Dr. Dowling is president of Dowling Medical Director Services, a private health care consulting firm specializing in quality improvement, clinical informatics, and health care policy affecting specialty care. He is the former medical director of a large,
HHS toolkit outlines basic practices to combat phishing, ransomware attacks.
The U.S. Department of Health and Human Services Office for Civil Rights, as of this writing, has 412 cases of breaches of unsecured protected health information involving more than 500 individuals that are under investigation (bit.ly/OCRbreachportal). Most of these involve health care providers, most involve hacking or an IT incident, and most involve information in email. These statistics serve as a sobering reminder that medical practices remain an attractive target for hackers, possibly because many are small businesses with no dedicated IT professionals on staff.
On Dec. 28, 2018, HHS released a set of publications intended to help medical practices of all sizes confront this very real threat (bit.ly/HHScybersecurity). In this article, I will summarize the threats and recommended practices for cybersecurity in your practice.
According to HHS, the five most common cybersecurity threats in health care are:
Email phishing attacks. These consist of attempts to deceive someone into giving out sensitive information via email. A common scenario might involve an email to an employee that appears to come from a legitimate source, and directs the employee to enter their login credentials. Those credentials are then hijacked to access other systems. This is the most common threat in medical practices leading to reported breaches.
Ransomware attacks. According to HHS, “Ransomware is a type of malware (malicious software) distinct from other malware; its defining characteristic is that it attempts to deny access to a user’s data, usually by encrypting the data with a key known only to the hacker who deployed the malware, until a ransom is paid. After the user’s data is encrypted, the ransomware directs the user to pay the ransom to the hacker (usually in a cryptocurrency, such as Bitcoin) in order to receive a decryption key.” (bit.ly/ransomwarefactsheet)
Loss or theft of equipment or data. The concern here is that the stolen equipment may contain unencrypted, unsecured protected health information. This is the third most common cause of data breaches reported to HHS.
Insider, accidental, or intentional data loss.
Attacks against connected medical devices that may affect patient safety. Connected devices in a urology practice may include x-ray equipment, urodynamic machines, and other lab equipment. These interfaced devices typically contain protected health information and are vulnerable.
The HHS report, “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients,” (bit.ly/10cybersecuritypractices) recommends 10 cybersecurity practices to address these five threats, and the recommendations are tailored to the size of the practice (small, medium, and large). The report is accompanied by technical “how-to” volumes (bit.ly/managingthreats and bit.ly/cybersecuritysmallpractice) that facilitate the implementation of these practices. I highly recommend that every practice download the section of the volume pertinent to your practice size and implement these best practices. For example, the table below, from the technical volume for small practices (bit.ly/cybersecuritysmallpractice), provides recommendations for safeguarding your practice from phishing attacks.
Bottom line: Cybersecurity threats in a urology practice are real and can result in harm to patients, and to your business. HHS has released a valuable toolkit that can be adopted by practices of any size with minimal effort. Follow these 10 basic practices and put your practice on the best cybersecurity footing for 2019.