Medical practices and other healthcare providers have become a popular target for hackers, phishing scams, and ransomware attacks. These malicious assaults add to the security risks posed by inadvertent and inappropriate disclosures of PHI by practice staff or physicians. Medical practices have always exercised care to protect the privacy of their patients, but in the new electronic age that protection is far more difficult than locking the office suite doors at night. The dangers can now come from the other side of the world, and the cost of a mistake can be financially lethal. How did we get here, and what can you do to protect yourself?
Medical record information has always been more valuable to criminals than credit card information, because it contains social security numbers, home addresses and other identifying information. Since credit card companies now send emails to the card holder at the instant of a charge, stolen credit card data is of much less use to whoever holds it, which makes Personal Health Information obtained from a healthcare provider correspondingly more valuable. The value of the stolen information is augmented by the fact that hospitals and care givers must regain access to patient information or risk a failure in the provision of patient care. Thus, ransomware hackers find their first “return on investment” in the ransom paid to recover the use of the medical data seized during the attack. When both the ransom fee and the identity theft value are found in “soft targets” like small medical practices, it is little wonder that CMS estimates that thousands of medical practices are being hacked each day.
The mistake many physicians make is to presume that their computer defenses are sufficient because the system functions every day. Just because it worked this morning when you began clinic does not mean it is secure. And even though your group may have qualified for Meaningful Use by performing the requisite Security Risk Assessment, you may still not be safe from a hacking effort. The periodic presence in your office of a guy who does computer support from his basement may also afford you a false sense of security. So how do you gain legitimate comfort in this regard?
First, explore the possibility of cybercrime insurance coverage. It is still relatively inexpensive and is offered by most med mal insurance carriers as well as property and casualty insurers. Next, move to the cloud and away from in-house servers to add some protection from problems that arrive via the internet. Train and retrain your staff on the privacy and data security behavior for which they are responsible. Test your team with “spoof” e-mails modeled on the latest ransomware attempts, and review the management report of which employees clicked and would have created a potential vulnerability had the attempt been malicious. Have a fresh set of eyes review your present IT provider for areas overlooked. Arrange a secure offsite bunker and contract to back up your data to that storage location. Install systems that render your patient data unusable at the instant it is inappropriately seized. This last step may enable you to handle a ransomware event without a presumption that a HIPAA breach has occurred.
The threats are increasing, your data is growing in value, and the historical bases for comfort are no longer valid. A security failure carries a potentially huge cost in dollars and reputation. Secure the help you need to secure your records and the future of your practice.