Protect your medical practice from hackers

Protect your medical practice from hackers

Medical practices routinely protect people against viruses and other illnesses. But often, hackers unleash digital viruses and devise other threats to harm healthcare organizations and their patients.

Because electronic medical records (EMR) include so much valuable information, crooks deliberately target private practices, clinics and healthcare systems of all sizes. By stealing the data, hackers can glean financial information from patients, including credit card and bank account numbers, social security numbers, names of family members, addresses and sensitive information about health conditions.

Information from hacked health records may sell up to 10 or more times the value of stolen credit card numbers. Cybersecurity firm Trustwave valued black-market value of medical records at $250 (PDF) each, while credit card numbers sell for about $5 each on the dark web.

According to the Department of Health and Human Services, cybersecurity threats in healthcare generally stem from:
 

• Malware – Malicious software with viruses or hazardous code designed to disrupt, damage or gain unauthorized access to a computer system.
• Phishing attacks – Untargeted, mass emails sent to many people asking for sensitive information or encouraging them to visit a fake website.
• Ransomware ­– A cyberattack blocking the use of data and systems until you pay a ransom.

How common are cybersecurity breaches?
 

According to the U.S. government’s Administration for Strategic Preparedness and Response (ASPR):

• Four of five physicians in the U.S. have experienced some form of cyberattack
• 5,150 healthcare data breaches of 500 or more records occurred in the last 13 years
• 382,262,109 healthcare records were exposed in those breaches
• In 2022, 700 breaches of 500 or more records occurred in healthcare organizations

While 700 isn’t astronomical, statistics and odds go out the window if hackers hit your practice or healthcare system. You have a responsibility not only to treat your patients but also to protect their sensitive data and health records. In fact, you should consider cybersecurity an extension of patient safety, especially because hackers can also access software that controls medical devices, such as pacemakers or infusion pumps.

Invest in a cybersecurity insurance policy

Your business plan and budget should include cybersecurity insurance, which can cover your liability for a data breach involving sensitive patient information. Online fraud can cost your practice in fines, audits, ligation, business and reputation. Hackers can also demand significant ransomware fees.

The cost of recovery after a breach in healthcare data is almost three times that of other industries — averaging $408 per stolen healthcare record versus $148 per stolen non-health info.

Cybersecurity insurance typically helps to:

• Notify customers about a data breach
• Provide legal services against privacy lawsuits
• Recover lost business revenue due to a breach
• Recover compromised data
• Repair damaged computer systems
• Restore the personal identities of affected customers

According to a study by AdvisorSmith, which gathered quote estimates and rate filings from more than 43 insurance companies nationwide, cybersecurity insurance premiums range from $650 to $2,357 per month, for companies with moderate risks.

Guarding your patients’ records not only prevents harmful consequences for them. It also saves your practice time, stress, financial penalties and your reputation.

Outsource your IT needs

You specialize in healthcare, not information technology (IT), so your best bet as a small practice is outsourcing your IT needs. An internet search for healthcare cybersecurity IT services will yield many results to get you started. Use this guide from the U.S. Department of Health and Human Services to help you determine your IT needs.

Create an incident response plan

Your IT partner can help you develop an incident response plan to outline steps to take if an online breach occurs. If you don’t hire an IT consultant, set up your own incident response plan so your office is prepared.

Employees who rarely encounter cyberattacks may not remember what to do when they happen, and neither may management, so having a plan will keep everyone on the same page.

Designate someone in your organization to oversee IT security issues as part of this plan. Even if you have an IT consultant, a trustworthy person on your staff can act as their liaison. Prioritize the role so your liaison has sufficient authority, status and independence to be effective.

Also important: Limit access to software programs to only those who need to use them. This security measure will shrink your exposure to possible breaches.

Revisit security basics

While tech terms can make most of us tune out, employees can review your incident response plan and grasp the security basics. Assuring your offices take these basic tech protections can help ward off bad actors in the cyber world.

Your incident response plan should include security precautions such as:

• Encourage multifactor authentication and strong passwords – These extra security measures set up more roadblocks for hackers.
• Install antivirus software – Attackers primarily compromise computers in small offices through viruses and similar code that exploit vulnerabilities.
• Leverage firewalls – These network security devices monitor incoming and outgoing network traffic. They permit or block access to data based on a set of security rules.
• Sanitize computers and other devices – Erase stored data before you donate or trash out-of-date computers.
• Use caution when installing software – Is it essential? Don’t accept default settings without making sure. Also, make regular, recommended updates.

Having a well-prepared, thorough cybersecurity plan should be an essential part of your business plan to protect your patients and the organization you’ve worked so diligently to build.