By John Southrey, CIC, CRM
Health care organizations are increasingly the target of cyber attacks, and cyber criminals are using a spectrum of techniques* — ransomware, phishing attacks and other malware infections — to gain access to electronic protected health information (ePHI).
TMLT policyholders reported 112 cyber-related incidents in 2016. One-third of these incidents involved ransomware attacks. To combat these cyber threats and data breaches, TMLT developed fee-based risk management resources to help medical practices assess and mitigate their cyber risks.
TMLT’s cyber risk management services are focused on protecting medical privacy and security and include:
- HIPAA risk assessments (done on-site or remotely) to evaluate a practice’s physical, administrative, and technical safeguards;
- customized workforce training (on-site or online) to maintain compliance with privacy laws;
- IT support such as system penetration and phishing vulnerability testing, hosting, backup management, and disaster recovery;
- managed detection and response from eSentire; and
- policy and procedures review.
Though data breaches are a systemic business risk that can be devastating to a medical practice and its patients, many health care organizations continue to take a “wait and see” approach to improving their data security. They may not even recognize when they have been breached, because it can take up to several weeks to detect and respond to incidents. (1)
Indeed, TMLT regularly encounters the following objections when addressing this issue with practice administrators and physicians.
“Our cyber security is covered.”
- But are you monitoring your computer log files (i.e., network traffic) 24 hours a day?
- How often are you updating your computer system and software?
- How would you know if malware bypassed your security, for example by exploiting a “zero-day” flaw that the software vendor has not yet patched?
“We’re too small to be a target.”
- How many medical records do you have in your EHR and/or PM systems?
- Do you give your Business Associates and their sub-contractors access to your EHR?
- Are you aware that small-to-medium practices are targeted by cyber criminals because they’re considered “low-hanging” fruit due to inadequate data security?
“We outsource our IT.”
- How much does your IT vendor know about the HIPAA Security Rule? (Breaches can originate within Business Associates or their subcontractors.)
- Do you have an Incident Response Plan and have you educated your workforce on the HIPAA Breach Notification Rule?
“We’ve moved our data to the cloud.”
- Will your cloud provider sign a Business Associate Agreement?
- Does your cloud provider’s data security strategy include end-users on the network?
- Are you and your employees aware of phishing, social engineering, and targeted attacks and how to appropriately handle them?
There are inherent risks in using technology in health care; moving to the cloud doesn’t eliminate data security risks. Sophisticated malware, such as some ransomware variants, can lock cloud-based backups when systems are continually backed up in real time, and can even encrypt cloud storage devices that are mapped as drives on infected computers. (2)
It is widely reported that the health care industry is failing to keep pace with evolving cyber threats and has under-invested in protecting its data. (3) The Office for Civil Rights (OCR), the HIPAA enforcement arm of the U.S. Dept. of Health and Human Services, has advised health care organizations that: “Healthcare organizations and contractors and vendors that handle protected health information must step up their game.”
The OCR has also warned that “Cybersecurity-related attacks have continued to rise and become more destructive and disruptive. Although effective incident response planning can be a complex task, it should be one of covered entities and business associates’ priorities.” (4)
Effective cyber security requires a multi-layered approach using threat detection, prevention, and incident response planning. The legal ramifications and reputational harm can be significant to a medical practice suffering a data breach. And as practices pursue the “triple aim” of value-based health care, data breaches will not improve the patient experience.
1. In a survey of 223 US-based health care executives conducted by KPMG, only 13 percent reported tracking known cyber security attacks daily. Additionally, 25 percent stated they do not have or do not know their capabilities, in real-time, if their organization’s systems are being compromised. KPMG. Health Care and Cyber Security — Increasing Threats Require Increased Capabilities. 2015.
2. How to Protect Your Network From Ransomware. U.S. Department of Justice.
3. Playing catch-up. Health Care Risk Management Review. January 14, 2016.
4. HIPAA enforcer’s latest actions: an analysis. Health Care Info Security. July 18, 2016.
* These techniques are also known as “attack vectors.” An attack vector is a path or means by which a hacker can gain access to a computer or network server to deliver a payload or cause a malicious outcome. Attack vectors enable hackers to exploit system vulnerabilities, including the human element. More information is available at: http://searchsecurity.techtarget.com/definition/attack-vector