Health care continues to be the most targeted sector for cyberattacks due to the availability of valuable patient information, the financial soundness and resource capacity of the industry, and network vulnerability (see resources at the end of this article). Between 2009 and 2020, 3,139 data breaches were reported to the U.S. Department of Health and Human Services, with the volume trending upward each year. Of the multiple cybersecurity threats associated with health care, ransomware attacks and employee-related breaches are the most common confronting physician practices. According to the AMA, physicians are most concerned about threats resulting in the theft of their patients’ health, personal, and financial information.
In addition to the financial implications that may arise from the increase of health care–related cyberthreats, health care providers are also exposed to potential litigation associated with breaches of confidentiality. The alarming frequency and severity of these attacks speak to the urgency of implementing more robust cybersecurity practices within the industry. In fact, the health care and public health industry is forecasted to spend $18 billion on cybersecurity in 2021 alone.
Health care professionals handle patients’ health, personal, and financial information daily. With the detrimental effects of cybercrime extending beyond the walls of confidentiality and associated liability, cybersecurity must be a priority.
The following are some risk management considerations to help enhance your practice’s cybersecurity protection:
Implement Cyberattack Safeguards
•
Internet connection
◦
Install and/or enable all firewall settings available in the operating system you utilize to create a barrier between the internal network and the internet.
◦
Protect internet routers with strong passwords designed to prevent unauthorized access, potential control of the device, and the recording of internet communications.
◦
Apply network segmentation to segregate network traffic (example: separate networks for online communications and record keeping of confidential information).
◦
Use a virtual private network (VPN) for remote access of information.
◦
Use routers to facilitate separation of the patient’s Wi-Fi network from the practice network.
◦
Default computer settings to automatically download patches and system updates.
◦
Use platforms for telemedicine that comply with the Health Insurance Portability and Accountability Act.
◦
Destroy all data stored in the hard drives of leased equipment before returning it to the vendor.
•
Backup practice data regularly to avoid paying a ransom fee in the event of a cyberattack.
Establish Policies and Procedures for Workplace Cybersecurity
•
Require strong passwords (using a combination of different letters, numbers, and special characters).
•
Change passwords at least quarterly.
•
Encrypt all mobile devices, including email.
•
Use multifactor authentication to verify user’s login identity.
•
Incorporate cybersecurity training, such as identifying phishing attacks, as part of your practice orientation and ongoing competency.
•
Restrict employees’ ability to install software applications on devices belonging to the practice.
•
Develop and test a cyber-incident response plan.
Cybersecurity threats are here to stay, but simple measures can help protect your practice and reduce your risk. ■
This information is provided as a risk management resource for Allied World policyholders and should not be construed as legal or clinical advice. This material may not be reproduced or distributed without the express, written permission of Allied World Assurance Company Holdings Ltd, a Fairfax company (“Allied World”). Risk management services are provided by or arranged through AWAC Services Company, a member company of Allied World. © 2021 Allied World Assurance Company Holdings, Ltd. All Rights Reserved.
“The Next Year of Healthcare Cybersecurity” is posted
here.
“Top Two Cybersecurity Threats Facing Physician Practices” is posted
here.
“Physician Cybersecurity” by the AMA is posted
here.