Cyber Security For Medical Practices and Data Privacy Compliance
Summary: Securing private patient data on a small medical practice's computer network is critical for patient privacy compliance. Robust network cybersecurity also protects practice employees' private data, business productivity and company assets.
For cybercriminals, private medical data is a crown jewel. A successful cyberattack can give a bad actor enough personal details about patients to steal their identities. Names, addresses, phone numbers, Social Security numbers, driver's license numbers and emergency contacts are some of the primary data points that lead to identity theft. The breached data is a valuable commodity that is often resold multiple times on the dark web. Employee records are usually taken in the same breach; they contain medical data in addition to payroll, licensing, tax and banking information.
Medical Cybersecurity Considerations in Computer Networks
Medical facilities and medical practices rely on computer networks for daily healthcare functions. Smart medical devices that provide patient care and environmental controls are also linked to the medical provider’s network. Security cameras, smart thermostats and lighting are network-connected devices. A data breach could derail patient care. Imagine unavailable patient records, infusion pumps malfunctioning, monitors resetting, or pharmacy orders derailed.
The vast list of connected medical devices now used in medical practices has increased the attack surface and created more vulnerabilities through which hackers can breach medical networks. Each smart device is a vulnerable endpoint that must be secured. One unprotected device connected to your network is all hackers need to breach it. Device protection can include the following types of medical devices and platforms:
- Practice Management Systems – The systems that store and use most private patient healthcare data need the strongest protection in the practice. The Health Insurance Portability and Accountability Act, or HIPAA, is a federal law that protects patients' health information and establishes standards for the electronic exchange of health information. Inadequate safeguards lead to data breaches and identity theft; failing to meet HIPAA's requirements adds fines, lawsuits and other crippling after-costs on top. Patient healthcare data security on practice management systems cannot be overlooked. The ongoing consequences of inadequate healthcare cyber security could put a small medical practice out of business.
- Prescription Systems – The prescribing systems used to dispense and manage patient prescriptions hold valuable data. For patients, this is very private data. Prescription medication information also requires protection from data breaches. Cybercriminals now attempt to extort ransom payments from both practices and patients.
- Radiology Information – Radiology systems store images and data. Images and radiology test results are private patient data that must be secured.
- Clinical Decision Information Management – Through clinical decision systems, medical professionals can access and share patient information to help them provide the proper diagnoses and care. As with all patient information, it requires protection.
- The Internet of Medical Things (IoMT) – IoMT devices include all the patient monitoring equipment, infusion pumps and remote patient data collection devices that transmit data directly to the monitoring physicians.
- Internet of Things (IoT) – Smart devices of all types are potential endpoints through which your medical practice’s network may be breached. Smart screens, wireless speakers and cameras are all devices where patient data may be stored or accessed. Include them in your cyber security plan.
- Operational and Environmental Systems – Systems such as elevator controls, HVAC, air filtration and smart vacuums are all devices that could need medical cybersecurity. A breach of these network-connected systems could impact your practice and lead to patients being put at risk.
Cyber Security for Medical Practices: The Stakeholders
To fully understand health IT security, one must identify the stakeholders and the specific policies and protocols your medical staff must follow. The main stakeholders are:
- Patients – Patients expect that the private data they share with their physicians will be secure and not seen by anyone other than authorized medical staff without the patient's express permission. Patients assume that their personal and medical information will be safe and that the medical practice's cyber security will comply with all HIPAA requirements.
- Medical Practice Staff – Medical office IT security training for employees is vital to healthcare cyber security. Your physicians, nurses and staff need to understand how to work responsibly on your network and the health IT security best practices for protecting private medical data. Everyone in the practice must also receive follow-up and refresher training sessions. Clear cyber security protocols and practices should be fully documented, kept up to date and available to all authorized parties. Cyber insurers increasingly require proof that cyber security best practices were followed before paying claims for losses such as fraudulent wire transfers triggered by phishing.
- Other Doctors and Medical Practices – Doctors often communicate with other doctors, outside medical facilities and vendors. They, too, are stakeholders in your health IT security and must have confidence in network and online communications with your medical practice. Hackers sometimes use small businesses as a weak access point into larger networks.
- Vendors – Any authorized vendors who supply goods or services to your medical practice via the practice network must also document cyber security awareness training and adherence to your policy to access any part of your network. Network-connected vendors bring additional vulnerabilities and must comply with your policies, or your practice should not risk working with them.
Medical Cybersecurity Must Protect Data in Many Places
Compliance with data protection laws can only be achieved by protecting all possible attack points. Small medical practices are particularly vulnerable to cyberattacks. They must address all the possible ways cyber thieves attempt to breach medical data, including:
- Through Email, Phone, Social Media and Texting – Medical professionals and their support staff use email to share many types of sensitive patient data, and much of that data stays in their inboxes. Staff can also unwittingly set off a phishing attack by clicking embedded links or opening attachments without first verifying the sender's authenticity. Phishing emails are built to look like they come from a trusted source; they might look legitimate, but they are cleverly conceived hoaxes. For example, an email might come from johndoe@qmail.com. At first glance, this looks like a Gmail account, but on closer inspection the “g” in “gmail.com” has been replaced with a “q.” Check the actual sender address rather than the display name, and check where a link really points before clicking it. Phishing scams often contact victims through multiple channels (such as phone and email) to add familiarity to their scam. Hackers will target and impersonate anyone connected to the practice who is authorized to transfer large sums of money (accountant, bank, insurance company, property manager, payroll company, attorney). Employee training can teach everyone on your staff how to tell whether an email is from a trusted source or merely disguised to look like it is.
- Via Unprotected Medical Devices – Every device connected to your network is a vulnerable endpoint for hackers. Each endpoint should be viewed as a potential entry point for bad actors to launch a cyberattack. Every device must be protected, from nurses’ local PC stations, smart monitors and speakers to the tablets used by clinicians and scribes. Healthcare network security for medical offices is essential for protecting data accessed or shared by any device connected to your network and helping avoid devastating cyberattacks that take months or years to recover from.
- Through Non-Medical Smart Devices – As mentioned earlier, there are many non-medical smart devices that are part of the IoT. Cybersecurity for healthcare providers requires that every connected device, whether medical or not, be protected.
- Legacy Systems – Due to the complexity of medical networks, updating devices and system software can be arduous and costly. A legacy system is any outdated system no longer supported by its developers. More often than not, small medical practices keep using legacy systems until they malfunction or until an upgrade fits the budget. HIPAA requires that all private data be protected even when it sits on an outdated system. Cyberattacks are very costly and disruptive events. Consider the risks of using an outdated, unsupported system that no longer receives security updates, and if one cannot be replaced yet, isolate it on its own network segment and restrict which devices and users can reach it.
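As an added example (not code from the original article or from any product it mentions), the following Python script applies the lookalike-domain check described in the email bullet above to a batch of sender addresses. The trusted-domain list and the sample addresses are constructed for illustration. It flags domains that are one typo away from a trusted domain, common look-alike swaps such as "rn" for "m" or "1" for "l", Unicode look-alike characters, and a trusted name buried inside an unrelated domain (gmail.com.evil.net).

```python
"""Flag sender domains that imitate a trusted domain.

Added example for this article; not code from any product it mentions.
TRUSTED_DOMAINS and the sample addresses below are constructed.
"""
import unicodedata

# Constructed allow-list of domains the practice actually corresponds with.
TRUSTED_DOMAINS = {"gmail.com", "example-practice.com", "payroll-vendor.com"}

# Character sequences attackers substitute because they look alike.
CONFUSABLE_FOLDS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def edit_distance(a, b):
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def fold_confusables(domain):
    """Replace look-alike sequences so 'grnai1.com' folds to 'gmail.com'."""
    for lookalike, real in CONFUSABLE_FOLDS:
        domain = domain.replace(lookalike, real)
    return domain


def classify_sender(address):
    """Return 'trusted', 'lookalike' or 'unknown' for an email address."""
    if "@" not in address:
        return "unknown"
    raw = address.rsplit("@", 1)[1].lower().rstrip(".")
    # Exact trusted domain, or a genuine subdomain of one.
    if raw in TRUSTED_DOMAINS or any(raw.endswith("." + t) for t in TRUSTED_DOMAINS):
        return "trusted"
    # NFKC maps fullwidth and other Unicode look-alikes onto ASCII letters.
    norm = unicodedata.normalize("NFKC", raw)
    if norm in TRUSTED_DOMAINS:
        return "lookalike"          # only a Unicode trick separated it from trusted
    folded = fold_confusables(norm)
    labels = norm.split(".")
    for trusted in TRUSTED_DOMAINS:
        if folded == trusted or edit_distance(norm, trusted) <= 1:
            return "lookalike"      # one typo or one confusable swap away
        if trusted.split(".")[0] in labels:
            return "lookalike"      # trusted name used as a label: gmail.com.evil.net
    return "unknown"


def triage(addresses):
    """Classify a batch of inbox senders: address -> verdict."""
    return {addr: classify_sender(addr) for addr in addresses}


if __name__ == "__main__":
    # Constructed sample senders.
    for addr, verdict in triage([
        "johndoe@gmail.com", "johndoe@qmail.com", "johndoe@grnail.com",
        "billing@gmail.com.evil.net", "janedoe@outlook.com",
    ]).items():
        print(f"{verdict:9} {addr}")
```

This is a triage aid, not an authentication control: it only tells you that a domain resembles one you trust. Whether mail really came from a trusted domain is decided by SPF, DKIM and DMARC checks on the receiving mail server, and a wire-transfer request should be confirmed over a phone number you already have, never one supplied in the message.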
Ransomware: The Worst Enemy of Medical Cybersecurity
Ransomware attacks are on the rise. When hackers launch a ransomware attack, they encrypt practice data, and often the systems it runs on, so that nothing works. They then demand a ransom payment in exchange for the decryption key. Demands typically come with a deadline after which the price rises. There is no guarantee that the hackers will release your data or return it in usable condition. Most ransomware groups also copy data out of the network before encrypting it, so even if you pay they keep a copy that can be leaked or sold repeatedly to other cybercriminals. Hackers may also attempt to extort patients directly, threatening to release private medical information.
However, depending on your medical practice, a ransomware attack could put more than data privacy and profits at risk. If all your medical devices and operational equipment are part of your network and stop functioning due to malware, patients’ care could be compromised during an attack.
Cybersecurity for Healthcare Providers is Complex
Although ransomware attacks are a current favorite of cybercriminals, healthcare cyber security professionals must also address a long list of other common threats:
- Insider Threats: Inadvertent and Intentional Data Exposure – Data can be exposed innocently or maliciously. Perhaps an employee misplaces their tablet and does not report the loss right away. Maybe incorrect permissions allow access to medical data to the wrong employee. Also, a malicious insider (staff or someone who interacts with the medical practice) can intentionally breach data for personal or nefarious reasons. Managing healthcare cyber threats has many moving parts. Enlist the services of health IT security professionals to help secure your data. The risk and loss potential are too great to ignore or handle data security on your own.
- Malware Attacks – Malicious software, or malware, gives an attacker unauthorized access to your computer network, its devices and the private data stored on them. Different types of malware let hackers collect private data, log keystrokes that expose passwords, steal other access credentials or take control of your systems. Once launched, malware spreads laterally through an unprotected network and disrupts operations.
- Vulnerabilities – It is crucial to keep your healthcare cyber security robust. Part of that process requires keeping all software and devices up to date. Old devices and unpatched software can increase your system’s cyber vulnerabilities and open the door to hackers. Cybercriminals will exploit known software vulnerabilities. Health IT security companies can perform regular risk assessments to identify weaknesses or gaps in security coverage. Risk assessments are explained in more detail later in this article.
Healthcare Cyber Security Best Practices
Every medical practice has different cyber security requirements and risks. However, even with the best security in place, it can all fall apart if all employees are not on the same page for data protection. Medical office IT security training for employees requires that all users complete training, adhere to the best practices and policies and each new employee be trained. Attack methods and defenses continue to change. Therefore, updated training should be completed regularly, especially when employee phishing tests reveal gaps in knowledge.
Visibility and Medical Cybersecurity
You can’t protect things you don’t know about. It might seem obvious, but having complete, real-time visibility across your medical practice’s system is essential. Visibility includes knowing everything and everyone connected to your practice’s network, what services they provide, the data collected, how it’s accessed and managed and what cyber security safeguards are assigned to every device. Real-time visibility will help you identify vulnerabilities before hackers breach them and can help you know what devices are connected to the network at any time. In a sense, visibility can provide a “map” of a cyber thief’s attack landscape. The visibility process can help you and your IT experts spot potential problems early and avoid cyberattacks. There are affordable managed cybersecurity service providers that manage this for small practices.
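As an added example (not code from the article or from any managed service it mentions), the following Python script shows the simplest form of the inventory check described above: it parses DHCP lease lines in dnsmasq's lease-file format, compares each device's MAC address against an asset inventory, and reports devices that are not in the inventory or that show up on a network segment other than the one they belong on. The inventory, the segment plan and the lease lines are all constructed for illustration.

```python
"""Reconcile DHCP leases against an asset inventory.

Added example for this article; the inventory, segments and lease lines are
constructed for illustration (dnsmasq lease format: expiry mac ip hostname id).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed inventory: MAC -> (device name, segment it is allowed on).
INVENTORY = {
    "aa:bb:cc:00:00:01": ("front-desk-pc", "staff"),
    "aa:bb:cc:00:00:02": ("infusion-pump-3", "clinical"),
    "aa:bb:cc:00:00:03": ("lobby-camera", "iot"),
}

# Constructed VLAN plan: clinical devices stay off the staff and IoT networks.
SEGMENTS = {
    "staff": ip_network("10.0.10.0/24"),
    "clinical": ip_network("10.0.20.0/24"),
    "iot": ip_network("10.0.30.0/24"),
}

# Constructed lease-file contents, including one malformed line.
SAMPLE_LEASES = """\
1700000000 aa:bb:cc:00:00:01 10.0.10.21 FRONTDESK 01:aa:bb:cc:00:00:01
1700000000 aa:bb:cc:00:00:02 10.0.20.5 * 01:aa:bb:cc:00:00:02
1700000000 aa:bb:cc:00:00:03 10.0.30.7 lobby-cam *
1700000000 de:ad:be:ef:00:99 10.0.20.77 smart-speaker *
1700000000 AA:BB:CC:00:00:03 10.0.10.44 lobby-cam *
garbage line that should be skipped
"""


@dataclass(frozen=True)
class Lease:
    expires: int
    mac: str
    ip: str
    hostname: str


def parse_leases(text):
    """Parse lease lines; MACs are lower-cased so case differences cannot hide a device."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue  # malformed line
        leases.append(Lease(int(parts[0]), parts[1].lower(), parts[2], parts[3]))
    return leases


def segment_of(ip):
    """Name of the segment an IP address belongs to, or 'unknown'."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "unknown"


def audit(leases):
    """Return (finding, mac, ip, detail) tuples for anything that needs a look."""
    findings = []
    for lease in leases:
        entry = INVENTORY.get(lease.mac)
        if entry is None:
            findings.append(("unknown-device", lease.mac, lease.ip, lease.hostname))
            continue
        name, allowed = entry
        seen = segment_of(lease.ip)
        if seen != allowed:
            findings.append(("wrong-segment", lease.mac, lease.ip,
                             f"{name} allowed on {allowed}, seen on {seen}"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_leases(SAMPLE_LEASES)):
        print(*finding)
```

On a real network the lease file comes from the DHCP server, and the same comparison can be run against switch MAC tables or ARP caches to catch devices with static addresses. MAC addresses can be spoofed, so this gives visibility, not enforcement; keeping unknown devices off the network is the job of 802.1X or a network access control product, and the inventory only stays useful if someone owns keeping it current.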
Cybersecurity for healthcare providers is not a DIY project. Trained medical cybersecurity professionals must evaluate your entire healthcare computer system, make recommendations and properly configure device settings. They can set up alerts to warn of potential threats or suspicious network traffic. Once all protective measures have been taken, they can monitor your system and train your practice’s staff on what they must do to support your cybersecurity. The most vital functions that healthcare cyber security experts will provide are:
- Risk Assessments – IT cyber security professionals conduct risk assessments regularly to evaluate your practice's network for possible vulnerabilities. Risk assessments are not one-and-done. The HIPAA Security Rule requires a documented risk analysis, and keeping it current (at least yearly, and after any significant change to systems or vendors) helps maintain HIPAA compliance and eligibility for cyber insurance. Healthcare network security for medical offices addresses specialized security considerations.
- Security Controls – Many layers of cyber security tools and controls are required to minimize the chances of your medical practice falling victim to a cyberattack. Those controls also include creating an advance plan for employees in the event of a cyberattack. The plan will outline each task and who will perform it. Some additional security controls include:
- Antivirus Software – Antivirus software has been around for a long time, but signature-based scanning alone is no longer enough; use an up-to-date, professional-grade endpoint detection and response (EDR) product. Hackers invent new attack methods, and out-of-date protection will leave your practice's network vulnerable. Many EDR products are sold with managed detection and response, that is, live security operations center (SOC) monitoring that alerts your IT security provider when a threat needs to be investigated and resolved.
- Data Encryption – Data encryption is vital to any cyber security plan. Encrypt data at rest (disks, backups, portable devices) and in transit (TLS on every connection). Properly encrypted data is unreadable to anyone without the key, so a stolen laptop or backup drive does not become a breach of patient data. Encryption at rest does not stop ransomware, however: the attacker operates through a logged-in system that can already read the data. Protecting the keys matters as much as turning encryption on.
- Data Backup and Storage – Where and how you store data is vitally important. Schedule frequent backups, store copies securely in the cloud or on local storage drives, and keep at least one copy offline or immutable, because ransomware will encrypt any backup it can reach from the network. Test restores regularly; a backup that has never been restored is an assumption, not a plan. In the event of a ransomware attack, a clean, current backup copy of your data will allow you to resume productivity quickly.
- Password Managers – Password managers are powerful, multi-function cyber security tools. They can generate strong, multi-character, unique passwords and store them securely. Everyone on your staff (including physicians) should be required to use them. Simple or re-used passwords are risky and no longer acceptable.
- Multi-Factor Authentication – In addition to creating and securely storing passwords, multi-factor authentication (MFA) should be deployed to require a second proof of identity, typically from another device. Examples are a code sent by text message to your phone, an authenticator app, a hardware security key, fingerprint recognition and ocular (eye) recognition. Text-message codes are the weakest of these, since they can be intercepted or phished; prefer authenticator apps or, better, phishing-resistant hardware keys and passkeys. Each factor adds a layer to your medical cybersecurity. Many insurers now require proof of MFA use when settling fraudulent payout claims.
- Firewalls – Firewalls are a network's gatekeepers, monitoring network traffic for security threats. They have long been one of the frontline defenses against cyber threats and another critical layer of medical network cybersecurity.
- Incident Response Planning – You cannot wait until your system is under attack to plan how to respond to a data breach. Cyberattacks are chaotic and confusing events. Every detail of your practice’s response to an attack must be meticulously planned before an attack occurs. With the help of health IT security experts, you can create a comprehensive plan for what actions are to be taken and by whom.
- Zero Trust – Zero trust is now an IT security standard. It is often confused with the “principle of least privilege,” which is one of its building blocks. Under a zero-trust policy, no user, device or connection is trusted because of where it sits on the network; every request is authenticated and authorized, and medical practice users are given the minimum access permissions required to perform their jobs. Zero trust is not just about user access permissions; the same rules apply to devices, services and private medical data. Many potential cyber threats can be averted by keeping tight control of access permissions.
The ROI of healthcare cyber security services might not seem immediately apparent. However, the costs of securing your medical network are nothing compared to the potential costs of a medical data breach. In addition to financial losses, some of those costs include:
- HIPAA Regulatory Penalties – Failure to comply with regulatory requirements can prompt fines and other penalties.
- Lawsuits and Legal Fees – If patients or employees sue a medical practice for compromised private medical or personal data, the financial exposure can be catastrophic. In addition to the amount awarded in a lawsuit, the legal fees can be onerous.
- Lost Data Access from a Ransomware Attack – As mentioned earlier, a ransomware attack has many consequences. Still, losing access to patient data is the most dangerous, as it can directly affect patient health. If you cannot recover data, can you recreate it? Also, specialized medical equipment and environmental controls may be unavailable during and after an attack, depending on the extent of your practice's networked devices.
- Damaged Reputation – It is easy to understand that if patients and medical professionals discover that a practice has suffered a significant cyberattack, they might lose faith in it.
- Lost Productivity – A cyberattack can affect a practice's computer system on every level. In addition to patient treatment delays, services can be disrupted, and new patient onboarding may cease.
Case Study
A practice operated two offices in Queens, New York. When they first opened the practice over 20 years ago, they invested in what was the best medical cyber security at that time. Although they did a little updating and upgrading over the years, cyber security was not a priority in their day-to-day operations. One of the physician assistants accessed patient data to check on a friend's test results, itself an unauthorized access. While the files were open, the PA also opened their email and clicked on a malicious link in a message. The system was slow throughout the afternoon. The following morning, every screen showed a ransom message when opened. Less than a year later, the practice closed in the face of fines, ongoing lawsuits and the loss of business and referrals.
Key Takeaways: Failing to Protect Patient Medical Data Is a Risk Not Worth Taking
Cyber security for medical practices is paramount to protecting private patient and employee data. Cyberattacks put patient care at risk when network devices and patient data become unavailable. All stakeholders, from patients to clinicians to other medical practices, count on you to be fully data security compliant. Because the stakes are so high, cyber security must be addressed in your budget and business plan. Cybersecurity is commonly cited at roughly 10% of total IT spending. It is far less expensive and time-consuming to avoid a cyberattack than to recover from one.