In 2018, there was at least one health care breach every day single, for an overall total of 503. Together, they accounted for nearly 15 million compromised patient records. That’s three times more than the previous year.
If you’ve been paying attention, this shouldn’t come as any great surprise. Health data is staggeringly valuable on the black market, with a single record fetching anywhere from $250 to $1,000. And healthcare organizations continue to present themselves as prime targets for attackers.
For every provider that understands the importance of protecting patient records, there seems to be several that overlook data security. For every provider with a thorough, risk-conscious procurement process, there’s another that deploys barely tested technology in the interest of cost-savings.
Consider, for example, the UK’s National Health Service (NHS).
In 2017 the NHS was brought to its knees by a devastating attack that we later found out could have been prevented with basic IT security. And now, more than a year later, nothing has changed.
Evidently, the NHS does not see the value of investing in cybersecurity.
As an independent physician, you are in a unique position. You can choose the technological path your business takes. You can choose to increase your IT spending. You can align with an IT partner to implement new, innovative hardware and software in a way that doesn’t compromise security or impede usability.
And you should. The Internet of Things represents the future of healthcare, which is a world with more effective care models, better patient outcomes, and more efficient business operations.
Do: Understand Small Businesses Are A Bigger Target
At this point, you might be thinking none of these statistics really apply to you. After all, even though you frequently deal with protected health information, you’re a small, private practice. Why do you need to worry?
Simply put, small businesses consistently account for the majority of data breaches across multiple industries. There is no reason to believe this trend will be any different in healthcare, particularly given how much more valuable health data tends to be. Be cognizant of the fact that you are a target and direct your spending accordingly.
Don’t: Neglect to Secure Your Entire Threat Surface
You’ve installed a firewall. You’re monitoring your network for suspicious activity. You keep the software on your clinic’s computers up to date, and regularly check them for malware.
That’s good, but it’s not enough. What about protecting your clinic’s email portal? What about smartphones and tablets? What about connected endpoints and smart devices? What about the business partners and covered entities your clinic works with?
Most people don’t realize just how large and expansive the threat surface of even a small organization can be. You’ll likely want to invest in email digital loss protection (DLP) software, a mobile device management (MDM) tool, and a secure file sharing and storage solution. That aside, you can also maintain a separate guest network for non-critical devices such as a smart coffee maker.
Do: Promote Awareness Among Clinical Staff
Never underestimate the damage that can be done by ignorance, however well-meaning. A single successful phishing attempt, a single malicious app on a receptionist’s smartphone, a single misplaced character in an email; any of these can result in a data breach. Such breaches, however minor, can have major consequences under the Health Insurance Portability and Accountability Act (HIPAA).
You need to educate your staff on cybersecurity. Maybe you’ve even tried to do so. The problem is that none of them seem willing to listen.
That’s understandable. Cybersecurity isn’t exactly a riveting topic. I’d wager even you find your training program (if you have one) more than a bit boring.
The solution isn’t education. It’s about being present, focused, and conscientious.
The vast majority of successful hacks and data breaches, rather than being the result of a sophisticated attack, usually stem from simple mistakes. By coaching clinical staff and colleagues to be more mindful, you significantly reduce the chance that they’ll make such mistakes. Simply teaching them to step back and question their surroundings every now and then can have a huge positive impact. As noted by Professor Ryan Wright of the University of Virginia, even a brief pause sharpens the instincts and leads to better decision-making.
Don’t: Ignore the Importance of Strong Policies and Processes
Mindfulness training is only part of the equation here. It’s also important that you establish a comprehensive, consistent cybersecurity policy for your clinic. That policy should hit the following beats:
- Acceptable use. What devices are allowed in the workplace? What devices are prohibited? How should clinical staff use smartphones and tablets while on the clock?
- Approved software. What are your clinic’s recommended applications, and why? Are any applications prohibited outright?
- Crisis response and disaster recovery. How should staff respond in the event of a critical infrastructure failure? A data breach? What systems are in place for backup and restoration? Your clinic should have a clear plan for facing every threat it’s likely to encounter, and a generalized plan for when it encounters the unexpected.
- Update cycles. How and when are software updates and patches applied once they’ve been made available? Ideally, you’ll want to set a time each day for software maintenance.
- Data storage. Where is your clinic’s data stored, who has access to it, and how is that access regulated or controlled? How is this data backed up, and where? Who has access to the backups?
- Device onboarding. When installing new technology such as medical devices, what is your due diligence process? How do you determine if these devices meet your security standards?
- General HIPAA compliance. Basically what’s written on the tin. How do you evaluate and ensure compliance with HIPAA in your clinic
Do: Collaborate With Other Medical Professionals
If you’re part of an accountable care organization (ACO) or similar group, don’t hesitate to discuss IT security measures with your peers. Each and every one of you face a similar threat landscape. By working together and sharing information about security tactics and best practices, you’ll be better equipped to tackle the security challenges of the modern health industry than if you each worked in isolation, and you’ll be able to do so in a much more cost-effective fashion.
I am not expressing some radical, revolutionary idea here. The notion that collaboration is necessary to secure the health sector is one that has gained considerable traction in recent months. It is one that is agreed upon by many leaders in the U.S. health industry.
Don’t: Forget to Regularly Review Your Security Systems and Processes
One thing I see many businesses forget is that cybersecurity is not the result of any singular project or initiative. Rather, it is an ongoing journey. If you are not regularly reviewing your clinic’s approach to security, you are not doing enough.
This does not need to be a particularly massive undertaking, nor does it demand significant expenditure. Simply take a bit of time every month or two to talk, brainstorm, and analyze.
Do: Leave Room for Innovation and Growth
There’s a toxic notion bandied about in many circles that cybersecurity and innovation cannot go hand-in-hand. That if you want to foster growth and evolution within any business, you need to accept some level of risk. This is not correct.
It’s certainly true that a business cannot grow if it is overly risk-averse. But being cognizant of cyber threats and having a security framework does not automatically mean you cannot evaluate new technology. So long as you practice due diligence when it comes to adopting new devices and software, you’ll be fine.
Don’t: Ignore the Basics
Last but certainly not least, foundational cybersecurity is just as critical as anything else on this list. Network monitoring tools, a decent firewall, malware scanning, and regular software updates are all a must. Beyond that, there are a few other things you should do, as well.
- Maintain comprehensive backups, and keep them separate from your existing systems.
- Ensure that critical infrastructure can be easily air-gapped and isolated in the event of a ransomware infection.
- For critical systems, ensure there’s always a failover option.
IT is Non-Negotiable
Whether you’re a small practice or partnered with a larger healthcare network, your IT budget is not something you can afford to ignore. Not only does digital transformation present a massive opportunity for clinics and hospitals, cybersecurity also grows more critical with each passing day. You don’t need to break the bank on it, but it does need to factor into your budget.
Because at the end of the day, the health industry will continue to be a target, whether you want it to be or not.
About the Author: Tim Mullahy is the Executive Vice President and Managing Director at Liberty Center One, a new breed of data center located in Royal Oak, MI. Tim has a demonstrated history of working in the information technology and services industry.