For small medical offices, cyber risks loom
If we looked at each industry and asked which one has the most data, health care is the biggest one, said
It's a threat big hospitals are well aware of, said Biretz. But as those hospitals hire full-time teams devoted to network security, Biretz and others are warning small, independent practices they face many of the same risks, and many don't realize it until they've suffered a breach.
They don't understand how big a deal it is yet, said Biretz.
Small medical practices face multiple vulnerabilities, including outdated medical software and staff often left untrained in how to avoid phishing scams or use safe passwords, practices network security experts call cyber hygiene.
I insure a local independent firm. They do about
The annual premium came to
Biretz said his best customers are those who have already experienced a breach, but by then the company has already endured a loss of money and a loss of trust among their patients.
Which is to say nothing of the legal liability a practice may face.
When you have a breach, not only do you have an immediate hit to your revenue because you can't conduct business, but the attorney general gets involved for all the states your clients lived in and they impose many, many steps that have to be followed to inform your clients but also any fines they might impose, said Biretz.
The Health Insurance Portability and Accountability Act or HIPAA enforces standards for the security of any identifying medical data a hospital obtains from a patient. Health care workers know HIPAA as the reason they cannot keep client records where others may see them or give patient data to another practice without a release signed by the patient.
What the HIPAA security rule requires is there are technical standards the provider is implementing, that there are administrative standards the provider is implementing, and integrity standards that the provider is implementing, said
HIPAA also regulates how a practice responds to a breach. Practices must contact the appropriate law enforcement, which can include local police and the
Health care providers who discover a breach affecting more than 500 patients have 60 days to disclose it to the
The causes for these breaches can vary: a stolen laptop needs to be reported the same as a major ransomware attack. But fines start at
The standards enforced by HIPAA, said Melamed, act on a sliding scale. Large hospitals are held to a higher standard of security and response than are small practices.
It depends on the resources the provider has and the reasonableness for having certain standards and certain processes in order, said Melamed.
Still, a breach at a small practice can have a much larger impact than some might expect.
The two largest breaches in
While the incident is listed by OCR as a hack, the practice said it simply couldn't identify activity on its servers.
We had no proof of the data breach, we just had activity we couldn't define, said
There was activity in our system that we couldn't identify, and you only have so long to report a breach. It could've been the EMR we use, they work through the night on our systems. They could have gone into a place they shouldn't be. It was never really defined, said Seachrist. An EMR, or electronic medical record, refers to data management software used by medical practices to retain patient data.
In May, a reported hack against
While the company did not respond to multiple requests for comment for this article, they released a statement detailing the extent of the hack. The website hosting the statement has since been removed, but an archived version details the extent of the breach.
After discovering a ransomware virus, reads the statement, the practice immediately removed the infected server and workstation from our network and began an investigation with the assistance of an expert computer forensics team to determine how the virus made it onto our systems and the extent to which the virus may have affected any of our data.
After also contacting the
Maintaining the integrity and confidentiality of our patients' personal information is very important to us. We're conducting a comprehensive internal review of our information security practices and procedures to help prevent such events in the future, the company said.
Breaches like these come not through technical wizardry, but often through social engineering, the manipulation of people's trust on the part of the hacker.
It's one reason practices like
We have a checklist we try to do every quarter. Are we having any problems? Have we had any breaches of confidentiality, no matter how minor it is? said
The practice, which employs 19 people including four providers, sees 1,600 patients a month. It knows the benefits of keeping employees informed.
That's some of the things we try to do: Limit their usage of the kinds of sites they can go on, opening that door and making us vulnerable. We're required to change our passwords at the minimum of 90 days, not using the same password, not sharing with anybody, said Terry.
If he replies to that and the email is fake, [the hacker] steals his signature and can send emails to pharmacies, to other doctors, looking like the doctor, said Nagle.
From there, said Nagle, the hacker can send fake files and fake links meant to install malware on the business's computers. That malware then broadcasts the data to a third party.
Nagle referenced a recent attack on an
We can have the best plans in place. Hospitals have regulations they have to abide by. Their IT department is working full time to make sure they werent hacked and they were still hacked, said Nagle.
Midstate practices that have recently joined larger health networks can take solace in Biretz and Nagle's one assurance: There is safety in numbers.
The downside is everything is in one area, said Biretz. So if there were to be a vulnerability, access to everything would be available.
But big health networks can often afford a level of security prohibitively expensive to independent practices.
The benefit to that is buying power and expertise. Let's say I'm ABC Medical Practice and I've got five providers. I can invest maybe 20 percent of my bottom line in security. But when I join a group like
Nagle concurs, noting many small companies Alliance works with make Alliance's job easier by joining a large network of electronic medical records, or EMR. When a practice uses an EMR system like Epic,
But, said Nagle, medical practices also retain the kinds of data other small businesses do, including employee files and the business's financial records.
Anything they're using to grow their business that does not fall inside that EMR platform, we want to make sure that data is encrypted, said Nagle.