[BreachExchange] How to Protect Your Practice from Cybercrime
Audrey McNeil
audrey at riskbasedsecurity.com
Tue Sep 20 19:37:16 EDT 2016
http://opensources.info/how-to-protect-your-practice-from-cybercrime/
According to a report published this May by the Ponemon Institute, a
research organization that specializes in data protection and information
security, almost 90 percent of healthcare institutions have had some kind
of data breach in the past two years, and 45 percent had five or more
breaches. While many of these breaches were small and occured due to
employee mistakes, lost or stolen devices, or third-party mishaps, half of
all healthcare data breaches were the result of cybercrime.
This isn’t really surprising. Medical practices are in fact rich targets
for cybercriminals. Healthcare data is even more useful than credit card
data to those trading in black market data because it provides more
information than just names, addresses, and social security numbers.
Hackers can access patients’ next of kin, who to call in case of emergency,
and a detailed list of health conditions. Health data also has longevity.
Credit card accounts can be changed, heath data not so much.
Most medical practices meet (or make a good-faith attempt to meet) HIPAA
regulations regarding encryption and handling of protected health
information. If your data is breached, the Office for Civil Rights and your
cyber-insurance carrier, if you have one, will want to see that you’ve
taken due diligence to protect PHI, and if you have, OCR is not likely to
fine you, and your insurance company will probably cover other associated
costs
However, there is a lot more at stake than the financial costs of a breach.
In addition to keeping yourself in the clear legally, you also want to
protect your patients’ data, your patients’ hard won trust, and the
reputation of your practice from the consequences of cybercrime. That may
take more than the practices required by HIPAA, and sometimes even basic
things are overlooked. Here are a few security practices you may have
overlooked that can help protect your data from cyberattacks.
• Make sure your system updates software automatically. “It’s the simple
things that kill you,” says Chuck Winchester, Information Technology
Operations Manager for the American Academy of Family Physicians (AAFP).
Software updates aren’t always automatic. “One of the easiest things to
overlook,” he says, “is keeping antivirus and antispam and malware scanning
software continuously up to date.”
• Have a policy and procedure for dealing with email attachments. Employees
are often easy targets for malware. “If you get an email from someone you
don’t know, send it to your IT department and let them determine if it’s
safe to open. Make sure all employees are aware of this policy,” Winchester
advises.
• Encrypt sensitive data. Good passwords are great, but data encryption is
better. IT experts recommend that if at all possible, sensitive data should
be encrypted, not just password protected.
• Stay on top of risk assessments. “Most breaches show that risk analysis
wasn’t complete,” says Rick Hindmand, a healthcare attorney with McDonald
Hopkins in Chicago, Ill. Risk assessment shouldn’t be a one-time thing. Do
them regularly.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20160920/f1d36014/attachment.html>
More information about the BreachExchange
mailing list