In Brief: Cyberattacks are inevitable, and ambulatory providers face particular challenges in defending their patients’ health information. Here’s how to prepare.
Healthcare in 2016 had its share of memorable moments and big stories. One story that many people would like to forget concerned data breaches. Millions of patients had their health information compromised in a series of highly publicized cyberattacks targeting hospitals, health systems, and payers.
But forgetting isn’t an option. Cybercrime is a grim reality facing healthcare organizations, and 2017 is sure to bring a new round of devastating attacks. And while large entities such as hospitals and insurers are enticing targets for hackers, ambulatory providers are also highly vulnerable. Most outpatient centers lack the dedicated IT personnel common to a larger healthcare organization, thereby limiting their ability to plan for, detect, and respond to a cyberattack.
That doesn’t mean ambulatory organizations can’t shore up their defenses. As 2017 begins, here are five new year’s resolutions ambulatory providers can adopt to safeguard patient privacy and improve cybersecurity.
1. Improve passwords.
Developing strong password policies can reduce the risk of a breach. The longer and more complex a password, the more difficult it is to penetrate. Generally, passwords should be longer than six characters and include a combination of letters, numbers, and symbols. Users should also avoid creating passwords with common words, names of relatives or pets, and nicknames.
2. Grant access to data on a need-to-know basis.
Cybercriminals target patient health information (PHI) because of its value on the black market—from filing fraudulent insurance claims to using patient or insurer data to open bank accounts and take out loans. Between losing patient trust and incurring massive fines, the consequences of failing to protect privacy cannot be overstated. The fewer individuals who have access to PHI, the better.
- Limit your employees’ access to the patient data that is necessary for them to do their job.
- Minimize third-party vendors’ access to data.
- Monitor access logs for suspicious activities, such as one individual accessing an unusual number of records or records not related to their job responsibilities.
3. Encrypt all computers, mobile devices, and removable media.
Loss of mobile devices and media is among the top causes of data breach. Fully encrypting any data stored on a computer, mobile device, or removable media can mitigate the risk of breach if the device is lost or stolen.
HIPAA does not require that these devices be encrypted, but ambulatory organizations should make encryption mandatory—especially for portable devices, and even for desktop computers. Encryption encodes the data on the drive or device, which prevents anyone without the decryption key from accessing the data.
The major operating systems—Mac OS X and Microsoft Windows—both offer built-in encryption capabilities. Mobile devices such as iPhones and many Android phones offer encryption with automatic erasure if the device password is not entered properly after multiple retries.
4. Educate employees on cybersecurity risks.
Providers and staff are leading contributors to cybersecurity incidents—whether intentionally or through error. Educating your personnel on common cybersecurity risks can help make them a key source of strength in avoiding a cyber event.
Some examples of what to educate staff on include:
- How to be aware of suspicious emails.
- The need to keep usernames and passwords secret.
- The importance of reporting suspicious activity to the appropriate individuals.
Treating any cybersecurity event as a teaching opportunity can help your staff understand not only what happened but how to prevent a similar occurrence in the future.
5. Develop a plan of action in the event of a cyberattack.
Cybersecurity threats continue to evolve, especially as malicious actors adopt more sophisticated methods. The reality is that a cyber incident at any healthcare organization is almost inevitable.
One way to minimize the degree of harm is to develop a plan of action in the event of a breach. This will help your ambulatory organization to regain control; appropriately mobilize staff, legal advisors, and security vendors; and minimize or mitigate the damage.
- Designate responsible parties and present them with an incident response plan that details their roles and responsibilities.
- Establish clear protocols for dealing with a breach; review the policy at least annually to ensure it’s still relevant.
- Create a plan for communicating with patients in the event their data is compromised.
Fortifying the Outpatient Setting
In an environment of evolving regulations, increased consolidation, and greater emphasis on value, care delivery continues to shift to outpatient settings. That means more patient data is flowing through ambulatory organizations, making them attractive targets for cybercriminals. Ambulatory providers might not be able to completely avoid a breach, but by taking the actions outlined above, they can prepare themselves and minimize the damage from a cyberattack.
Published January 17, 2017