Duke Health Referring Physicians


Cybersecurity for Physician Practices

Health care data can contain social security numbers and other data that may attract hackers who want to misuse that information or sell it. Although small practices may have only a few thousand patient records, hackers may target them to gain entry into larger health care systems and the millions of patient records stored there. Alternatively, smaller practices might get swept up in an attack on a larger entity.

In the May 2017 “WannaCry” attack on the UK National Health Service, smaller clinics with older computers running outdated software were hit particularly hard. One month later, physician offices affiliated with the Heritage Valley Health System outside Pittsburg, PA, were hobbled by the Petya malware virus.

A 2016 study from the Ponemon Institute showed that nearly 90% of health care organizations have experienced a data breach, and in June 2017 a report from the Health Care Cybersecurity Task Force commissioned by Congress declared that health care cybersecurity in the United States is in “critical condition.”

These findings have vast implications for the privacy of personal health information (protected by the Health Insurance Portability and Accountability Act of 1996, or HIPAA) and for the security of financial data for patients and practices. They also have legal and financial implications for practices that can be fined for HIPAA violations and sued by patients and other health care organizations for privacy infractions. The estimated cost of a health care data breach is more than $350 per record—or $700,000 for a practice with 2,000 patients.

Keeping up with cybersecurity safeguards and regulations can be complicated for well-resourced health systems. It can be even more challenging for independent practices with no central information technology (IT) department.

One important initial step is to conduct a risk assessment—required by HIPAA—to identify weaknesses in policies, procedures, and technology, including electronic health record (EHR) systems. The US Department of Health and Human Services (HHS) offers some tools for practices to undertake this on their own, but it’s still a complex task. “For many physician practices and even smaller hospitals, bringing in outside expertise is almost a given,” says Chuck Kesler, chief information security officer for Duke Health.

Although cybersecurity and malware threats are constantly changing, Kesler says practices can take a few simple steps to reduce their risk.

Reduce Phishing Risks. One of the easiest ways to gain entry to sensitive data is by exploiting social skills or relationships, a tactic called social engineering. The most common example is phishing, in which hackers use an email that appears to be from a trusted person or institution (eg, colleague, bank, IT department) to extract information or gain entry to the system. Some of these are easy to spot, but some are not. Phishing can also occur via text message or phone calls.

Most hospitals and health systems have system-wide email filters that help sift out phishing messages, but independent practices will need to set up some safeguards on their own. Still, Kesler warns, even the best email filtering system can’t catch everything, so make sure staff are aware of common tactics. Be suspicious of attachments and web links, even if they’re from someone you know. Poor grammar, misspelled words, or calls for urgent action are other earmarks of phishing.

Update Early and Often. The best way to protect devices is by running security patches as soon as they become available. IT departments may take care of this process for hospital- or health system–
owned practices, but standalone practices need to do this on their own. Unfortunately, many smaller practices continue to run out-of-date software on older computers because of the cost and inconvenience associated with upgrading systems. Kesler says many of the ransomware attacks on health care systems could have been avoided by keeping patches current.

Use Encryption on All Devices. All sensitive data should be encrypted to make unauthorized access more difficult. This is especially important as devices get smaller, more portable, and easier to steal or lose. Most new laptops come with encryption capabilities built in, but older computers may require third-party software.

Choose Smart Passwords. Long passwords—such as 20 characters composed of 4 or more words (with a few scrambled letters, numbers, and special characters)—are more secure than short ones, Kesler says. Even better are password management systems, such as LastPass. These services generate random passwords, store them in the cloud, and automatically populate the password at login. Although even these services could be hacked, Kesler says it’s much safer than keeping a file of passwords on your computer. It’s also safer than using the same password for various websites. He points out that more than 1 billion passwords were stolen in the 2013 data breach at Yahoo, giving hackers insight into the favorite passwords of 1 billion customers—likely including someone in your practice.

Use Multifactorial Identification (also known as 2-factor or 2-step authentication—which are separate processes). This approach is gaining favor at banks, health care organizations, and companies that store sensitive information. After entering their password, users enter a code they receive on their smartphone or special key fob. Even if hackers get your password, they won’t be able to log in without that second piece of information.

Raise Awareness. Keeping staff informed about common scams can help. The HHS, American Medical Association, state medical societies, and even some hospitals provide training materials and workshops for staff in physician practices.

Despite these preventive measures, practice staff still need to be prepared to respond in case an issue arises. Having cyber liability insurance (often included in practice insurance) is essential. In fact, some health care systems require affiliated practices to show a certificate of insurance before providing access to their EHRs.