Doctors Must Improve Cybersecurity
If you’re a physician in private practice, computer security is a critical operation. Since all your patient records are by definition sensitive, personally identifiable information (PII), a data breach or compromise can potentially be very damaging to your patients – and send your practice on a fast track to bankruptcy.
We recently learned that 500 million Yahoo accounts have recently been compromised – likely by a state-sponsored hacker. According to research by Javelin Strategy & Research, cyber-crime costs American consumers some $15 billion annually, and the annual cost to the global economy from cyber-crime now tops $375 billion or more.
And criminals are increasingly placing their cross-hairs squarely on health care providers.
Cyber-criminals have moved on from increasingly alert banks and retailers, and moving on to softer targets who are less vigilant about monitoring data for breaches. They’re now concentrating n health care. According to the Security Intelligence blog, even as retail and banking industry breaches had been plummeting, between 2014 and 2015 there was a 1,166 percent increase in the number of health care records compromised: 100 million of them in 2015 alone.
These records are valuable on the black market: Criminals pay about $1 each for a stolen credit card number. But health care records go for as much as $50 on the black market, and criminals use the data they find to steal entire identities. They then use the data to commit insurance fraud, collect fraudulent tax returns, create identities and sell them to illegal immigrants, and the list goes on.
So what can a physician do? Here are some of our ideas:
- Take charge. It’s your practice. It’s your name on the door. Take a personal interest in seeing that your staff is aggressive and diligent in protecting sensitive data and practicing good data hygiene.
- Invest in training for your staff. Standard off-the-shelf HIPAA training modules aren’t enough. Today’s modern systems require specialized training and knowledge.
- Keep patient data digitally and physically segregated from other office functions.
- Don’t leave computers logged on to the Admin network account when you aren’t actively engaging in processes that need an admin function.
- Use strong passwords and insist that your staff do the same. Require special characters, numbers, backwards spelling, and anything else that can confound a hacker. A random series of characters from a password generator is good – two-factor security is best.
- Update your operating system and any applications. Set your computers and apps to check for updates every week.
- Put a sharp staffer in charge of your security strategy, send him or her to some specialized training and report back to you and your practice manager with specific recommendations. Bring in a consultant for an outside look and some additional expertise. Your staffer will benefit strongly from the experience, so will you, and so will your patients.
- Encrypt all digital patient information – even at rest and within the EHR.
- Grant access to patient data only to those who need it to do their jobs.
- Keep servers with sensitive information under lock and key. About 18 percent of health care cyber breaches were physical breaches, according to research from IBM. That makes them the second most prevalent attack type in the health care industry – and indicates that insiders, including your own staff – must be considered a threat. You must safeguard data against your own employees.
- Back up data regularly. Health care businesses have been targeted by ‘ransomware’ that locks up your computer system. Then criminals contact your organization and demand that you pay hundreds or thousands of dollars before they send you the decryption key. If your data is backed up properly, you can simply ignore them, or wipe your system and restore.
- Change passwords and access codes whenever an employee or partner leaves the company.
- Have a plan in place to address known or suspected breaches, and be prepared to execute it quickly. This is part of your Incident Response Plan (IRP) and is an important part of your HIPAA compliance effort.
- Consider cyber risk insurance. This is a specialized form of business insurance that provides financial protection against liability and damages arising from data breaches. These costs can include legal fees, fines and enforcement penalties, court costs, damages sought by patients and employees whose data was compromised, and the cost of mitigation, including providing credit screening services for those affected for a year or two. In some cases, the policy may cover business interruption as well.
For more information and resources specific to cybersecurity and the health care industry, see this report from IBM Security, as well as the federal resource HealthIT.gov.
DoctorDisability.com is a full-service insurance agency specializing in the financial and protection concerns of physicians, dentists and their families. Founded by Chuck Krugh, CFP, ChLU, CFC, DoctorDisability.com has been providing physicians and dentists with personal insurance and financial protection information for over a decade.
Doctor Disability Insurance, Inc. is an innovative, one-stop service that makes disability insurance shopping quick, affordable, and easy to understand. Physicians save time and money by comparing plans and prices from multiple insurance companies. The site provides free quotes from leading names in the disability insurance industry along with friendly and knowledgeable customer support. The best values in the insurance industry are located in one place and are available any time doctors are ready, including late at night and on weekends.
Call us toll free at 866-899-7318 to speak to one of our disability insurance professionals. Or simply log on to www.doctordisability.com to receive a no-obligation disability insurance quote.