Businesses, and medical practices in particular, face a constant threat of cyberattacks. Incidents in health care are on the rise according to the U.S. Department of Health and Human Services Office for Civil Rights. This year, one of the largest ransomware attacks in history disrupted payments to providers for weeks when Change Healthcare was attacked. The parent company, UnitedHealth Group, estimated in its second-quarter earnings report that the cost of the attack would be $2.3 to $2.45 billion.
Attackers understand the value of health care operations and the sensitivity of the data they hold, so ransomware continues to increase. Last year, according to the FBI's Internet Crime Complaint Center, health care and public health organizations reported more ransomware attacks than any other critical infrastructure sector in the United States. Following the attack on Change Healthcare, ransomware attacks surged, spurred on by the notoriety that incident received.
The risk for medical practices
Cyber events, which often hit larger health systems such as hospitals, have delayed medical procedures and forced the diversion of patients and ambulances to other institutions. Attackers often target larger institutions, where there is more money. Smaller offices are vulnerable too, because of the sensitivity and volume of the data on their networks. Whether the practice is large or small, the consequences are the same: loss of private medical records, jeopardized patient safety, disrupted patient care and, as a result, broken patient trust.
Consider the volume and sensitivity of the medical information you handle and the growing use of technology to manage it, and it is clear that your practice is exposed.
The great responsibility health care institutions bear for protecting private patient data calls for a proactive and cooperative response to ransomware attacks that are rapidly becoming smarter, faster and more organized.
Steps to take
The Department of Health and Human Services has published voluntary, health care specific Cybersecurity Performance Goals (CPGs) to help health care organizations defend against ransomware. They are organized to align with the functions of the National Institute of Standards and Technology's (NIST) Cybersecurity Framework (CSF).
Here are steps, incorporating those goals, that will help you prevent or respond to a ransomware attack on your practice:
- Get Educated
All employees should receive cybersecurity training that covers not only HIPAA obligations but also how attackers and ransomware actually operate. Instruct staff not to download files from unfamiliar websites or click links in suspicious emails. Educating employees is crucial, because a phishing email or similar social engineering is how attackers gain entry most of the time, and simulated phishing campaigns are one way to test whether the training has taken hold. HIPAA requires new hires to receive privacy and security training; that training should also align with the practice's information security policies and antivirus procedures.
- Update Regularly
Install patches and updates as soon as developers or vendors release them; they repair bugs and vulnerabilities, strengthen firewalls and keep the software your practice uses to fend off viruses and malware current. Make account maintenance part of the same routine: remove the accounts of former employees, volunteers and affiliates as soon as they leave, and review who still has access, especially administrative access. Run endpoint detection and response (EDR) software on workstations and servers so that suspicious activity is detected and can be stopped before files are encrypted.
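As an added illustration (not code from the article or from HHS), the following Python script performs the kind of account review described above. It compares a directory export of user accounts against the current HR roster plus an approved list of service accounts, and flags accounts that belong to no current workforce member or that have not logged in within a policy window, ranking administrative accounts highest. The account records, roster, usernames, the 90-day threshold and the review date are all constructed assumptions; a real review would feed it an export from your directory service or the EHR's user administration screen.

```python
"""Account review for a small practice (added example, not from the article).

Compares a directory export against the people who should have access and
flags orphaned and stale accounts.  All usernames, dates and the 90-day
threshold below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Set, Tuple

STALE_DAYS = 90                      # assumed policy: unused for 90 days = stale
REVIEW_DATE = date(2024, 10, 1)      # constructed "today" for the review


@dataclass
class Account:
    username: str
    enabled: bool
    is_admin: bool
    last_login: Optional[date]       # None means the account has never logged in


# Constructed directory export (what AD / Entra ID / the EHR admin screen would give you)
ACCOUNTS = [
    Account("jdoe",        True,  False, date(2024, 9, 10)),   # active clinician
    Account("asmith",      True,  True,  date(2024, 4, 1)),    # admin, idle since April
    Account("former.np",   True,  False, date(2024, 2, 14)),   # left the practice, never removed
    Account("billing-svc", True,  True,  None),                # approved service account, never used
    Account("mgarcia",     True,  False, date(2024, 5, 20)),   # current staff, idle
    Account("rlee",        False, True,  date(2023, 12, 1)),   # already disabled
]

# Constructed HR roster of current workforce members plus approved service accounts
AUTHORIZED = {"jdoe", "asmith", "mgarcia", "rlee", "billing-svc"}


def review_accounts(accounts: List[Account], authorized: Set[str],
                    today: date, stale_days: int = STALE_DAYS
                    ) -> List[Tuple[str, str, str]]:
    """Return (username, severity, action) for every enabled account needing attention."""
    findings = []
    cutoff = today - timedelta(days=stale_days)
    for acct in accounts:
        if not acct.enabled:
            continue                                   # disabled: nothing to do
        if acct.username not in authorized:
            findings.append((acct.username, "high",
                             "not on current roster or approved service list: disable now"))
            continue
        stale = acct.last_login is None or acct.last_login < cutoff
        if stale and acct.is_admin:
            findings.append((acct.username, "high",
                             f"admin account unused for {stale_days}+ days: disable or remove admin rights"))
        elif stale:
            findings.append((acct.username, "medium",
                             f"unused for {stale_days}+ days: confirm still needed, else disable"))
    return findings


if __name__ == "__main__":
    for user, severity, action in review_accounts(ACCOUNTS, AUTHORIZED, REVIEW_DATE):
        print(f"[{severity}] {user}: {action}")
```

Run on the constructed data, it reports the idle administrator, the departed nurse practitioner whose account was never disabled, the never-used service account with admin rights, and one idle regular user. The roster comparison is the part that catches the "eliminating past employees" gap the text describes; the idle check catches accounts that survived offboarding or were created and forgotten.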
- Organize a Business Resilience and Emergency Response Strategy
Whether fires, floods or another crisis, every doctor's office should have a plan for handling emergencies. Make certain that ransomware and other cyberattacks are included as hazards. That means taking consistent data backups, including both conventional and immutable backups; verifying that the backups are intact and can actually be restored; and keeping at least one copy disconnected from the network it protects, so that an attacker who encrypts the network cannot encrypt the backups as well.
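The following Python script, added here as an example and not part of the article, shows one way to verify backup integrity: record a SHA-256 digest of every file in the backup set in a manifest, then re-hash the set later and report anything missing, modified or unexpected. The sample files and the simulated damage are constructed. Keep the manifest with the offline or immutable copy rather than next to the live backup, since an intruder able to encrypt the backup could otherwise rewrite the manifest as well.

```python
"""Backup integrity check with a hash manifest (added example, not from the article).

build_manifest() records a SHA-256 digest for every file under a backup
directory; verify_manifest() re-hashes the directory later and reports files
that are missing, modified or unexpected.  The sample files, paths and the
simulated damage in demo() are constructed for illustration.
"""
import hashlib
import json
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # hash 1 MiB at a time so large backup files do not fill memory


def sha256_file(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map each file path (relative to root, POSIX separators) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def verify_manifest(root: Path, manifest: dict) -> dict:
    """Compare the directory against a stored manifest; all-empty lists mean intact."""
    current = build_manifest(root)
    return {
        "missing": sorted(set(manifest) - set(current)),
        "unexpected": sorted(set(current) - set(manifest)),
        "modified": sorted(p for p in manifest if p in current and current[p] != manifest[p]),
    }


def demo() -> dict:
    """Build a constructed backup set, damage it, and return the verification result."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "db").mkdir()
        (root / "db" / "ehr.sql").write_bytes(b"-- constructed dump\nINSERT INTO patients ...\n")
        (root / "config.ini").write_bytes(b"[practice]\nname=example\n")

        manifest_json = json.dumps(build_manifest(root), indent=2)  # store this offline

        # Simulate what ransomware (or silent corruption) does to a reachable backup:
        (root / "db" / "ehr.sql").write_bytes(b"ENCRYPTED")   # contents replaced
        (root / "config.ini").unlink()                        # file gone
        (root / "README.txt").write_bytes(b"pay us")          # ransom note dropped

        return verify_manifest(root, json.loads(manifest_json))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Matching digests prove the files have not changed since the manifest was written; they do not prove the data restores, so schedule a periodic test restore of the EHR database into an isolated environment as well. Running the check against every copy, including the offline one, is what tells you before an incident whether you actually have something to recover from.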
- Observe and Evaluate Methods and Procedures
Teaching employees cybersecurity is one thing; ensuring they apply what they learned is another. Medical offices should be able to monitor user activity in real time or, at a minimum, receive regular reports on which staff members access what data and whether protocols are being followed. Make data protection part of the way you do things at work.
- Select an Employee Member or Team Responsible for Cybersecurity
This individual or group will develop cybersecurity guidelines and processes, make sure all employees receive the necessary training and ongoing education, and coordinate the reporting of any incidents that do occur. Many professionals advise running an annual drill, such as a tabletop exercise, to rehearse the response to a data breach.
- Evaluate the Credentials of Your Vendors and Outside Sources
Most vendors of electronic medical record, patient portal and practice management software are expected to hold security certifications. Are you certain that yours do? If so, which ones, and do they cover the product and hosting environment you actually use?
- Conduct an Assessment and Revision of the Practice’s Professional Liability Insurance
Regrettably, many policies of this kind do not cover intrusions such as ransomware. It may, however, be possible to obtain a specialized cyber insurance policy that does.
- Hire a Specialist
The stakes are high, and the subject is intricate and potentially laborious. Hiring a cybersecurity consultant for your medical practice can be a crucial step toward being sufficiently prepared, provided it is cost-effective.
Simply stated, the goals are to govern, identify, protect, detect, respond and recover. Ransomware attacks now happen so frequently that individual incidents may no longer make the news, but the hazard is persistent, and protective measures are essential. Hackers are, after all, perpetually improving their strategies and methods.
If you would like more information, contact Carrie Hale at [email protected] or 312.670.7444. Visit ORBA.com to learn more about our Health Care Group.