If a provider or surgery center is attacked, the practice is on the hook for bad publicity, potential fines, and the high cost of remediation.
If you think your medical practice, specialty clinic, or surgery center isn’t a target for hackers because of your size versus a multi-hospital health system, think again.
While it’s true that cyberattacks seem to be more prevalent among larger providers, recent evidence shows a marked shift toward smaller entities.
In the first six months of 2022, breaches among specialty clinics rose from 23% of total reported healthcare breaches last year to 31%. Breaches in the health services and supplies category, which includes pharmacies, medical supply companies, and provider alliances, rose from 10% of all breaches in the first half of 2021 to 14% in 2022. Physician group breaches rose from 2% to 12% of all breaches.
The business associate (BA) category, which includes clearinghouses, accounts for 15% of all breaches. Of the 409 breaches reported to the Office for Civil Rights in the first eight months of 2022, 74 involved business associates.
Analysts note an upswing in attacks on EHR systems and through business associates. Regardless of whether a provider or surgery center is attacked directly or through a business associate, the practice is on the hook for bad publicity, potential fines, and a high price for remediation that can put the future of the practice or surgery center at risk.
Here are six steps to take to help ensure your clearinghouse, other business associates, and your own facility follow security best practices.
1. Adopt strong two-factor authentication.
Passwords are passe as the sole method to log into sensitive websites. Unfortunately, even two-factor authentication using an email or text message can be compromised, either by simulating the login page or intercepting the login code.
Ask whether your clearinghouse or other BAs support use of a Universal 2nd Factor (U2F) authentication key, a USB key that works only on sites where the user has registered. Instead of sending a code that can be intercepted, the key interacts with the browser to allow access while protecting against session hijacking, malware and man-in-the-middle attacks. The best security comes from something you know (a password) and something you have (a U2F key).
2. Determine how secure your partners are.
Your practice could have world-class security protocols but still be attacked through connections to business associates or care partners. Truly, the weakest link in the security chain is the likeliest to be exploited by bad actors.
Ask your BAs and partners whether they are SOC 2 certified, a voluntary compliance standard centered on how organizations manage customer data based on five criteria, including confidentiality, security, and privacy of data. For healthcare organizations, certifications from trusted independent organizations such as EHNAC or HITRUST show commitment to keeping data safe.
3. Maintain physical and device security
Despite decades of advice about not leaving sticky notes with passwords around or leaving an outside door unlocked, it still happens — more frequently than you might imagine. Continued remote working opportunities expand both the physical and electronic walls of your practice or center that can leave you vulnerable.
In addition to the above advice, log out of applications when you leave your computer, even for a moment. Pay attention to your surroundings and be wary of anyone unusual. Turn your computer screen away from areas where patients may pass.
4. Use your business device only for business
The lines between work and home blurred more during the pandemic, when nearly everyone who wasn’t patient-facing worked from home. The explosion of cloud-based software also extended work from desktop or laptop devices to personal smartphones. While it may be tempting to check your personal email or watch videos while logged in to your workplace device, resist the temptation.
5. Protect against phishing attacks with education
Phishing attacks have evolved well beyond Nigerian princes looking to share their wealth. More than 80% of breaches involve humans in some way, including social attacks, errors, and misuse. Spear phishing, where bad actors craft communications for a particular person, is made relatively easy by using information freely available on social media and on company websites.
While deepfake video has gotten lots of press, deepfake audio has a greater potential for misuse. In 2019, a deepfake audio of a CEO’s boss at an energy company was compelling enough for the subsidiary CEO to transfer more than $240,000 to a non-existent supplier in another country.
Ongoing education can help employees become more cognizant of phishing attempts to reduce the threat surface such attacks represent. Beyond education, consider vendors that create and send bogus communications to staff, referring those who click on links for further education.
6. Remain vigilant to emerging threats
In August, the FBI issued a warning that people in healthcare were being targeted by scammers impersonating law enforcement or government officials to extort money or steal protected information. Using information from social media and/or a facility website, thieves tell an individual they are subject to arrest after failing to appear for a court case and need to pay an immediate fine to avoid incarceration. The scammers spoof legitimate organization names and phone numbers and present fake credentials.
The FBI reminds everyone that any legitimate investigation or legal action will occur in person or by official letter. No law enforcement agency will request payment by prepaid cards or cryptocurrency.
Examine every link in security chain
Cyberattacks of all types continue across industries as hackers look for any weakness in IT systems or employees. Healthcare data remains the Holy Grail of bad actors, because it often contains enough information to create new identities that can then be exploited for additional gain.
Vulnerability management software and/or human vigilance may be able to repel nearly all attacks, but hackers only need to be successful once to wreck your medical practice or surgery center. Twenty percent of companies in a recent survey revealed that a serious cyberattack almost resulted in the company going out of business. In fact, 87% said a successful attack was a bigger threat than an economic downturn.
Vigilance at your own company and among your staff isn’t sufficient protection. You must also closely examine the Business Associates with which you do business, because their security weaknesses can also leave you vulnerable.
Rob Stuart is founder and president of Claim.MD, a leading electronic data interchange (EDI) clearinghouse helping to streamline the billing and collection process for providers, payers and software vendors