
    Insight Article
    Shannon Geis

    Recent cyberattacks have made big headlines and hit the healthcare industry hard. The WannaCry ransomware attack spread globally in May, compromising hundreds of thousands of computers, including the National Health Service in the United Kingdom. Another major ransomware attack hit in June, affecting the pharmaceutical giant Merck & Co., as well as Nuance, a prominent software company known for its speech recognition software used by many healthcare organizations.

    Outside of these high-profile ransomware attacks, data breaches continue to increase. In 2016, there were 329 reported healthcare data breaches of 500 or more records. By July 2017, the Department of Health and Human Services Office for Civil Rights had recorded nearly 200 data breaches, compromising more than 3 million records. Of the healthcare data breaches reported, a significant majority were by healthcare providers specifically.

    It is vital for medical practices to consider their current security risks and protect their organization’s information technology (IT) from a range of attacks and data breaches. In a July 11 MGMA Stat poll, only 55% of respondents said they feel their IT infrastructure is secure against attacks, while 15% reported their organization is working on it. Almost one-third of respondents said their organization has faced a cyberattack of some sort.

    Why is healthcare so vulnerable?

    Healthcare organizations are predicted to be the most targeted sector in the future, according to a data breach industry forecast by the credit bureau Experian. Attackers may target the industry because personal medical information can be very valuable to resell.

    Criminals can use medical data to create and sell fake identities or enable someone to conduct medical identity theft. The data can also be used for traditional identity theft because there is often enough information in medical records to open fraudulent accounts, explains Rebecca Weintraub, MD, assistant professor, Harvard Medical School, and Joram Borenstein, vice president of marketing and partnerships, NICE Actimize, in a recent Harvard Business Review article. Ransomware, as we have already seen this year, is also a top source for healthcare data breaches with the ability to halt a healthcare system’s operations until the hackers are paid.

    Slow adoption of security practices that could prevent attacks also contributes to vulnerability in healthcare organizations. The data breach industry forecast predicts that hospital networks will be a focus for attackers in the future, because “these more distributed networks present a ripe target for attackers as it is often harder to maintain security measures as compared to more centralized organizations.”

    EHRs are a primary target because a variety of different people have access to medical records on a regular basis, and the likelihood of accessing EHRs on a vulnerable computer is high. EHR records are also regularly transferred between different entities. “While there may be significant protections in place to secure them in transit, it only takes one compromised or outdated system to lead to exposure,” as noted in the data breach industry forecast.

    The Report on Improving Cybersecurity in the Health Care Industry, released in June by the Health Care Industry Cybersecurity Task Force, points out that “many organizations struggle with numerous unsupported legacy systems that cannot easily be replaced with large numbers of vulnerabilities and few modern countermeasures.”

    As healthcare organizations consider new technologies, including the use of mobile applications to access EHRs or connect with patients and internet-connected medical devices, new vulnerabilities will arise that could be exploited.

    Additionally, the culture of sharing in healthcare can complicate the issues of security and privacy. “The need to access information quickly to provide patient care needs has to be balanced with the need for cybersecurity protections,” according to the task force report. “While leaving workstations unlocked improves the speed with which a provider can access the patient’s information and identify potentially lifesaving allergies or drug interactions, these practices could lead to the loss, unauthorized access or alteration of patient data.”

    Implementing cybersecurity protections can be expensive, and smaller medical organizations may not have the information security resources to stay up to date on protecting their technology. A potential hacker could start by compromising a small practice and use information gathered to acquire the credentials necessary to gain access to larger systems.


    “Given the level of interconnectivity and diversity within the sector, the interdependency of subsectors on one another and the disparity between organizations’ ability to address cybersecurity issues, healthcare as a whole will only be as secure as the weakest link,” as noted in the task force report. The idea that only large organizations are targets misses the point. “In reality, healthcare organizations of all sizes are targets due to the interconnected nature of the industry and all organizations face resource constraints.” For this reason, it behooves organizations of all sizes to step up security.

    Steps you can take

    How can your organization be proactive about dealing with potential cybersecurity issues? MGMA Government Affairs has outlined some of the action steps you can take to mitigate your risks and to protect patient data and your practice. View the full list at mgma.com/cybersecurity-action-steps.

    HIPAA Security Risk Assessment

    Completing a HIPAA Security Risk Assessment has been required since 2005, when the HIPAA Security Rule went into effect. If you haven’t conducted one at all or if you haven’t conducted one in a while, it can be a great starting place. The assessment should review issues related to the potential of an external cyberattack, as well as your organization’s administrative, physical and technical safeguards.

    Paul Vanchiere, MBA, MGMA member, principal, Physician Intelligence, Lafayette, La., says practices should really embrace the assessment. “This is an opportunity to make sure that you batten down the hatches,” he says.

    He recognizes that it can be hard to make time for an assessment. “[It is] hard running a practice, I know.” But patients entrust their most intimate personal and financial information to a medical organization, and “it needs to be protected at all costs,” Vanchiere explains.

    If you are worried about the costs of doing an assessment or building out your security, Vanchiere recommends talking with your medical malpractice company — it may be willing to sponsor your efforts — or reaching out to medical associations in your area that may offer grant programs.

    Regular updates

    “Given that most transactions in the healthcare sector are conducted through vulnerable hardware and software, it’s critical for providers and payers to strengthen their cybersecurity,” Weintraub and Borenstein write.

    The WannaCry ransomware attack was successful because it exploited older versions of the Windows operating system that were no longer supported by Microsoft but that many organizations were still using. Microsoft released a security update to address the vulnerability that the WannaCry attack exploited, including for those versions of the operating system that the company no longer supports, because the attack was so widespread.

    But it is not common for software companies to send out updates for systems they no longer support. Using an older version of an operating system or not regularly updating the operating system can make your practice extremely vulnerable to cyberattacks. Make sure that your organization is using the most recent version of your operating system and software, and be sure to regularly install security updates.

    Encryption

    Encryption is another important tool to protect your data against attack. MGMA Government Affairs recommends encrypting all files and systems that contain patient information. You can obtain encryption programs that can be used on individual files or on entire computer drives. This can be an essential step because any patient data that is lost or stolen is not considered a breach under federal law if it has been encrypted.

    “The more you can protect [personal health information], the more you can minimize your chance of compromise if it gets into the wrong hands,” says Kathryn Wickenhauser, MBA, CHTS, MGMA member, regulatory compliance advisor, DataFile Technologies, Kansas City, Mo. “When we can add that extra layer of security and safety, we certainly should.”
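    The recommendation above is to encrypt files and drives that hold patient information. The program below is an added illustration of what file-level encryption at rest looks like in practice; it is not code from MGMA or from any vendor named in this article, and the function names, the record label and the sample chart text are all assumptions constructed for the example. It uses AES-256-GCM from Go’s standard library, so a stolen copy of the encrypted file cannot be read without the key, and any tampering with the file, or any attempt to pair a record with the wrong label, is detected rather than silently decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
	"os"
	"path/filepath"
)

// NewKey returns a fresh 256-bit key. The key must live apart from the data it
// protects (an OS key store or a key vault), never in the same folder as the files.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext with AES-256-GCM. The output is nonce || ciphertext || tag.
// label is authenticated but not encrypted (for example a record identifier), so a
// ciphertext cannot be moved to a different record without the check failing.
func Encrypt(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // a new random nonce for every file
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// Decrypt opens data produced by Encrypt. Any modified byte, a wrong key, or a
// mismatched label makes gcm.Open return an error instead of garbage plaintext.
func Decrypt(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, label)
}

// EncryptFile and DecryptFile wrap the byte-level functions for files on disk.
// The file's relative name is used as the authenticated label.
func EncryptFile(key []byte, src, dst string) error {
	data, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	sealed, err := Encrypt(key, data, []byte(filepath.Base(src)))
	if err != nil {
		return err
	}
	return os.WriteFile(dst, sealed, 0o600)
}

func DecryptFile(key []byte, src, dst string) error {
	sealed, err := os.ReadFile(src)
	if err != nil {
		return err
	}
	data, err := Decrypt(key, sealed, []byte(filepath.Base(dst)))
	if err != nil {
		return err
	}
	return os.WriteFile(dst, data, 0o600)
}

func main() {
	dir, _ := os.MkdirTemp("", "phi-demo")
	defer os.RemoveAll(dir)
	plain := filepath.Join(dir, "chart.txt")
	// Constructed sample record; not real patient data.
	_ = os.WriteFile(plain, []byte("Jane Doe (constructed), MRN 000000, allergy: penicillin"), 0o600)
	key, _ := NewKey()
	_ = EncryptFile(key, plain, plain+".enc")
	_ = os.Remove(plain)
	fmt.Println("encrypted copy written; decrypt error with wrong key:",
		DecryptFile(make([]byte, 32), plain+".enc", plain) != nil)
	fmt.Println("decrypt with correct key:", DecryptFile(key, plain+".enc", plain))
}
```

    Two design points matter for a practice evaluating encryption products: the nonce is never reused with the same key, and the authentication tag means a corrupted or altered file is refused outright. Whole-disk encryption protects a lost laptop; file-level encryption like this also protects individual records copied to a share, a USB stick or an email attachment.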

    Cyber insurance

    Many medical liability carriers now offer cyber insurance policies that can help protect your practice. If you decide to shop for cyber insurance, you should review plans and see if there is one that works for your practice depending on your size, the safeguards you already have in place and the scope of coverage.

    If you do decide to obtain cyber insurance, make sure that you understand the conditions of the policy. “In order to be compliant, you have to do certain things,” explains Vanchiere. Don’t expect that your cyber insurance policy will protect you carte blanche; make sure your practice is still taking proper security measures to mitigate your risks, otherwise your policy might not do you any good.

    Training

    All clinical and administrative staff should receive training regularly. Best practices should be spelled out in your employee handbook, which should include policies for using the organization’s IT equipment and software, as well as employees’ personal devices, since it is becoming more accepted for staff to use personal devices while at work.

    Be certain staff members know not to open emails, attachments or links from unfamiliar senders and to report suspicious messages immediately. Phishing attacks — sending compromising links or attachments via email — are a common way for hackers to obtain access to secured systems.

    If it has been a while since you have discussed cybersecurity with your staff, consider regular retraining to keep everyone up to date.

    Data backup

    Backing up your practice’s data is an essential way to protect yourself if you are attacked, particularly in the case of a ransomware attack. One respondent in a July 11 MGMA Stat poll said of their practice’s experience, “We survived a ransomware attack and didn’t have to pay — [we] used our backup tapes and were fine.”

    Review different third-party data backup vendors and consider storing data at a secure, off-site location to increase your protection.
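    A backup only helps against ransomware if the copy is intact when you need it, which is why a restore should be tested rather than assumed. The program below is an added illustration of that check and is not code from MGMA or from any backup vendor; the manifest file name, the function names and the sample files it creates are assumptions constructed for the example. It copies a folder to a backup location, records a SHA-256 digest for every file in a manifest, and later re-hashes the backup so that a corrupted, encrypted or missing file is reported before anyone relies on it.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"strings"
)

// manifestName is an assumed file name for the digest list kept beside the copies.
const manifestName = "MANIFEST.sha256"

func hashFile(path string) (string, error) {
	f, err := os.Open(path)
	if err != nil {
		return "", err
	}
	defer f.Close()
	h := sha256.New()
	if _, err := io.Copy(h, f); err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Backup copies every regular file under src into dst and writes a manifest of
// "<sha256>  <relative path>" lines. It returns the number of files copied.
func Backup(src, dst string) (int, error) {
	var lines []string
	err := filepath.WalkDir(src, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err
		}
		if d.IsDir() {
			return nil
		}
		rel, err := filepath.Rel(src, p)
		if err != nil {
			return err
		}
		out := filepath.Join(dst, rel)
		if err := os.MkdirAll(filepath.Dir(out), 0o700); err != nil {
			return err
		}
		data, err := os.ReadFile(p)
		if err != nil {
			return err
		}
		if err := os.WriteFile(out, data, 0o600); err != nil {
			return err
		}
		sum := sha256.Sum256(data)
		lines = append(lines, hex.EncodeToString(sum[:])+"  "+filepath.ToSlash(rel))
		return nil
	})
	if err != nil {
		return 0, err
	}
	manifest := strings.Join(lines, "\n") + "\n"
	if err := os.WriteFile(filepath.Join(dst, manifestName), []byte(manifest), 0o600); err != nil {
		return 0, err
	}
	return len(lines), nil
}

// Verify re-hashes every file named in the manifest and returns the relative
// paths that are missing or whose digest no longer matches the recorded one.
func Verify(dst string) ([]string, error) {
	f, err := os.Open(filepath.Join(dst, manifestName))
	if err != nil {
		return nil, err
	}
	defer f.Close()
	var bad []string
	sc := bufio.NewScanner(f)
	for sc.Scan() {
		parts := strings.SplitN(sc.Text(), "  ", 2)
		if len(parts) != 2 {
			continue // blank trailing line
		}
		want, rel := parts[0], parts[1]
		got, err := hashFile(filepath.Join(dst, filepath.FromSlash(rel)))
		if err != nil || got != want {
			bad = append(bad, rel)
		}
	}
	return bad, sc.Err()
}

func main() {
	src, _ := os.MkdirTemp("", "practice-data")
	dst, _ := os.MkdirTemp("", "practice-backup")
	defer os.RemoveAll(src)
	defer os.RemoveAll(dst)
	// Constructed sample files standing in for practice data.
	_ = os.WriteFile(filepath.Join(src, "schedule.csv"), []byte("2017-07-11,room 2\n"), 0o600)
	_ = os.WriteFile(filepath.Join(src, "notes.txt"), []byte("constructed note\n"), 0o600)
	n, err := Backup(src, dst)
	fmt.Println("files backed up:", n, "error:", err)
	bad, _ := Verify(dst)
	fmt.Println("problems on fresh backup:", bad)
	// Simulate a backup copy that was overwritten after the fact.
	_ = os.WriteFile(filepath.Join(dst, "notes.txt"), []byte("garbage"), 0o600)
	bad, _ = Verify(dst)
	fmt.Println("problems after corruption:", bad)
}
```

    Run this kind of verification on a schedule against the off-site copy, not only the local one, and keep the manifest with the backup so the check can be repeated from any location. The same comparison, run against the original folder, also tells you quickly which live files changed if ransomware alters data in place.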

    Penetration tests

    To verify that your practice’s security safeguards are working, conduct periodic penetration tests, which can be performed by third-party vendors, according to Vanchiere. These tests will probe your networks and systems to find holes in your security and expose what kind of information could be revealed if these holes were exploited by an attacker.

    Maintaining your security

    Once you have identified and addressed your practice’s cybersecurity risks, it is important not to let these issues get put on the back burner. Hackers find new ways to exploit systems all the time, so it is important for you to stay vigilant and set up procedures to keep your systems up to date.

    “[There are] some set standards but at the same time there is not an end-all, be-all, one single thing for being secure. It’s definitely changing,” Wickenhauser says. “If I could offer one piece of advice in that realm it just would be to assess your opportunities for improvement continually. There will always be opportunities for improvement.”

    “It’s really about checklists,” Vanchiere says. He recommends outlining steps that should be taken on a regular basis in your practice to maintain security, and checklists can help make those steps achievable. “That’s really where it becomes helpful — the discipline to do what you need to do every day, every week, every month to stay on top of it.”

    The threat of data breaches and cybersecurity attacks will never be fully eradicated, Vanchiere says. “[You] have to ask yourself, am I doing everything I reasonably can to protect the information that’s been entrusted to me? Maybe that’s hokey, but if you can’t answer that question honestly, then you probably need to do something about it.”
