-existing vulnerabilities.
- Encrypt all files and systems containing patient information. (Note: Lost or stolen patient data that has been properly encrypted may not be considered a data breach under federal law.)
- Deploy strong user authentication—such as multi-factor authentication—for all cloud-based and off-site systems so only authorized individuals can access sensitive data.
- Perform regular system backups.
- Conduct regular penetration tests to assess your current cybersecurity defenses.
- Make sure your cybersecurity system or systems is easy to use and includes regular employee training to help prevent human error.
- Require regular cybersecurity training for all practice staff, contractors, and others with access to sensitive patient data.
- Develop and test an Incident Response Plan. This is a plan for effectively discovering, containing, and recovering from cyberattacks. No matter how extensive your cybersecurity system or how well-trained your staff, you can’t guarantee someone won’t make a mistake and provide hackers or cybercriminals with access. The Department of Health & Human Services (HHS) provides recommendations for establishing and implementing Incident Response Plans in a recent newsletter from its cybersecurity advisory group.
- Consider purchasing cyber insurance coverage for your practice. HHS has gathered helpful thoughts to help with this decision, discussed in this newsletter.
Protection with Veradigm
If human error is your most significant security risk, what happens when a phishing attempt is successful? At that point, the incident severity is dependent on what other security measures are in place to protect your practice’s—and your patients’—data.
Veradigm has robust security measures in place on all its platforms to protect patient data from unauthorized access and breaches, all HIPAA compliant and certified by the Office of the National Coordinator (ONC) 2015 Cures Update Edition. Certified Veradigm products contain security features to meet applicable requirements under the ONC Certification rule, including authentication and access control, authorization, auditing, and encryption features. However, security features outlined in the ONC Certification Rule serve only as the base for Veradigm security; security measures for many Veradigm products go beyond these base requirements.
For clients using Veradigm hosting services, those solutions are all hosted using the Microsoft Azure platform. Microsoft Azure provides the latest encryption technologies to protect both internal data and data in transit to or from external sources. Azure uses the industry-standard TLS 1.2 or later protocol, with 2,048-bit RSA/SHA256 encryption keys, as recommended by the U.S. National Counterintelligence and Security Center (NCSC) and the UK governments’ National Technical Authority for Information Assurance, to encrypt communications between the customer and the cloud, and internally between the Azure system and data centers. We additionally offer encryption utilities within our EHR to exchange or transmit Protected Health Information (PHI) to third parties.
Just as you protect your practice from physical attacks and infections, take steps to protect against digital attacks and infections. Have up-to-date cybersecurity measures and be prepared with a clear Incident Response Plan. And most importantly, train your staff to recognize and avoid cyberattacks with ongoing training.
To learn more about the additional cybersecurity protection Veradigm can provide your practice, contact us today.