Cyber threats take many forms. The widespread WannaCry ransomware attack in May 2017 showed how computer files could be held hostage for payment, while the denial-of-service attack on Dyn in October 2016 showed how websites such as Airbnb and Twitter could be made inaccessible. Cyber threats are on the rise within the health care industry, because the information obtained in an attack is highly lucrative. Thus, it is important that every physician practice take steps to protect itself from a cyberattack.
Identify the types of cyberattacks to which your practice is most likely vulnerable.
By doing so, you can invest in the measures most relevant to your practice. For instance, practices that host websites must defend against denial-of-service attacks, while those that hold private customer information electronically must prevent unauthorized access to that data. Of course, many practices will be vulnerable to a variety of cyberattacks.
Develop a framework to prevent, investigate and respond to the cyberattacks to which your practice is most vulnerable.
In 2014, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) issued, and continues to update, a voluntary Framework for Improving Critical Infrastructure Cybersecurity (the “Framework”). In addition to their own independent initiatives, practices should periodically consult the Framework to keep abreast of cybersecurity best practices and to assess their security posture relative to others. The website of the Office for Civil Rights, the government entity responsible for HIPAA compliance, also contains guidance on various cybersecurity topics that may prove helpful.
Invest in the latest computer security and protection measures.
To the extent feasible, practices should use the most up-to-date software and apply software updates as they are released. Cyberattack methods constantly evolve, and older versions of software are more vulnerable to newer and more complex threats. For example, the victims of the WannaCry ransomware attack were mainly organizations running older versions of the Windows operating system. Practices should also consider regularly backing up their data and keeping those backups isolated from the computer network, segmenting the network, and monitoring network activity.
Implement employee vigilance and training measures.
Perpetrators of cyberattacks often rely on phishing scams: they send emails with malware attached to individuals who then open the attachments and infect their employers’ computer networks. Practices should train employees to identify suspicious emails in order to guard against phishing schemes. Such training can be incorporated into your practice’s periodic HIPAA training.
Because malicious emails often appear to come from familiar senders, practices should teach employees how to spot the subtle clues that indicate a dangerous email. For instance, practices should instruct employees to check whether the domain name of the sending account is a “near miss” of the one they would expect. An employee who notices the difference between “dot com” and “dot co” could be what saves the practice from hefty losses.
Test your cybersecurity measures and monitor the effectiveness.
To test whether employees take the instructed precautions against phishing attacks, practices should send their employees test emails from a “near-miss” domain and tally how many employees fall for them. Of course, even after enhancing computer security systems and increasing employee awareness of network defenses, practices may nonetheless succumb to a cyberattack, but the chances of doing so will at least be reduced.
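As an added illustration of the “near-miss” domain check described in this and the previous section (example code written for this page, not from the article or its authors), the following Python flags sender domains that are a character or two away from, or embed, a trusted domain, after folding look-alike characters such as “rn” for “m”; the trusted domains and sample addresses are constructed assumptions.

```python
from typing import Dict, Iterable, Optional, Tuple

# Constructed sample list of domains this practice legitimately corresponds with.
TRUSTED_DOMAINS = {"example-clinic.com", "labpartner.com", "payer-health.org"}
MAX_EDITS = 2  # how many character edits still count as a look-alike

def normalize(domain: str) -> str:
    """Lower-case the domain and fold common look-alike character pairs."""
    d = domain.lower().strip().rstrip(".")
    for lookalike, real in (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e")):
        d = d.replace(lookalike, real)
    return d

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: number of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(address: str, trusted: Iterable[str] = TRUSTED_DOMAINS) -> Tuple[str, Optional[str]]:
    """Return (verdict, closest trusted domain); verdict is trusted, near-miss, unknown or invalid."""
    if address.count("@") != 1:
        return "invalid", None
    domain = address.rsplit("@", 1)[1].lower().strip()
    if domain in trusted:
        return "trusted", domain
    for t in trusted:  # trusted name embedded in a longer domain, e.g. labpartner.com.evil.net
        if t in domain:
            return "near-miss", t
    best: Optional[Tuple[int, str]] = None
    for t in trusted:
        dist = edit_distance(normalize(domain), normalize(t))
        if dist <= MAX_EDITS and (best is None or dist < best[0]):
            best = (dist, t)
    return ("near-miss", best[1]) if best else ("unknown", None)

def scan_senders(addresses: Iterable[str], trusted: Iterable[str] = TRUSTED_DOMAINS) -> Dict[str, int]:
    """Tally verdicts over a batch of sender addresses, e.g. a mailbox export."""
    counts = {"trusted": 0, "near-miss": 0, "unknown": 0, "invalid": 0}
    for a in addresses:
        counts[classify_sender(a, trusted)[0]] += 1
    return counts

# Constructed sample senders: one genuine, three look-alikes, one unrelated, one malformed.
SAMPLE_SENDERS = ["nurse@example-clinic.com", "billing@example-clinic.co", "it-help@exarnple-clinic.com",
                  "results@labpartner.com.evil.net", "friend@unrelated.org", "not-an-address"]
```

Running `scan_senders(SAMPLE_SENDERS)` on the constructed list yields one trusted, three near-miss, one unknown and one invalid sender.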
Obtain effective cyberattack insurance coverage.
Practices should compare the potential damages from a cyberattack to the coverage provided by their existing insurance policies and seek supplementary insurance for any uncovered damages or liabilities that may arise. For instance, because courts are divided as to whether computer systems constitute “tangible property” for purposes of an insurance claim, practices should consider consulting their insurance companies, brokers or legal counsel to obtain insurance that covers the types of damages arising from cyberattacks, including, but not limited to, the expense of providing patients with written notice when a reportable HIPAA breach occurs.
Adopt an effective legal strategy for your practice that preempts and limits liability.
Because practices retain confidential personal and medical information, any data breach or unauthorized disclosure could expose the practice to liability under a host of federal and state law claims, in addition to HIPAA fines and penalties. Thus, establishing an effective legal strategy that preempts and limits liability is essential.
Employ traditional security measures for your practice at locations that could be vulnerable to physical disruption of your cyber capabilities.
Practices should also account for the more traditional ways in which perpetrators can disrupt their computer networks. To prevent someone from simply unplugging the power to a network or server, consider installing CCTV cameras and limiting access to those areas. In addition, have security incident procedures in place and be prepared to continue operations if an interruption occurs. For example, if your electronic medical record (EMR) system goes down, be prepared to continue operating with paper medical records until the interruption is resolved and the EMR is back online.
Article contributed by David D. Dowd III, Elizabeth B. Shirley and Kelli C. Fleming of Burr & Forman LLP, practicing in the firm’s Health Care Industry Group. Burr & Forman LLP is an official Bronze Partner with the Medical Association.