Independent medical practices are being increasingly targeted for cyber security attacks like ransomware. The number of hacking incidents reported in healthcare climbed for the fifth straight year in 2020, according to a recent article posted on Forbes (6/7/21), jumping 42% in 2020. Hacking incidents comprised more than half of all last year’s patient data breaches — 62% — up from 2019. Left unchecked, these attacks will disrupt patient services, cause data breaches, result in financial and data loss, and potentially end in legal or oversight actions. Rather than being overwhelmed by these threats, your practice can minimize its exposure and maximize data integrity by taking action now with the following ten best practices in cyber security.
While no single action can eliminate the likelihood of a cyber attack, we have found that the following strategies can significantly boost security and protect all types and sizes of medical practices.
1. Hyperlink Hygiene
Phishing emails are still one of the top cyber security attack vectors. Links, images, and attachments have become gateways for viruses to penetrate systems through simple clicks and downloads. Today’s technology allows bad actors to create very believable ‘spam’ emails that carry malicious code within images or links undetected by users. Even more damaging are spoofing emails that appear to come from within your organization. Often disguised as originating from a director or administrator, spoofing emails prompt the recipient to make an emergency payment or take some other immediate action, which often creates a system-wide vulnerability.
Every medical practice should have a robust email filtering system with proactive and defensive rules to block suspicious emails like the ones we have mentioned already. Settings in your email security vendor can also block spoofing and require proof of a sender’s authenticity.
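As an added illustration of the kind of filtering rules described above (example code written for this article, not a vendor's product), the check below inspects a message's From header and the mail server's Authentication-Results header and flags three spoofing patterns: a display name that matches internal staff but comes from an outside address, mail claiming the practice's own domain without a DMARC pass, and a lookalike domain one character away from the real one. The domain name, staff names and messages are constructed placeholders.

```python
"""Constructed anti-spoofing rule for inbound mail (illustrative, not vendor code)."""
from email import message_from_string
from email.utils import parseaddr

INTERNAL_DOMAIN = "example-practice.test"                      # assumed placeholder domain
INTERNAL_STAFF = {"Dr. Jane Director", "Practice Administrator"}  # constructed names


def _edit_distance_one(a: str, b: str) -> bool:
    """True when a and b differ by exactly one substitution, insertion or deletion."""
    if abs(len(a) - len(b)) > 1:
        return False
    if len(a) == len(b):
        return sum(x != y for x, y in zip(a, b)) == 1
    short, long_ = (a, b) if len(a) < len(b) else (b, a)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


def header_failures(raw_message: str) -> list:
    """Return the spoofing indicators found in one RFC 5322 message (empty list = clean)."""
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    auth = msg.get("Authentication-Results", "").lower()
    findings = []
    # 1. Display name of an internal person, but the address is not ours.
    if name in INTERNAL_STAFF and domain != INTERNAL_DOMAIN:
        findings.append("display-name impersonation of internal staff")
    # 2. Claims our own domain, but the receiving server did not record dmarc=pass.
    if domain == INTERNAL_DOMAIN and "dmarc=pass" not in auth:
        findings.append("internal domain without dmarc=pass")
    # 3. Domain that differs from ours by a single character (typo-squat).
    if domain and domain != INTERNAL_DOMAIN and _edit_distance_one(domain, INTERNAL_DOMAIN):
        findings.append(f"lookalike domain {domain}")
    return findings


# Constructed sample messages for demonstration.
SPOOFED = ('From: "Dr. Jane Director" <jane.director@freemail.example>\n'
           "Subject: Urgent wire transfer\n"
           "Authentication-Results: mx.example-practice.test; dmarc=none\n\nPay today.\n")
LOOKALIKE = ('From: "Vendor Billing" <ar@example-practise.test>\n'
             "Authentication-Results: mx.example-practice.test; dmarc=pass\n\nInvoice attached.\n")
LEGIT = ('From: "Dr. Jane Director" <jane@example-practice.test>\n'
         "Authentication-Results: mx.example-practice.test; dmarc=pass\n\nMeeting at 3.\n")

if __name__ == "__main__":
    for label, sample in (("spoofed", SPOOFED), ("lookalike", LOOKALIKE), ("legit", LEGIT)):
        print(label, header_failures(sample))
```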
Web browsers like Chrome, Firefox, and Safari can also provide hackers a path to corrupting your systems. Browser redirects, pop-ups, and in-site advertising can mask subtle or hidden hyperlinks to unknown and dangerous URLs (websites). These websites serve malware to end-users, which can easily move upstream to the network servers. To combat this hacker strategy, implement browser controls that block advertisements, extensions, and malicious or suspicious sites to limit exposure to these types of intruders. Group policies in Active Directory can also be used to control browser behavior. In addition, some organizations may choose to enforce company browser accounts like Google Business accounts. Then private profiles on browsers are eliminated and browser management can be performed administratively.
2. Restoration Resiliency
Regardless of our best efforts, computers can fail and data can be lost. Medical Practice Policies should always include Data Backup and Business Continuity & Disaster Recovery plans. Backups, and all other critical functions of your network, should have redundancy and native encryption. These data backups should also be automated, frequent, tested, and monitored for any inconsistencies or suspicious activity.
Every organization should create a set of policies and plans for steps to take in case of an event or emergency. Leadership and key personnel should know their responsibilities and tasks if there is a break in business continuity. Chains of command and communication should be planned and well-documented on paper in addition to any electronic documents. The same applies for Business Continuity and Disaster Recovery plans. In the event that your systems and network are offline, you do not want to discover that your carefully made plans were lost in a breach or otherwise unavailable, further compounding the effects of the disaster.
These contingency plans should include the actionable details to restore and reconnect to your data as a high priority for your practice to get back to patient services. Therefore, these plans should be designed in coordination with your IT support to identify the best solutions for your organization. Recovery and restoration aligning with your Business Continuity Policy should be tested proactively and regularly.
3. Staff Training
A well-educated staff at all levels of the organization is one of your best protections against cyber attacks. Providing monthly or quarterly staff training can be cost effective and morale boosting (e.g., staff can apply the education in their personal online lives, too). In 2021, the average cost to an organization to restore systems and data after a ransomware attack was nearly $2 million. Increase organizational awareness of the fact that high level and high profile personnel are more likely to be targeted in cyber attacks and more in need of in-depth training and protective measures. Consider providing both basic staff training and executive level training to increase organizational awareness and develop a deeper understanding of overall potential problems and solutions to cyber attacks.
Recognize that cyber security defense training is just as critical and effective as all other forms of training that your staff receives. Staff training should, at minimum, cover the following:
- HIPAA digital education
- email attacks
- hyperlink and redirection attacks
- online hygiene
- threat and mitigation communications
- authentication protections like MFA (multi-factor authentication)
Breaking up training into these different modules and providing quarterly training can be more palatable to staff and management alike, which aids in providing fresh material throughout the year.
4. Security Risk Assessment (SRA)
SRAs take an analytical and unbiased look into your current network posture. They allow your organization’s leadership to set resource priorities to mitigate detected vulnerabilities. They also remove the emotional approach to fixing network issues (like the inevitable “pet” project). Finally, Security Risk Assessments provide a roadmap for continued mitigation so that your practice is constantly increasing its security posture. Learn more about PEAKE’s approach to SRAs for Medical Groups.
Creating and maintaining a secure network necessitates well-developed and strictly adhered to policies. Policies are the documented standards established and maintained by organizational leadership as the baselines for how to conduct all aspects of their business, including cyber security defense. Policies should be reviewed annually or when network and organizational changes occur to keep them up-to-date and to ensure that your technology aligns with your policy.
Policies should cover, at a minimum, the following:
- Passwords and authentication for all users
- Internet use, access, and privacy
- Technology and device use
- Data, system, and network protections
- Data recovery and Business continuity plans
Every critical function of your Medical Practice should have technical redundancy whenever possible. Redundancy will minimize or eliminate single points of failure. Minimal redundancy will include the following:
- Access to the Internet – 2 lines
- Servers that house data and applications – virtualization and image level backups provide redundancy
- Backups – this is usually implemented with a network appliance and cloud replication
Talking to your leadership and staff about current threats facing your industry ensures that personnel are aware of the digital landscape and any new threats that may be looming in cyberspace. Round-table discussions are great ways to role play or enact Business Continuity and Disaster Recovery plans to ensure comprehensiveness and relevance. Having a live channel of communication for cyber-related questions and concerns will promote dialog that helps boost personnel engagement. Regular communication amongst staff and stakeholders can serve as effective reminders that security is everyone’s responsibility.
8. Defense in Depth
The best network and data protection is achieved through multilayers of defense. There should be no point on your network that is accessible directly from public Internet space; everything should be positioned behind multiple protection mechanisms. This is implemented with the help of your IT support company and should be discussed in detail with them to ensure that defensive measures are employed in every area of your domain.
One critical layer of defense is a robust monitoring system that alerts your IT Support team when there is an event that needs mitigation. Monitoring should exist for network devices, servers, backups, email filtering systems, anti-virus agents, and workstations – and alerts should flow into a central ticketing system so that issues can be addressed.
Medical practices have both the means and responsibility to provide the best security against hackers and other malintents. Using these strategies, reinforced with provider support like PEAKE Technology Partners ensures