Health care continues to be the most targeted sector for cyberattacks due to the availability of valuable patient information, the financial soundness and resource capacity of the industry, and network vulnerability. From 2009 to 2021, the Health and Human Services’ Office for Civil Rights was notified of 4,419 health care data breaches, which resulted in the unauthorized disclosure of over 300 million health care records.
Of the many cybersecurity threats associated with health care, ransomware attacks and employee-related breaches are the most common threats confronting physician practices. According to the AMA, physicians are most concerned about threats that result in the theft of their patients’ health, personal, and financial information.
In addition to the financial implications of the increase in health care–related cyberthreats, health care professionals are also exposed to potential litigation associated with breaches of confidentiality. The alarming frequency of data breaches speaks to the urgency of implementing more robust cybersecurity practices within your practice or business.
Health care professionals handle patients’ health, personal, and financial information daily. One of the most common causes of data breaches, yet one that often receives less caution, is the insider threat. A data breach of this nature typically occurs when an individual or individuals who have been granted permission to access the practice’s data use those data for ill-intentioned purposes. Because the detrimental effects of data breaches extend beyond the loss of confidentiality and the associated liability, cybersecurity must be a priority.
There are a number of risk management considerations that can help enhance your practice’s cybersecurity.
Establish policies and procedures pertaining to information security and data privacy in the workplace:
• Assess whether cyber-liability coverage is a part of your professional liability coverage.
• Require strong passwords (using a combination of different alphanumeric and special characters).
• Change passwords at least quarterly.
• Encrypt all mobile devices and communication, including email.
• Use multifactor authentication to verify users’ login identities.
• Incorporate cybersecurity training, such as identifying phishing attacks, as part of your practice orientation and ongoing competency.
• Restrict employees’ ability to install software applications on devices belonging to the practice.
• Be familiar with whom you are engaging. Monitor for any signs of irregular activity and address them immediately.
• Develop and test a cyber-incident response plan.
Implement safeguards to protect the practice network from cyberattacks:
• Install and/or enable all firewall settings available in the operating system you use to create a barrier between the internal network and the internet.
• Protect internet routers with strong passwords to prevent unauthorized access, potential control of the device, and the recording of internet communications.
• Apply network segmentation to segregate network traffic (example: separate networks for online communications and for record keeping of confidential information).
• Use a virtual private network (VPN) for remote access to information.
• Use routers to separate the patients’ Wi-Fi network from the practice’s network.
• Configure computers by default to automatically download patches and system updates.
• Use HIPAA-compliant platforms for telemedicine.
• Destroy all data stored on the hard drives of leased equipment before returning it to the vendor.
• Back up practice data regularly to avoid paying a ransom fee in the event of a cyberattack.
Cybersecurity threats are here to stay, but simple measures can help protect your practice and reduce your risk.
This information is provided as a risk management resource for Allied World policyholders and should not be construed as legal or clinical advice. This material may not be reproduced or distributed without the express, written permission of Allied World Assurance Company Holdings, Ltd, a Fairfax company (“Allied World”). Risk management services are provided by or arranged through AWAC Services Company, a member company of Allied World. © 2023 Allied World Assurance Company Holdings, Ltd. All Rights Reserved.