Last month, TMA learned a South Texas member physician was the victim of a cyber attack in which a thief hacked into the physician's computer and demanded money in exchange for the key to access the encrypted information. Since then, TMA has been working to publicize steps you should take to safeguard your system from cyber attacks.
"TMA would like to again warn our members of cyber hackers and the possibility of ransom requests for the return of your patients' billing information and medical records," said TMA President Tom Garcia, MD. "Please consider reviewing your liability coverage to include this risk because it is a risk."
The Texas Medical Liability Trust (TMLT) includes comprehensive cyber liability coverage in all of its policies. TMLT also offers customized services to help large groups, small offices, and individual physicians arm themselves against online threats. Learn more about TMLT's cyber liability coverage.
TMLT compiled this list of 10 common causes of compromised patient data:
- Cyber criminals: Cyber attacks account for 45 percent of data breaches in health care organizations, according to the Ponemon Institute's 2015 Fifth Annual Benchmark Study on Privacy and Security of Healthcare Data.
- Lost or stolen portable devices: TMLT recommends using whole disk encryption on your mobile devices whenever possible and installing a remote wipe utility to erase all information from the lost or stolen device.
- Failure to use encryption: TMLT recommends encrypting all email, cloud storage, and Wi-Fi networks.
- Work culture and habits: TMLT urges practices to create a work culture that constantly promotes patient data security and privacy, as well as ongoing training in privacy and security for physicians and office staff. TMA Practice Consulting offers HIPAA training for your practice. For information, call (800) 523-8776.
- Data security that lags behind current technology: TMLT cautions practices not to rely solely on antivirus/antimalware software but to take a multilayered approach and to work with information technology professionals who are familiar with the latest technology.
- No cyber security plan: TMA's on-demand webinar HIPAA Training for Medical Office Staff provides training on state and federal HIPAA compliance for medical offices. TMA's Policies & Procedures: A Guide for Medical Practices includes a comprehensive, customizable HIPAA and HITECH privacy and security section.
- Careless use of passwords: TMLT says medical office staff and physicians should avoid sharing passwords. TMLT suggests using multifactor authentication and avoiding password-reset questions that cyber criminals could answer easily by researching you or your family.
- Unsecured Wi-Fi networks: TMLT says practices that must use a public Wi-Fi network should use a virtual private network (VPN) encryption tool and protect their own Wi-Fi with a strong password. In addition, use a secure network that is configured with a firewall and encrypts all data.
- Legacy systems: Relying on outdated (legacy) computer systems to store data makes you an easy target for hackers. TMLT suggests routinely performing security risk assessments that include your legacy systems to uncover possible data breach risks.
- Cloud storage: Ensure any cloud storage provider you are considering offers secure storage and meets HIPAA compliance requirements. Know their security protocols and whether they are willing to sign a business associate agreement. Avoid storing protected health information, personally identifiable information, and financial data on cloud-based services that are not covered by a business associate agreement.
For additional guidance, check out TMLT's SlideShare presentation on cyber security best practices.
TMA says physicians should protect themselves against ransomware and other malware by making sure their computer systems are backed up regularly to an external drive or backup service. In addition, physicians should consider setting up their email accounts to reject emails carrying executable attachments (.exe file extensions), patch or update their software regularly, and enable automatic software updates whenever possible. Computer systems should have reputable antimalware software, as well as a software firewall to help detect threats. Taking these precautions should allow you to avoid infection or to recover quickly from a malware attack.
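The executable-attachment rule above, as an added example that is not code from TMA or TMLT: a policy check of the kind a mail gateway applies when an account is set to reject messages carrying executable files. The extension list beyond .exe, the MIME types, and the sample message are assumptions constructed for the demonstration.

```python
# Added example, not from the TMA/TMLT article: reject mail whose attachments
# look executable. The sample message below is constructed for the demo.
import email
from email import policy
from email.message import EmailMessage

# ".exe" is the extension the article names; the others are common Windows
# executable and script types, added here as an assumption.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                         ".js", ".vbs", ".msi", ".ps1"}
# Content types that declare executable content whatever the filename says.
EXECUTABLE_MIME_TYPES = {"application/x-msdownload",
                         "application/x-msdos-program",
                         "application/vnd.microsoft.portable-executable"}


def executable_attachments(raw_message: bytes) -> list:
    """Return filenames of attachments that look executable.

    Only the last extension is used, lower-cased, so 'Invoice.EXE' and
    'invoice.pdf.exe' are both flagged; the declared MIME type is checked
    too, so a misleading filename alone does not get a file through.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = name[name.rfind("."):].lower() if "." in name else ""
        if ext in EXECUTABLE_EXTENSIONS or part.get_content_type() in EXECUTABLE_MIME_TYPES:
            flagged.append(name or "<unnamed attachment>")
    return flagged


def build_sample(filename: str, maintype: str, subtype: str) -> bytes:
    """Construct a one-attachment message (sample data, not a real email)."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "frontdesk@clinic.example"
    msg["Subject"] = "Invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(b"\x00placeholder\x00", maintype=maintype,
                       subtype=subtype, filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    for name, mt, st in [("invoice.pdf", "application", "pdf"),
                         ("Invoice.pdf.EXE", "application", "octet-stream")]:
        verdict = "reject" if executable_attachments(build_sample(name, mt, st)) else "accept"
        print(f"{name}: {verdict}")
```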
Unfortunately, health care entities are a popular target for cyber criminals. Eighty-one percent of health care executives say their organizations have been compromised by at least one malware, botnet, or other cyber attack during the past two years, and only half feel they are adequately prepared to prevent attacks, according to the 2015 KPMG Health Care and Cyber Security Survey. More concerning, 16 percent of health care organizations said they cannot detect in real time if their systems are compromised.
Malware is the most frequently reported line of attack, cited by 65 percent of KPMG survey respondents. Botnet attacks, in which computers are hijacked to issue spam or attack other systems, and "internal" attack vectors, such as employees compromising security, were cited by 26 percent.
Areas with the greatest vulnerabilities within an organization include external attackers (65 percent), sharing data with third parties (48 percent), employee breaches (35 percent), wireless computing (35 percent), and inadequate firewalls (27 percent).
If you are the victim of a cyber crime, report it to the FBI.
For more information, read "Cyber Crimes" in the July 2014 issue of Texas Medicine.
Action, April 15, 2016