Insights into Cyber Security Risks: The Key to Survival Is Resiliency

Today’s reality is that we are a mobile, always connected society using smartphones, tablets, and wearables to communicate both professionally and personally. The Internet has created expectations for access to information anywhere, anytime, and anyhow. Fifty percent of five-year-olds in the United States have access to a smartphone, and 60% of all humans are texters.(1) In addition to communicating with friends and families, checking sports scores and news feeds, and looking up general information, many of us use the Internet for banking, buying, selling, and other activities that can put our or others’ personal information at risk.

Medical practices are increasingly becoming targets for hackers.

Businesses are at a severe disadvantage because their limited cyber security resources face daily threats. Nowhere is this more the case than in the healthcare field, where physician resources are stretched to the limit. As electronic security breaches become more common in today’s headlines, physicians with electronic health records must take note. Although North Korean hackers may not be as interested in your practice records as they are in Sony’s internal emails, other nefarious hackers are. There is a huge black market for names, Social Security numbers, birthdates, addresses, and other billing information identifiers, all of which can easily be gained from access to patient records. Such breaches are no longer isolated incidents. Medical practices are increasingly becoming targets for hackers who realize that most physicians, although excellent physicians, are terrible at securing their patient data.

Physicians’ reimbursement rates are changing, and their staffs are overworked with keeping up with rules and regulations and the resultant paperwork. However, that does not eliminate their responsibility for complying with protecting their patients’ financial and personal medical data. This article provides resources so that a physician or a member of his or her staff can have easy access to information to eliminate as many breaches as possible. Cyber security professionals often say that it is not if but when your practice will be breached.

Cyber security professionals often say that it is not if but when your practice will be breached.

Criminal cyber attacks against healthcare organizations are up 125% compared with five years ago, replacing lost laptops as the top cause of breaches, and the average consolidated total cost of a data breach was $3.8 million, a 23% increase from 2013.(2) Establishing robust threat information–sharing infrastructure and capability within the healthcare and public health (HPH) sector is crucial to the privacy and security of health information. This, in turn, builds trust in the digital healthcare system envisioned in the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009.

To keep pace, all types of organizations need to share security risk and cyber threat information and respond as soon as possible. To better prevent attacks on health information technology, organizations need better insight into what to expect and how to respond. Timely information on the nature of attacks is critical to that ability. To enable better dissemination of threat information, the U.S. Department of Health and Human Services’ (HHS) Office of the National Coordinator for Health Information Technology and the Assistant Secretary for Preparedness and Response released two Funding Opportunity Announcements to build the capacity of an Information Sharing and Analysis Organization (ISAO) that will:

• Provide cyber security information and education on cyber threats affecting the HPH sector;

• Expand outreach and education activities to ensure that information about cyber security awareness is available to the entire HPH sector;

• Equip stakeholders to take action in response to cyber threat information; and

• Facilitate information sharing widely within the HPH sector, regardless of the size of the organization.

In short, the ISAO will create a more robust cyber information-sharing environment, especially for smaller entities that may not have the resources to access such information on their own, by leveraging existing relationships. Through the resulting streamlined cyber threat information sharing process, HHS will be able to send cyber threat information to a single entity, which will be able to share that information widely to support stakeholders.

However, it is unlikely that the general healthcare community will see any benefit from this funding for some years, because these monies will be awarded to the grant recipients over a five-year period. The first three years will be spent in analyzing information sharing; developing a concept of operations; developing plans based on that concept; expanding communications infrastructure and a tiered membership fee structure; and continuing to develop, implement, evaluate, and refine operational information sharing plans.

It is not until the third year, at the earliest, that the ISAO grantee will begin to serve as the main point of contact for information sharing and lead organization coordinating analysis and response activities.

Having a Cyber Risk Profile

Until ISAO is fully operative, it is up to individual practices to secure their data and patient privacy. So what is a practice to do in the meantime?

The key word is resiliency, because a practice will be able to withstand the inevitable cyber attacks and return to normal operations with minimal business impact only if it has the right controls in place. The first step is to prioritize limited cyber security resources to protect the business assets that create the most value, because most practices don’t have the budget or skilled resources to effectively protect all of their assets all of the time. For medical practices, confidential patient information is the priority. Less vulnerable information, such as vendor addresses, can be lower on the list.

A practice must take preventive actions that require due diligence in technologies such as network segmentation, regular backups, and limited administrative privileges, all of which are necessary to significantly reduce the risk. Then when breaches do occur, the impact can be minimized so that the practice can continue to operate successfully. Practices must change their approaches so that they focus on resiliency. Have a cyber risk team train your staff. Have staff meetings to educate your staff about the risks of sharing passwords and the need for segmentation and regular backups. Have another place off site where you can retrieve your backups. Your core concerns should focus on operational threats (motives and tactics) and cyber security visibility. By reviewing these core risk factors, you can proactively manage your cyber risks.

Cyber risk management is not a static proposition. You cannot just assess your risks, make a few changes, and relax. Independent audits and continuous monitoring are essential to maintenance. Periodic assessments are essential to maintaining compliance. Having the right policies and employee awareness training are also essential to having an effective program. These ensure your cyber security investments are not a waste of time and money.

Having your patients’ medical records hacked may be the most extreme way your practice could face repercussions for breaching patient privacy. However, loss or theft of electronic devices containing files or mismanagement of paper files is a more likely scenario. Not being prepared for such occurrences is far more likely to incur penalties and other actions.

Under HIPAA, physicians are obligated to protect confidential information. HIPAA requires that practices institute internal security controls to effectively prevent breaches from occurring and that they implement notification policies in case of a breach. HHS publishes information on its website about breaches that occur. Reports have found that 23% of these breaches were due to hacking while 68% were due to loss or theft of devices or files.

What is a Data Breach?

New York law defines a data breach as unauthorized acquisition that compromised the security, confidentiality, and/or integrity of patient’s personal information. Protected health information (PHI) is any information maintained by the practice. It is any information concerning the patient that, because of name, number, personal mark, and/or identifier, can be used to identify a patient.

Merely obtaining patients’ signed consent that they have read the HIPAA privacy policies and list the person or persons with whom your practice may share information does not provide adequate protection. The practice must also ensure that the personal, medical, and financial information in the patient’s file cannot be accessed by unauthorized users. Further, HIPAA requires that the practice have written policies in place that outline how PHI is kept confidential and what steps are to be taken in case of a breach. Training records regarding these policies must also be available in case of an audit.

Best Practices for Data Security

• Encrypt sensitive information, especially if it contains data protected by federal (HIPAA) or state laws, and especially if it can leave the practice vulnerable physically or via an unsecure network. Encryption is a safe harbor under most data laws. Your system should be encrypted to the latest standards.

• Conduct a cyber audit. Adopt a written plan now on how your practice will respond to a data breach so that you can expeditiously respond and minimize your damages. This means knowing how to stop the breach, whom to contact for help and when, and how to notify patients, colleagues, your insurers, and the authorities.

• Implement a “bring your own device” policy. Devices that are not dedicated exclusively to this practice should be subject to the “bring your own device” policy, which strictly monitors access to the practice’s network and mandates up-to-date security controls.

• Is your electronic health record (EHR) cloud based or server based? Having a cloud-based EHR has many advantages. However, you could be more susceptible to online hackers through this system. Find out from your vendor how it prevents malware attacks and what you can do to lessen any breaches to your system. If you have a server-based EHR, ensure you have the proper physical safeguards in place, such as encrypting backup files and locking rooms that have access to the server.

• Perform a security risk analysis on your system. Another important step to prevent loss of PHI is to perform a security risk analysis on your system. HIPAA requires that you perform this on an annual basis, and it would serve your practice well to do it more often. The Office of the National Coordinator for Health IT provides a helpful toolkit explaining this analysis.(3) Once you complete your analysis, fix any underlying problems, and implement policies to address them. For example, make sure your employees are not using their personal e-mail accounts to send PHI. They should be sending this information through the EHR’s secure, HIPAA-compliant electronic exchange.

• Train and retrain your staff. Employees must be aware of cyber security issues so that they become barriers to entry by crooks and do not, either intentionally or inadvertently, permit the removal of personal information from the office or via unsecured wireless connections. Base your training on standards of conduct, policies, and procedures. It is recommended that this training be done annually, but as a practice management consultant, I do not limit the training to once a year. I keep it active through staff meetings, e-mails, and the articles that I publish. It is important to document your training with records such as sign-in sheets or e-mail acknowledgments.

• Develop strong disposal polices for paper and electronic files, and equipment. Sanitize USB and hard drives before they are discarded. Photocopier and fax machines can have hard drives that keep scans of document that pass through them, so find out what the copier contractor does with the hard drives after the machine is wheeled out of your office.

• Define the role of the compliance officer. Compliance officers are not figureheads. Although many have other responsibilities, compliance must take up a significant portion of their time and effort. Your policies and procedures must be tailored to your specific practice, with oversight by the compliance officer, and written documentation should be reviewed by your attorney. The staff must understand that your practice has an open door policy and that all complaints will be documented and handled quickly.

• Specific policies must be included in your compliance plan. These include the following:

  • Scope of compliance officer hotlines/communications lines;

  • Investigations of reports and issues;

  • Frequency of training;

  • Training in high-level topics;

  • Documentation methods;

  • Waiver of copayment;

  • Documentation retention;

  • HIPAA privacy and security policies;

  • How breaches are handled by the practice; and

  • Cyber insurance, which is crucial in this era of litigation.

Conclusion

As you complete a security risk analysis or update the one you have, pay particular attention to new threats and vulnerabilities as you add EHR and health information exchange applications.

If you have taken these steps to secure your PHI, but still find yourself in a situation where your data has been hacked, then you must report it. At minimum, you must report the breach to your patients and to HHS at www.hhs.gov/hipaa/for-professionals/breach-notification/ . If the breach affected more than 500 patients, you must also post a note in major print or broadcast media within 60 days.

References

1. Smolan R, Erwitt J. The Human Face of Big Data. Against All Odds Productions; 2012.

2. Ponemon Institute. Criminal attacks are now leading cause of healthcare breaches. May 7, 2015; www2.idexpertscorp.com/ponemon. Accessed September 29, 2016.

3. Security Risk Assessment. HealthIT.gov . https://www.healthit.gov/providers-professionals/security-risk-assessment .

Risk Assessment Resources

Take a look at all of these various risk assessment tools and resources before selecting one to use:

• HIPAA COW tools: The name is amusing, but the resources available on the site of this Wisconsin-based collaborative are very strong. Their Risk Assessment toolkit is available at http://hipaacow.org/resources/hipaa-cow-documents/risk-toolkit/ .

• The federal government’s comprehensive site features a powerful and user-friendly HIPAA Security Risk Assessment Tool, available at www.healthit.gov/providers-professionals/security-risk-assessment-tool .

• In addition to the tool, HealthIT.gov provides a series of informative Security Risk Assessment videos that help you understand important risk assessment topics. They are available at www.healthit.gov/providers-professionals/security-risk-assessment-videos .

• The Office for Civil Rights provides specific guidance for behavioral health services. The HIPAA Privacy Rule and Sharing Information Related to Mental Health can be found at www.hhs.gov/ocr/privacy/hipaa/understanding/special/mhguidance.html