October was National Cybersecurity Awareness Month, and government agencies and private cybersecurity companies alike offered tips to stay secure online. Cybersecurity awareness is particularly necessary in 2020: Ransomware attacks against health care providers and entities that support them have continued in full force after a 350% increase in the fourth quarter of 2019. Even the U.S. Department of Health and Human Services suffered a cyberattack in March. COVID has not slowed hackers and other cybercriminals. eResearch Technology, a company that sells software used in clinical trials – including trials for a vaccine for the coronavirus – suffered a ransomware attack in mid-September. Universal Health Services, a health care network with more than 400 facilities across the United States and United Kingdom, suffered a ransomware attack that completely shut down all computer systems in its facilities in late September. Because health care providers are being specifically targeted, and because many providers have physicians and staff working remotely (at least part-time), sound cybersecurity practices are essential now more than ever. Adhering to strong cybersecurity policies and procedures protects both your practice and your patients.
A good cybersecurity review starts with the basics: a risk assessment of your entire information technology (IT) system. On HealthIT.gov, the Office of Civil Rights (OCR), which enforces HIPAA, offers a free, downloadable security risk assessment (SRA) tool that was recently updated, as well as other resources for providers. The SRA tool leads users through a list of questions about security practices and electronic Protected Health Information and how it is created, used and stored. The results of the risk assessment point you to your practice’s security weaknesses and a list of issues to be addressed. Perhaps you have a Microsoft Windows 2008 server that is no longer supported with security updates and, therefore, needs to be replaced. Perhaps your firewalls or malware/security software are lacking, or the security of your Wi-Fi connection is insufficient (do you require a password to use Wi-Fi or is it open for patient use?).
Because hardware/software deficiencies can make an entity vulnerable to cyberattacks, being proactive with system updates and patches is a necessity. However, the weakest links are, predictably, human – especially humans who are overly stressed and tired due to the many challenges of the pandemic. To combat this substantial vulnerability, strong policies and procedures, as well as thorough and repeated training, are necessary.
Particularly with respect to remote work, employers need to compel employees to use strong passwords and train employees how to protect passwords by not sharing personal information online such as street address, birthday, phone number, favorite TV show/movie, pet names, etc. Any information shared online should, obviously, not be used in passwords. Requiring two-factor authentication will help mitigate, but not eliminate, the risks from employees’ failure to follow good password hygiene. Two-factor authentication also helps to mitigate the potential for unauthorized access if the employee falls for a phishing attack and compromises their login credentials.
Additional risks posed by remote working are the security of Wi-Fi connections in the home, the potential for personal computers (if used) to be infected with malware or to lack appropriate security protection, and shared use with other persons, especially children or teens. Combating these risks is straightforward in concept, but perhaps more difficult in execution. First, establish a virtual private network (VPN) as the only way for employees to access your IT systems. A VPN is a private network that uses encryption and other security measures to allow users to operate online without compromising data. Second, issue company computers with appropriate security software and usage parameters (for example, only the practice security officer can download software) if resources allow. All laptops should be encrypted. If issuing company laptops is not possible, require the use of malware/digital security software that your security officer approves. Third, prohibit the sharing of company computers with non-authorized users. In all cases, but especially if your employee is using a shared family computer, ensure that they understand that it is absolutely forbidden for them to allow their log-in information to be saved onto the computer. Your practice portal is not Facebook.
Whether you are a practice owner or an employed physician, cybersecurity must remain on your radar. Breaches can be expensive, both dollar-wise and in the cost to the reputation of and trust in your practice. More importantly, ransomware can be catastrophic on an operational level, requiring a return to pen and paper until data can be restored. Lack of access to the patient’s medical record poses significant risk of adverse outcomes in patient care. If the ransomware attack also captures your backup data, restoration of data will be delayed further, causing increased risk to patients and the practice.
In the end, cybersecurity is not just a regulatory compliance issue. It is a patient safety issue. As John Riggi, senior advisor for Cybersecurity and Risk at the American Hospital Association, wrote:
Ransomware attacks on hospitals are not white-collar crimes, they are threat-to-life crimes because they directly threaten a hospital’s ability to provide patient care, which puts patient safety at risk. That development was reinforced during the early days of the COVID-19 outbreak, when phishing emails and other cyber attacks on hospitals increased because cyber criminals treated the pandemic as an opportunity to exploit, victimize and profit.1
Patient safety risk is also a very real concern for physician practices and other health care providers. Accordingly, it is incumbent on every person involved in health care to follow policies and procedures to ensure the safety of electronic Protected Health Information. Your patients’ lives depend on it.
DISCLAIMER: This article is for information purposes only and does not constitute legal advice. You should contact your attorney to obtain advice with respect to your specific issue or problem.