Seventy-four breaches of protected health information from hacking incidents were reported on the Department of Health and Human Services “Wall of Shame” from January to September 2016. Many of these were related to someone hacking a network server. They affected both large and small providers and impacted well over 10 million patients.
Medical practices can take a number of steps either on their own or with the help of IT firms to make it more difficult to hack into a practice’s computer files. Jason Karn, chief compliance officer at Total HIPAA Compliance, said there is some low-hanging fruit a provider can “sit down and do on a Saturday” to safeguard their electronic devices.
The first is to use firewalls. Most computers have built-in firewalls that Karn said are “OK”; they can be set to varying levels of strictness for which incoming connections are authorized. To go a step further, providers can use next-generation firewalls. Andrew Plato, CEO of Anitian Corp., said that along with controlling access into a system, these tools are application aware: they not only know traffic is coming and going, they can differentiate among the programs generating it. IT professionals would need to be involved in setting these up. “They are complicated pieces of technology and require care and feeding,” Plato said.
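As an added illustration, not from the article or from either company quoted, here is how the built-in Windows firewall can be set to the stricter posture the paragraph describes: every profile turned on, inbound connections blocked by default, and only the specific inbound services the practice needs allowed, and only from inside the office. The subnet 10.0.10.0/24 and the choice of Remote Desktop and file sharing as the only inbound services are assumptions for the example; replace them with the practice's own addresses and needs. Run it from an elevated PowerShell prompt on Windows 8 / Server 2012 or later.

```powershell
# Added example: tighten the built-in Windows firewall (Windows 8 / Server 2012 or later).
# Run from an elevated PowerShell prompt. Addresses and ports below are assumptions.

# 1. Turn the firewall on for every network profile and make "block" the default
#    for inbound traffic. Outbound stays allowed so browsing and software updates keep working.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Allow only the inbound services the practice actually needs, and only from
#    the inside network. 10.0.10.0/24 is an assumed office subnet.
$officeSubnet = '10.0.10.0/24'

# Remote Desktop (TCP 3389) reachable only from the office subnet, never from the Internet.
New-NetFirewallRule -DisplayName 'Practice - RDP from office only' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $officeSubnet -Profile Domain,Private -Action Allow

# Windows file sharing (SMB, TCP 445), likewise limited to the office subnet.
New-NetFirewallRule -DisplayName 'Practice - SMB from office only' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $officeSubnet -Profile Domain,Private -Action Allow

# 3. Review what is still open. Every rule listed here is an inbound door;
#    each one should have a reason the practice can name.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { $_.Profile -match 'Public|Any' } |
    Select-Object DisplayName, Profile
```

The last two commands are the part worth repeating on the Saturday audit: a firewall that is on but has a default-allow inbound policy, or an allow rule bound to the Public profile, quietly undoes the rest.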
Many people click the “remind me later” button when a software update pops onto the screen, but they should not. “Hackers are out there looking for easy prey … and if someone hasn’t updated a browser there are holes there leaving them open to an attack,” Karn said.
Most programs will send an alert when an update is available, and staff can either accept updates case by case or turn on automatic updates so they install every time. Managers can empower staff members to do their own updates, but Karn recommends appointing one person to do a monthly audit to confirm every device is current.
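As an added example, not the article's and not Total HIPAA Compliance's, here is what that monthly audit could look like on Windows machines: a script that asks each computer on a list for the updates Windows Update knows about but has not yet installed, and reports which machines are behind and which did not answer at all. The computer names are made up; the script assumes PowerShell Remoting (WinRM) is enabled on the workstations and that the person running it has administrator rights on each of them.

```powershell
# Added example: monthly "is everything current?" audit for a small office.
# Assumptions: Windows workstations, PowerShell Remoting (WinRM) enabled, and the
# person running it has admin rights on each machine. Computer names are made up.

$computers = @('FRONTDESK-PC', 'EXAMROOM1-PC', 'EXAMROOM2-PC', 'BILLING-PC')

$report = Invoke-Command -ComputerName $computers -ErrorAction Continue -ScriptBlock {
    # Ask the local Windows Update agent for updates that apply to this machine but are
    # not installed. This is the same COM interface Windows Update itself uses, so no
    # extra module needs to be installed on the workstation.
    $session  = New-Object -ComObject 'Microsoft.Update.Session'
    $searcher = $session.CreateUpdateSearcher()
    $pending  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

    # Most recent hotfix actually installed: a sanity check on how long the box has lagged.
    $lastFix = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PendingCount  = $pending.Count
        PendingTitles = ($pending | ForEach-Object { $_.Title }) -join '; '
        LastHotfixOn  = if ($lastFix) { $lastFix.InstalledOn } else { $null }
        LastReboot    = (Get-CimInstance Win32_OperatingSystem).LastBootUpTime
    }
}

# A machine that did not answer is not "fine", it is unknown; list those explicitly
# so someone walks over to it.
$missing = $computers | Where-Object { $_ -notin $report.PSComputerName }

$report | Sort-Object PendingCount -Descending |
    Format-Table Computer, PendingCount, LastHotfixOn, LastReboot -AutoSize

if ($missing) { Write-Warning "No response from: $($missing -join ', ')" }

# Keep the result so next month's audit can be compared with this one.
$stamp = Get-Date -Format 'yyyy-MM'
$report | Export-Csv -NoTypeInformation -Path "update-audit-$stamp.csv"
```

The LastReboot column matters because many Windows updates are not actually in effect until the machine restarts; a workstation that shows zero pending updates but has not rebooted in months has still not applied them.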
It is important to have staff members dedicated to security efforts, but they should not be used as a crutch. If managers pass this task entirely to staff members, there is always a chance they will not do their job and let things fall through the cracks.
“Security is not an easy thing to do and isn’t necessarily getting easier,” Plato said. “It’s something the whole organization needs to acknowledge.”
A number of other security measures can be put in place besides firewalls and software updates, but they require external IT services. One is a directory service such as Active Directory. Beyond centralizing user accounts and logins, it lets an administrator push policy to every computer that joins the practice’s domain, for example requiring the built-in firewall to be on and updates to be installed, so the checks the practice should be doing internally are enforced on each machine rather than left to whoever is sitting at it.
Another option is segmenting the internal network. This breaks devices and systems into groups to create some separation, so if a machine has a problem, it can “close the doors” and isolate it so the whole network is not affected, Plato said.
The next level up is endpoint security together with tight access control on devices and systems. Each user gets the right to use only the programs and data they need to do their job, and nothing more.
If you are working with an IT group that is going to install programs like firewalls, manage your server, create backups, and take care of issues that arise, expect to pay about $1,500 a month, depending on the size of the office. Karn said this should encompass a lot of the “pain points” for a small practice.
This may seem like a lot of money, but considering the cost of breach mitigation, it is a pretty good deal. The cost of remediation is estimated at $250 per record, and that does not include any expense from patient lawsuits or state medical board audits, should these occur. Studies have also shown there is nearly a 50% attrition rate for patients after a breach, Karn said.
Tips for avoiding hacking:
- Use a different, hard-to-guess password for each website. A password manager makes this much easier.
- Use software and hardware firewalls.
- Update your software regularly to reduce its vulnerability to hacking.
- Create access controls so staff are only allowed into the programs they need.
- Implement malware-detecting software.