[BreachExchange] Protecting Physician Practices From Cybertheft Takes More Than A Do-It-Yourself Approach

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jan 23 19:23:07 EST 2018


Protecting patient data has become as important as protecting patients’
lives in an era of increased cybersecurity threats in healthcare,
particularly for physician practices, which are especially vulnerable to

Today, many physician practices subjected to a ransomware attack pay the
fine simply because they can’t afford disruptions in care when patients’
lives are at risk. With a 50 percent increase in healthcare cyberattacks
this year, all healthcare organizations are a potential target. But
physician practices, especially smaller practices, typically do not have
the resources to afford large, complex data storage centers or dedicated IT
staff to keep up with installing the latest security updates.

A do-it-yourself approach to IT security is no longer sufficient for
physician practices. Instead, a proactive approach to data security should
include the following best practices.

Strengthen your cloud capabilities. Cloud technology offers access to the
latest security tools and patches, and is an economically affordable
approach to cybertheft protection. Seventy-five percent of healthcare
providers plan to use cloud technologies within a year, according to a 2017
HIMSS survey. But not all cloud applications are equal. Some offer higher
levels of security protection than others.

Practices should keep these key security considerations in mind when
investing in a cloud solution:

- How often does the cloud vendor scan its software applications for
threats? Some vendors perform continuous scans; others scan software
- What is the vendor’s disaster recovery and data backup plan? When patient
information is at risk, you need a cloud solution that ensures critical
data is always available, with clear back-up procedures in place, including
back-up to a server in another location.
- How does the cloud vendor report security incidents—no matter how
small—to the client? Given the sensitivity of the data you are protecting,
total transparency is critical.
- How will the cloud solution integrate with other cloud applications your
system uses, such as those used by the hospital you service?
Interoperability is key. Make sure the cloud solution you choose supports
collaborative care with other providers across the continuum as well.

Invest in a hybrid solution: a part-cloud, part-on-premise approach. Some
legacy systems do not lend themselves to a cloud approach as well as
others. A recent survey of IT decision makers found 91 percent believe
their organization’s cloud capabilities are limited by legacy network
infrastructure, which limits their ability to leverage cloud applications’
full potential. Additionally, some cloud solutions are less economical than
others, and it may not be financially feasible for a physician practice to
turn all its data and software applications to the cloud.

When deciding which applications should be cloud-based, physician practices
must weigh the benefits according to three factors:

- The sensitivity of the data being protected. Start with high-risk data to
provide an extra layer of security and ensure access to sensitive
information when seconds count.
- Compliance requirements. Some applications require a higher level of
security than others. Look for a cloud provider that meets HIPAA compliance
requirements and has significant experience in working with physician
practices of all sizes and types.
- The physician practice’s existing systems and its goals for using the
cloud. For some practices, the ability to access patient information in
real time in a variety of locations and from multiple types of devices is a
deciding factor for cloud investment. Cost and IT requirements also are
important to consider. Can your physician practice’s existing
infrastructure support a cloud solution? Will the application reduce costs
for your practice through economy of scale, and if so, to what extent? Seek
feedback from staff throughout the cloud vendor vetting process to ensure
selection of the right solution for your practice.

Conduct a security risk assessment to determine your practice’s greatest
security vulnerabilities, and determine your approach based on the
findings. This is a significant step in a heightened-risk environment. A
large physician practice may be able to conduct a risk assessment using its
IT staff and online risk-assessment tools from HIMSS or the Office of the
National Coordinator for Health IT as a guide. Small practices should hire
a security services provider to make this assessment. It’s important to
conduct an IT security risk assessment once a year.

Additionally, reach out to the vendors you currently use and ask them to
make an assessment for free. This feedback could supplement a paid
assessment while providing a relationship-building opportunity for the
vendor. Recommendations from a trusted vendor could then inform your
organization’s approach.

Protecting Your Practice—And Your Patients

In an era where the value of medical data makes physician practices an easy
target for cyberthieves, physicians can’t leave their IT security to
chance. It’s no longer enough to hire a single IT resource to manage
protection of patient data. The number of new threats continually emerging
means everyone in the organization—from practice leaders to front-desk
staff—must be empowered to protect their data from attack.

Ask the IT vendors you partner with for tips on best practices and
suggestions on better protecting IT systems, the inside of your facility
and your external perimeter from attack. Vendors visit multiple healthcare
organizations each month and will have their pulse on emerging threats and
best practices for protecting your organization’s data. Be open to evolving
your approach as the environment changes. Staying nimble will better
position your practice to respond with agility when new threats call for
quick response.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180123/9d5c9de9/attachment.html>

More information about the BreachExchange mailing list