• Protecting Your Practice from Ransomware and Other Cyberthreats


    Data security poses a significant challenge for health care practices. Following is a detailed summary of this Mid-Year Forum 2017 session on how ophthalmology practices can protect themselves from ransomware and other cybersecurity threats.

    Abstract

    With rapid adoption of electronic health records and other clinical information systems, clinical and financial data are stored electronically. In this environment, no one can afford to take cyber security lightly. There have been many high-profile cases of data security breaches, cyber ransomware, hacking of computers or medical devices and loss of productivity. This is an important topic that affects all practicing physicians. This session provided background about this topic, the seriousness of these threats and actions you should take to protect your patients, your practice, and yourself.

    Background Information

    The need for cyber security continues to grow as we have an increasing need for protections from internal and external threats. The health care field continues to top the industry list for the number of data breaches. The majority of the data exposed from breaches are also in the medical/health care area.

    Ransomware as a means of income for hackers is also growing as the convenience of payment is often easier than dealing with an environment that had not planned for an attack. With the use of ransomware, a hacker has the ability to negatively affect the productivity of your practice with a shutdown of your computers and medical devices.

    In order to effectively prepare for cyberthreats, we must employ a multi-layered approach to security and protection. The use of firewalls, antivirus, encrypted devices and monitoring systems are a critical part of the protections. Staff training and education, proper cyber insurance coverage and periodic analysis of vulnerabilities in your practice must also be done on order to protect yourself and your patients.

    Summary of Comments from Guest Speakers

    Introduction

    Michael Chiang, MD – Trustee-at-Large, Academy Board of Trustees

    • We have a goal of anytime, anywhere access to data.
    • Medicare evolving model from fee-for-service (quantity) to value-based purchasing … increasing the use of data-driven systems.
    • With the increase in data access and convenience, we have more exposure to risk.
    • With the wider use of EHRs, mobile devices, email/SMS and computer systems, we need to be more responsible about computer security.

    Cybersecurity 101 for ophthalmology and physician practices

    Ravi D. Goel, MD – Comprehensive Ophthalmologist, Regional Eye Associates, Cherry Hill, N.J.

    • The days of using paper for patient health care are coming to an end. To effectively perform the new requirements needed for our practices, you need computer-based systems.
    • Make sure that you know who is providing your IT support (and be able to reach them in the case of an emergency).
    • Make sure that you understand your backup policy (where is your data backed up, who backs up your data and how often).
    • Secure your desktops that use the internet.
    • Perform a security risk analysis and make needed improvements.
    • Put in place effective cybersecurity policies to minimize the risk of hacking.
    • Encrypt your mobile devices and secure your Wi-Fi networks.
    • Do not outsource your cybersecurity.

    How to protect yourself

    Jeff Daigrepont – Senior Vice President, Coker Group

    • While the use of health IT is improving quality of care and reducing errors and cost, it is critical that the privacy and security of patient health information is a top priority.
    • All storage locations and communication of patient health information must be protected with encryption (desktop, mobile, computer center, cloud).
    • We face numerous threats from a cyberbreach that can have a far-reaching impact on your patients and your practice.
    • Make sure that you understand the balance of security versus privacy (security exists without privacy, but you can’t have privacy without security).
    • Do not underestimate the value of your staff adhering to good practices to protect your environment…most attacks rely on poor judgement of the end user.
    • Make sure that you staff is trained to look for threats such as ransomware, social engineering, phishing and suspicious websites.
    • Keep your security software and systems up to date.

    Liability, regulation and risk management

    Mike Karbassi – Vice President-Northeast Region Underwriting Manager, NAS Insurance

    • Medicine/health care leads data breaches by industry (36 percent of all breaches); 67 percent of the data exposed is from medical/health care breaches.
    • The three biggest causes of breaches are phishing/hacking/skimming (55.5 percent), accidental exposure (9.2 percent) and employee error (8.7 percent).
    • Make sure that you have risk management controls do you have in place to prevent a breach event.
    • Be sure that you understand HIPAA regulatory defense and penalties.
    • Make sure that you understand first-party and third-party liability exposure.
    • Some typical cyber liability claim scenarios and trends involve mistakes made by employees, credit card skimming, unprotected patient data and viruses/ransomware/malware.
    • Assure that your cyber liability policy appropriately addresses your firm’s exposures.
    • Learn the essential coverage components of a robust policy.
    • Know what to do when you have a breach…and how your cyber liability insurance policy will work for you (review your policy).
    • Manage your risk with comprehensive employee training, effective password management, proper encryption, secure networks, security/antivirus software and appropriate access-level security.

    Cybersecurity: Observations and Conclusions

    Bradley Fouraker, MD – Board Director, OMIC

    • Responsibility for protecting patient information is on us.
    • We see increasing problems and risk with cybersecurity.
    • Protections need to be a growing part of what we do.
    • Recommended the increased use of encryption (email and devices) and better password management to protect systems and data.
    • Recommended the use of third party antivirus and firewall software.

    Summary of Audience Comments

    What are your recommendations on encryption and password management (devices, software, policies)?

    • We recommend that you implement encryption on your devices.
    • Most EHR vendors have encryption built into their products.
    • Make sure that your emailed patient information is encrypted.
    • Do not send patient identifiable health information via text message (if you must, make sure that your device is encrypted and locked.  If you must text, use a HIPAA compliant messaging app like HipaaBridge).
    • Use a password generator/manager to create complicated passwords and access them easily (Dashlane or LastPass are products that can be used).
    • Create complicated passwords and change them regularly.

    When we respond to email by sales reps, are we being phished for sales calls?

    How much cyber insurance do we need?

    • It depends on a number of factors…including the number of patient records you are storing. One million dollars is good for small practices (1-3 ophthalmologists). $10-30 million of coverage would be good for larger practices. Make sure that your cyber insurance for your EHR is adequate as well. Many of them have policy amounts are too low to handle an incident.
    • The rates for cyber insurance have dropped significantly over the years…please check into getting adequate coverage.

    If I use my home PC to access patient records and I get ransomware for $100, what should I do?

    • You should restore your PC from a backup if possible. You can also consult a third party that may be able to help remove the ransomware. A ransomware request for a home computer may be $100-$1,000. To help with assuring you have a good backup, use an external hard drive (store the backup at a secure location) and backup software on a regular basis.
    • Check with your EHR vender to make sure that the system does not transfer any patient health information your home computer if you use it for work functions.

    We know that we should not send patient health information via email unencrypted, what do you recommend?

    • Use some of the built-in security features of Microsoft Outlook or upgrade to an enterprise level email system like Office 365 (which allows encrypted email).
    • Do not use the free Yahoo or Gmail accounts where there is no access to technical support and no standard encryption.

    How do you protect yourself from rogue employees?

    • You should install software/hardware to monitor your systems and network traffic to monitor for suspicious activity (and actually monitor the system).  Make sure that all staff have to log in to use system resources to assure better tracking and security of your office system.

    How do you get your team to stop sending you patient sensitive information to your personal email address?

    • Start process of shifting them to your work account…inform them that they need to use your work email due to cyber security reasons.

    We have employees that work from home…with the staff performance that we see from recent phishing tests (30 percent fell for the phishing…17 percent gave up their username/password), what should we do?  Should we issue them a practice computer for their home use?

    • Issuing a low-end laptop is common for users who work from home…some practices/companies do not allow the use of personal computers for work functions.
    • Your personal devices are subject to e-discovery and can be confiscated in case of an investigation if they are used to perform work functions
    • You should hire someone to regularly perform security tests to see if you have any vulnerabilities
    • You should also implement system monitoring software to regularly monitor your systems for vulnerabilities

    What are your thoughts on guest Wi-Fi?

    • This is a great benefit for the patients
    • This is also a great backup for your primary network if you have an internet outage
    • Make sure that your guest Wi-Fi network is separate from your internal network and uses a different internet provider.

    High-Priority Objectives

    • None

    Review more sessions in the Mid-Year Forum 2017 report.