Why medical practices need to guard against cyberattacks

One in six practices were hit by a cyberattack in 2021, according to the Medical Group Management Association.

Hospitals have become frequent targets of cyberattacks, but they aren’t the only healthcare providers that need to be concerned about bad actors hacking into their systems.

Medical practices need to be especially concerned about cybersecurity as well. Roughly one out of six practices (16%) were hit by a cyberattack or ransomware in 2021, according to a February 2022 poll released by the Medical Group Management Association. The poll included 828 responses.

“It’s becoming more and more of an issue, particularly in the healthcare space,” said Claire Ernst, the MGMA’s director of government affairs. “Medical practices are certainly not immune to this.”

Hundreds of healthcare systems have suffered cybersecurity attacks in recent years. So far in 2022, more than 100 breaches involving patient information have been reported to the U.S. Department of Health and Human Services. Many of these breaches involved private information such as dates of birth, Social Security numbers and other private data contained in health records.

Nearly 45 million Americans were impacted by breaches involving private health information in 2021, up from 34 million in 2020 and 42 million in 2019, according to a report by Critical Insight, a cybersecurity company.

Medical practices are already juggling so much in terms of caring for patients and handling administrative tasks. But if patient data is lost in a cyberattack, practices could lose referrals and could see patients switch to other providers, so they can’t afford to ignore cybersecurity.

Practices need to have cybersecurity training and should document it, including guidelines in employee handbooks, Ernst said. Cybersecurity experts repeatedly stress seemingly obvious but necessary reminders: avoid clicking on links in emails from suspicious or unfamiliar sources, and notify a supervisor or the information technology department about suspicious emails.

Practices can take some fairly common but effective steps to improve their cybersecurity. Some include using strong passwords and making sure their software is updated.

Multi-factor authentication is another useful safeguard in protecting patient records. With multi-factor authentication, staff must take two steps to access systems, such as entering a password and another code that is sent to their phone.

Many medical practices take advantage of insurance policies that cover cyberattacks. Ernst said it’s important for practices to review those policies to understand what insurance will - and will not - cover in the event of an attack.

Many cyberattacks are aimed at smaller businesses, including healthcare providers, said Crane Hassold, director of threat intelligence for Abnormal Security, a cybersecurity firm. Some bad actors know smaller organizations are likely to have fewer resources to devote to cybersecurity.

“Small businesses are actually the primary target of ransomware attacks today,” Hassold said.

Smaller hospitals have been repeatedly hit with cyberattacks and malware. Some attackers want to test malware by targeting smaller health systems to see if they can get in, analysts said.

Experts say healthcare organizations also need to be in contact with their vendors about cybersecurity vulnerabilities. Some healthcare breaches have stemmed from attacks involving vendors or partners who have access to patient data.

The federal government offers a free risk assessment tool for healthcare organizations. The Office of the National Coordinator for Health Information Technology (ONC) developed the risk assessment tool, which can be downloaded. It can help determine weaknesses that need to be addressed in policies and practices.

Experts also advise all healthcare organizations to back up patient data, and to maintain at least one copy that cannot be changed.

Medical practices should also consider working with third-party vendors to supplement their cybersecurity. Practices can contract with vendors to conduct penetration tests to assess the security of their systems.
