Cybersecurity Risks: 3 Ways Physician Practices Can Defend Themselves from a Cyberattack

Eighty-three percent of physician practices have experienced a cyberattack, an American Medical Association (AMA) survey found. When this occurs, it jeopardizes not only the security of sensitive patient information, but also patient safety.

Why are physician practices so susceptible to cyberattack? It’s partly because patient records are a rich source of personal and medical information, making them a hot commodity for internet thieves. Physician practices also often lack the resources to sufficiently protect their data from attack, including the funds to afford complex data storage systems, the bandwidth for effective backup and recovery, and dedicated IT staff to regularly manage security updates.

As a result, physicians are increasingly anxious about their risk of cyberattack. Nearly 75 percent of physicians said they are most concerned that such attacks will interrupt key business operations, including access to their electronic health record (EHR) as well as data security, the AMA survey shows.

How can physician practices shore up their defense against cyberattack? Here are three strategies to consider.

Conduct an audit of your practice’s cyber vulnerabilities.

Given the increased volume and intensity of cyberattacks that physician practices face, conducting an IT security risk assessment once a year is critical. Roughly half of physician practices now have an in-house security manager, the AMA survey found. These practices may wish to leverage this resource to conduct an internal security assessment using tools from HIMSS or the Office of the National Coordinator for Health IT as a guide. Small practices should consider partnering with a security services provider to perform this assessment.

Fine-tune cybersecurity defense skills among employees and physicians.

Seventy-one percent of cybersecurity incidents in healthcare involve employees, and 53 percent of these incidents are related to inadvertent actions such as errors, loss or theft of devices or records, and susceptibility to phishing attempts. But engaging stakeholders in cybersecurity defense is one of the toughest IT challenges any organization faces, according to a Verizon report.

It’s important that employees and physicians understand the impact of cyberattack on the lives of the patients they serve. Sharing stories of the ways in which cyberattacks impact patient safety and patients’ livelihood is a powerful tool for bringing physicians and employees on board with a practice’s cyber-defense initiatives. Combine a storytelling approach with practical tools for first-line defense, such as those found in this AMA checklist.

Explore options for cloud-based computing.

When physician practices don’t have a dedicated IT security manager, it’s not uncommon for these practices to fall behind in applying security patches and upgrades, putting the organization at risk. Cloud-based computing gives physician practices automatic access to the latest security tools and upgrades while providing enhanced data backup and recovery capabilities. But not all cloud applications are created equal. When evaluating cloud-based solutions and partners, key questions to ask include the following:

• How often does the cloud vendor scan its software applications for threats? Some vendors perform continuous scans, while others scan software weekly or monthly.

• What is the vendor’s disaster recovery and data backup plan? Backup procedures should include backup to a server in another location.

• How does the cloud vendor report security incidents—regardless of size—to the client? Given the sensitivity of the data you are protecting, total transparency is critical.

• How does the vendor meet HIPAA compliance requirements? At a minimum, the solution you select should be HIPAA compliant for electronic protected health information.

• Which security certifications does the vendor hold? Look for certifications such as ISO 27001 and Health Information Trust Alliance (HITRUST) Common Security Framework (CSF) Certified status.

Vigilance Is Critical

Just as some conditions require long-term care management, developing the right cybersecurity defense for physician practices requires more than a single “treatment.” Taking the time to diagnose your cybersecurity weaknesses, design a proactive response that involves physicians and employees, and regularly recheck your cybersecurity health is key to protecting your practice—and your patients’ safety and security.

For more information about how Pulse can help your organization today, contact us here.