Healthcare records are a rich source of personal and medical information, making them the perfect target for identity theft. With that in mind, it’s no surprise healthcare is the second most targeted industry for ransomware attacks. Additionally, the FBI has issued several recent warnings about the “unique and growing” threat ransomware presents to healthcare organizations.
The risk to small-sized physician practices is especially high because cyberattackers view these organizations as gateways to data from larger systems such as hospitals or health systems. Small practices typically don’t have the capital resources or personnel to sufficiently protect their data from attack, so even proactive efforts to stop cyberthieves can fall short.
How can small physician practices better defend themselves from cyberattack? Practice leaders should consider these three strategies:
Data Protection Strategy No. 1: Invest in cloud technology. Cloud technology can provide an added measure of security for small practices by enabling automatic access to the latest security tools and upgrades, and by providing enhanced data backup and recovery capabilities. Without a dedicated IT manager in charge of the practice’s security strategy, it’s not uncommon for a small practice to fall behind in applying security patches and upgrades. The organization then becomes an easy target for malware threats. Cloud technology effectively addresses the potential for risk in an economically attractive way.
Ask your application vendors whether cloud technology is an option for your practice. Make sure the vendor’s cloud applications can interface with other cloud applications, such as those used by your laboratory. While we tend to think of the cloud singularly, there are multiple clouds. Interoperability remains key.
Look for these attributes in any IT application your practice uses, not just cloud solutions:
- A daily backup solution—if not hourly—or a mirrored solution
- Encryption technology that protects data in transit and at rest
- Strong data loss prevention tools
- Security incident detection features and a detailed response plan
- A vendor with robust access controls and secured data centers
Data Protection Strategy No. 2: Focus on employee education. When it comes to protection of healthcare data in a small physician practice, employee education is crucial. It’s not uncommon for employees to check their Facebook account or their personal email from internal work systems or browse the internet for entertainment. This increases the risk of an employee opening an attachment or clicking a link that could leave the practice vulnerable to attack. Small practices also are dependent on personnel to lock down their computers when they step away to assist a patient or get a cup of coffee. The potential for human error or negligence is high.
It’s important to conduct ongoing training and education for your staff around the risks and proactive steps that can be implemented to better protect data security. Additionally, in an era of ransomware threats against healthcare organizations, all employees must be vigilant in verifying the identities of those who seek access to sensitive areas, including facility maintenance personnel. “If you see something, say something” is a good mantra for all small practice employees.
Three keys to developing an employee education program that protects your practice from risk:
- Leverage a dedicated trainer (either an internal leader or a professional educator).
- Conduct education programs on a regular and consistent basis, not just at the time of hire.
- Include programs that focus on security and compliance, with updated material, as needed.
Data Protection Strategy No. 3: Conduct risk analysis and consider partnering with a data security provider on an outsourced solution. Practices can conduct regular security assessments to ensure best practices are being leveraged and that their bases are covered. Outsourcing data security functions can also be an economically feasible solution that protects the organization and its patients, and takes the burden off a small practice’s already limited resources. Practices can engage with a data security provider to conduct a more thorough risk assessment of their IT security to identify potential security gaps, and make recommendations to address vulnerabilities and to ensure continued improvement. Look for solutions that are not only affordable, but also don’t disrupt staff and physician workflow.
Examining Your Options
While the actual probability of a ransomware attack may be low, the ramifications of such an attack are huge. The move toward cloud technology in particular is a trend that will increase among small practices as a proactive security measure. By implementing the right solution for your practice—whether that’s a cloud or a hybrid solution—and taking proactive measures to address security vulnerabilities, small practices can mitigate the risk of data theft and protect valuable medical information.
Chris Walls is President and CEO of Pulse, Inc.