According to the Protenus Breach Barometer, which provides a monthly report of disclosed health care breaches, an average of 1 breach occurs every day. The main offender behind these breaches – now accounting for more than half of all reported breaches and 95% of total stolen records – is hackers.
Physicians might assume these stem from high-tech incidents where the hackers are impossible to avoid, but this is not always the case, according to James Scott, co-founder of the Institute for Critical Infrastructure Technology in Washington, DC.
Hackers exploit human psychology, “our insatiable need to click on a video or email from someone you don’t know,” he said. These breaches typically result from an error by an organization’s staff “as opposed to the stealth of the adversary.”
Once a staff person clicks on a bogus link and a website or attachment opens, perpetrators are able to get into a computer network and search for weaknesses. When these are found, hackers can move through the system and increase network privileges to find and extract protected health information and other sensitive data.
Mick Coady, a partner in PwC’s Health Information Privacy & Security Practice, said some larger health care organizations have systems that run fake phishing programs to see how many people fall for them. Hit rates for the programs are high, he said, with about 30% of staffers clicking on the links.
Aside from health care information being considered highly valuable, one of the reasons hackers like to infiltrate the health sector computer systems is the effectiveness of the attacks. The industry is rife with organizational and technical vulnerabilities, Scott said. It is relatively easy even for rookie hackers to get into computer systems because many of these systems have only minimal cyber defense.
Physicians need to ensure their network is protected as much as possible from cyber threats. Scott recommends:
- Network analyses to look for abnormalities (like large packets of information being pulled out at 2 a.m.)
- Multi-factor authentication for users
- Upgraded anti-virus programs
- Heavy encryption that breaks data into multiple silos
- Stopping the use of legacy systems – antiquated technologies that are no longer updated and allow hackers to break in much more easily
Physicians will need to ensure their security policies and procedures are up-to-date and staff is well trained. Coady said he often goes into practices where written policies are 3 or 4 years old and do not reflect the newest technologies or practices.
Keeping policies and procedures current takes time and effort, but it needs to be done annually, along with updated training, he said. Along with that, staff members need frequent cyber hygiene reminders. Practice managers need to work with staff members regularly on ways to recognize problematic emails and websites. These include looking for spoofed domains (a tipoff might be a spelling of a known organization’s name that is a single letter off, such as Anthemm) and ensuring staff members know why they should not be surfing the internet during their lunch break. Staff members need to be familiar with the protocols to follow when the network has been compromised.
As in many technology-intense business sectors, suspicious emails should be sent to the IT department, where they can be analyzed to determine if they contain malware.
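The "single letter off" spoofed-domain check above can be automated so that lookalike senders are routed to IT for review. The following is an added example, not code from the article or from the organizations it quotes; the trusted-domain allowlist and the sample sender addresses are constructed for illustration.

```python
"""Flag e-mail sender domains that are one edit away from a trusted domain.

'anthemm.com' is one inserted letter away from the legitimate 'anthem.com',
which is exactly the kind of spoof staff are told to watch for.
"""

# Constructed allowlist of domains the practice legitimately corresponds with.
TRUSTED_DOMAINS = {"anthem.com", "pwc.com", "example-clinic.org"}


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: count of insertions, deletions and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute ca->cb
        prev = cur
    return prev[-1]


def sender_domain(address: str) -> str:
    """Return the lower-cased domain part of an e-mail address."""
    return address.rsplit("@", 1)[-1].strip().lower()


def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_edits: int = 1):
    """Return the trusted domain this one imitates, or None.

    An exact match is legitimate. A domain within max_edits of a trusted
    domain, but not equal to it, is a lookalike worth sending to IT.
    """
    if domain in trusted:
        return None
    for good in trusted:
        if edit_distance(domain, good) <= max_edits:
            return good
    return None


def triage(addresses):
    """Map each sender address to the trusted domain it imitates (None if clean)."""
    return {addr: lookalike_of(sender_domain(addr)) for addr in addresses}


# Constructed sample senders: one legitimate, two lookalikes, one unrelated.
SAMPLE_SENDERS = [
    "billing@anthem.com",        # genuine domain
    "billing@anthemm.com",       # doubled letter, one insertion away
    "support@pwc.co",            # dropped letter, one deletion away
    "news@vendor-portal.net",    # unrelated domain, not a lookalike
]
```

Domains that triage() maps to a trusted name are the ones to quarantine and forward to IT; a real deployment would also need the practice's full list of partner domains rather than the constructed allowlist shown here.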