Is your medical practice at risk for a data breach? Chances are it could be. Most data breaches occur simply because medical practices have little to no monitoring, says Benjamin Caudill, co-founder and principal consultant at Rhino Security Labs in Seattle, WA.
“Despite the high costs of HIPAA fines and the risk of losing valuable patient data, many medical offices still are slow to ensure such data is secured,” he says.
Oftentimes, Caudill says, the flaws come down to social engineering: a secretary clicking a malicious link in an email, a doctor unknowingly entering login information into a phishing site, or some other human-based vulnerability that lets hackers compromise the internal network and access sensitive data.
The good news is that there are several steps your practice can take to minimize your risk for a data breach.
Add a monitoring system
One way to better protect your practice is through a managed security service provider, which can add monitoring and the technical expertise needed to protect patient data.
“Some of these firms even offer a discount for smaller practices in exchange for referrals or longer-term contracts, reducing the cost of this security protection even further,” says Caudill.
The primary challenge is simply getting the system to work as expected. All too often, Caudill sees a company tout a multi-million-dollar piece of equipment and everything it protects, then become baffled when he tests the security and it fails.
“This is a major goal of vulnerability assessments and penetration testing,” he says. “By trying to attack the network or application as a real adversary would, the company can see which of its protections work, which do not, and how to fix them.”
Examine your remote support solution
Are you using remote access to connect to files and data away from the office? Legacy point-to-point remote access solutions are a serious security risk, but more modern tools let practices reap the efficiency benefits without leaving them vulnerable to attack.
“To protect themselves, it’s imperative that healthcare organizations examine their remote support solution and ensure it meets the security requirements of today’s heightened environment,” says Nathan McNeill, co-founder and chief strategy officer for remote support provider Bomgar.
Among the considerations, McNeill notes, is making sure the remote support solution is deployed within the network and that full logs of all session activity are captured and stored.
“The good news for practices is that modern remote access solutions integrate with existing identity management and authentication tools,” says McNeill. “This allows users to log in to the solution with secure directory credentials, rather than the generic passwords that are often utilized with legacy products.”
Establish data security policies and educate employees
Insider threats have become the greatest data breach risk to businesses.
“Employees, partners, and vendors are all one thing—people,” says Robert Fitzgerald, president and founder of The Lorenzi Group, headquartered in Jackson, Miss. “And people are not perfect: some make mistakes like clicking a link or downloading a virus; others are malicious, such as copying data for resale or use; and still others are uneducated on the risks or proper procedures.”
In the medical offices Fitzgerald’s company has worked with, his team often sees improperly trained employees making mistakes that cause data breaches.
“The most important step practices can take to protect themselves is to create easy-to-understand policies for data security and protection and educate their employees,” he says. “So many times we have been called into a breach remediation and during our investigation learned that employees had never been properly trained. This is also the least expensive—best bang for the buck—option.”
Of course, all medical practices need to have antivirus and anti-spyware software and a firewall installed, Fitzgerald adds, and most will want an intrusion detection system (IDS) as well. HIPAA and HITECH regulators are requiring firewall and server log management and, in many instances, ongoing monitoring of machines on the network.
“We strongly encourage continuous monitoring systems,” says Fitzgerald.
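What “log management and ongoing monitoring” looks like at its smallest, as an added example that is not from the article or from any of the firms quoted in it: a Python rule that scans Linux sshd authentication log lines and raises an alert when one source address fails to log in repeatedly within a short window, and again if that same source then succeeds. The log excerpt, the hostname, the IP addresses, the 5-failures-in-10-minutes threshold and the alert names are all constructed for this illustration; a practice would feed the same kind of rule from a central log collector covering every server and workstation rather than from one file.

```python
"""Minimal continuous-monitoring rule over sshd authentication logs.

Added example; not code from the article or any vendor it quotes.
The sample log, host name, addresses and thresholds are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                    # failed logins from one source (assumed value)
WINDOW = timedelta(minutes=10)   # ...within this window (assumed value)

# Standard OpenSSH syslog line. The syslog timestamp carries no year,
# so the parser is told which year to assume.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample: a slow scan from 198.51.100.5 that stays under the
# rate, a fast brute force from 203.0.113.7 that ends in a successful login,
# one front-desk typo, and a normal key-based backup login.
SAMPLE_LOG = """\
Mar  3 07:00:00 ehr01 sshd[2100]: Failed password for root from 198.51.100.5 port 50001 ssh2
Mar  3 07:08:00 ehr01 sshd[2101]: Failed password for root from 198.51.100.5 port 50002 ssh2
Mar  3 07:16:00 ehr01 sshd[2102]: Failed password for root from 198.51.100.5 port 50003 ssh2
Mar  3 07:24:00 ehr01 sshd[2103]: Failed password for root from 198.51.100.5 port 50004 ssh2
Mar  3 07:32:00 ehr01 sshd[2104]: Failed password for root from 198.51.100.5 port 50005 ssh2
Mar  3 08:01:10 ehr01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2
Mar  3 08:01:12 ehr01 sshd[2210]: Failed password for invalid user admin from 203.0.113.7 port 51001 ssh2
Mar  3 08:01:14 ehr01 sshd[2211]: Failed password for root from 203.0.113.7 port 51002 ssh2
Mar  3 08:01:15 ehr01 sshd[2211]: Failed password for root from 203.0.113.7 port 51003 ssh2
Mar  3 08:01:17 ehr01 sshd[2212]: Failed password for drsmith from 203.0.113.7 port 51004 ssh2
Mar  3 08:01:19 ehr01 sshd[2212]: Accepted password for drsmith from 203.0.113.7 port 51005 ssh2
Mar  3 08:05:00 ehr01 sshd[2230]: Failed password for frontdesk from 10.0.0.24 port 40002 ssh2
Mar  3 08:05:40 ehr01 sshd[2231]: Accepted password for frontdesk from 10.0.0.24 port 40003 ssh2
Mar  3 09:30:00 ehr01 sshd[2300]: Accepted publickey for backup from 10.0.0.9 port 40010 ssh2
"""


def parse(line, year=2024):
    """Return a dict for an sshd login line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect(lines):
    """Sliding-window brute-force rule over chronologically ordered lines.

    Returns a list of (alert, ip, user, timestamp) tuples:
      brute_force               THRESHOLD failures from one ip inside WINDOW
      success_after_brute_force an Accepted login from an ip already flagged
    """
    recent_failures = defaultdict(deque)  # ip -> timestamps inside WINDOW
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        q = recent_failures[ev["ip"]]
        while q and ev["ts"] - q[0] > WINDOW:   # drop failures that aged out
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ev["ts"])
            if len(q) >= THRESHOLD and ev["ip"] not in flagged:
                flagged.add(ev["ip"])
                alerts.append(("brute_force", ev["ip"], ev["user"], ev["ts"]))
        elif ev["ip"] in flagged:
            # The source that was guessing passwords now got in: treat as
            # a probable compromise, not a routine login.
            alerts.append(("success_after_brute_force", ev["ip"], ev["user"], ev["ts"]))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Run against the sample it reports two alerts, both for 203.0.113.7: the brute-force rule fires on the fifth failure, and the accepted login for drsmith two seconds later is flagged because that source was already on the list. The slow scan from 198.51.100.5 never accumulates five failures inside any ten-minute window, and the front desk’s single typo followed by a correct password produces nothing, which is the noise floor a practice needs if staff are going to act on the alerts.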
In his experience, the two biggest areas of pushback Fitzgerald sees from medical practices are budgetary constraints and compliance buy-in.
“Many practices haven’t figured out that they need these systems in place to protect their business and often there is a battle for partial funding,” he says.
Another issue he sees is that security ends up falling on the shoulders of the IT team.
“This is unfair. In today’s medical practice, with so much relying on technology just to run the practice, the IT team needs to be solely focused on the IT infrastructure and making sure the hardware and software are running properly,” Fitzgerald stresses. “You can no longer expect someone to be responsible for fixing a printer one minute, updating software the next, and trying to keep the environment and its users safe. That is not practical.”
When the partners of the practice understand both the risks and the value these systems can bring, they will often jump on it quickly. The key to success, says Fitzgerald, is finding a solution that is scalable so that as the practice grows, the systems can grow with it, further reducing the lifetime cost.