Building a Culture of Cybersecurity to Protect Your Patients, Data, and Practice

by Dana Lawrence, MAFP Director of Communications & Member Services

I was at a family reunion on a Saturday afternoon in July when I received an email from MAFP’s CEO, asking me to immediately complete an ‘important task.’ My first instinct was to respond quickly, taking whatever action was needed. When your boss asks you to do something, you do it, right?

Fortunately, my gut kicked in, raising red flags of warning. The wording in the request was not typical of Karlene, and I knew she was more likely to be spending time with her family over the Pure Michigan summer weekend than emailing me. Upon closer inspection, I deciphered that the email address was not hers at all, although it appeared to be at first glance.

I later learned that MAFP had been the target of spear phishing—a tactic employed by cyber criminals to collect valuable information or gain access to a network or system. It entails the attacker researching an individual or organization to learn important details that can make the email appear plausible. Unsuspecting targets click a link, open an attachment, or visit a malicious website, opening the door for a cybersecurity breach.

Healthcare Industry at Risk

Over the past year, security breaches  in the U.S. increased 11%,1 with 91% being the result of phishing.2 Nearly four out of five breaches involved a healthcare professional or organization, affecting one in every 10 healthcare consumer.3

“Healthcare professionals hold valuable information—birthdates, social security numbers, credit card information, email addresses—that can be sold for top dollar on the dark web or used to open lines of credit, make purchases, steal identities, or commit insurance fraud,” said Scott Taber, cybersecurity awareness program specialist at the Michigan Small Business Development Center.

Mr. Taber is preventing a CME session on cybersecurity at the 2020 Michigan Family Medicine Conference & Expo in August.

A breach can also entail ransomware—when an attacker infiltrates a computer or network to block users’ access to critical information and systems, such as an  EHR, until a ransom is paid. The FBI does not support paying ransom, as doing so does not guarantee an organization will regain access to its system or data.

Whether your practice is big or small, or you are independent or employed by a large hospital or academic system, you are equally at risk for a cyberattack. While an attack is always inconvenient and costly, it also has the potential to impact patient health when it occurs in the healthcare sector. At a minimum, workflow is disrupted. The stakes are much higher when an attack blocks clinicians’ access to patient records necessary for care delivery, alters how, or if, a medical device is working, or forces a practice to close.

“Cybersecurity has expanded the scope of patient wellness to include protecting technology, networks, and databases that enable uninterrupted and accurate patient care. This includes securing computer systems, protecting data, and training personnel to be cyber-vigilant,” advises the U.S. Department of Health and Human Services.4

Security is Everyone’s Concern

So, what can you do to guard your technology and data and protect your patients?
 
“The key is to build a culture of cybersecurity. Security transcends all areas of business and individuals’ personal lives, online. Effective security measures are balanced by the importance of the resource being protected. The more important the resource, the more layers of security should surround the resource,” said Lonnie Decker, PhD, associate professor and department chair of Davenport University’s College of Technology in Grand Rapids, Michigan.

Davenport University recently received a five-year, $4 million grant from the National Science Foundation to train and educate the next generation of cybersecurity experts.

Train, Train, Train

Employee training is the first line of defense and should be ongoing.

“Security is a process,” explained Dr. Decker.

Beginning at orientation and continuing through ongoing workshops and tabletop exercises—especially as policies and procedures are continually reviewed and enhanced—it is essential that every team member is educated about:

  • Where the organization’s data and technology are stored and who has access; ownership is important—if you share data in the cloud, who owns it? The fine print is important!
  • The organization’s basic security practices (e.g., how to use spam filters to prevent harmful email) and policies that everyone must follow (e.g., requiring pre-approval before downloading software)
  • How to protect against attacks (see below)
  • What attacks look like (see below)
  • What to do if an attack is suspected (see below)

Identify

“You have to know what you need to protect, before you can protect it,” said Mr. Taber.

This entails identifying and keeping an up-to-date inventory of your organization’s technology, including manufacturer, make, model, serial number, and software version that is installed and running.

When taking inventory, consider your organization’s WiFi, routers, firewalls, mobile devices, email, file sharing, copiers, printers, fax machines, cloud solutions, VPN, switches, USB, website, social networking, point of sale, and third-party vendors.

Protect

  • Treat emails that request private information or include an urgent call to action as suspicious
  • Never click on a link or open an attachment in a suspicious email or from an unfamiliar sender
  • Use strong/unique passwords, change them regularly, and store them in a protected password manager application, never in a spreadsheet or document stored on the computer, or written down anywhere—especially near the computer!
  • Implement multifactor authentication
  • Install and regularly update virus and malware protection software and a professional grade network firewall on all devices that connect to the Internet
  • Regularly update your operating system, web browser, and email filter
  • Wipe a device’s hard drive before disposing of it
  • Delete unneeded apps and update existing apps regularly
  • Continually back up data to HIPAA- compliant storage that is not connected to the same network as the primary source of data; regularly test and verify backups by restoring a test file—rule of thumb is to set this at an interval where you would be able to survive the loss of the data between backups
  • Ensure devices have application level encryption 
  • Restart devices weekly to apply updates
  • Lock devices when you leave them
  • Limit access to protected information to only those who need to view or use the data

Detect

The quicker you know about an attack or breach, the quicker you can mitigate the impact.

  • Did you receive an unsolicited phone call, email, or text  that  requests urgent action or the sharing of private information?
  • Is email wording unusual and are there misspellings?
  • Does a URL appear legitimate at first, but after a closer look have the wrong domain (e.g., .com versus .net) or an extra letter?
  • Is your computer suddenly running slower or have new icons?

Respond

  • “Too often, organizations don’t establish an incident response plan until there is an attack, which drastically slows down the response and recovery time,” said Mr. Taber.
  • Every response plan should include guidance for, among other things:
  • Disconnecting affected computer(s) from the network
  • Notifying the IT security team, whether that be internal staff or a third-party vendor; if you see something, say something!
  • Informing law enforcement, your organization’s attorney, and filing a report with the Federal Trade Commission
  • Using a spare computer and back-up files while continuing to capture operational data
  • Switching to paper, if electronic records are unavailable
  • Documenting lessons learned so you can improve security policies and procedures
  • Adhering to Michigan’s data breach notification law

Mr. Taber also recommends penetration testing. “At least once a year, hire a third party to simulate real-world attack scenarios to discover and exploit security gaps at your organization. Can the tester get through the firewall or access the network? Is the tester restricted to accessing only the data they are supposed to have access to? Does staff click on malicious links in a suspicious email?”

Need help writing a plan? Consult the Federal Communication Commission’s Small Biz Cyber Planner 2.0 at to create a custom cybersecurity plan that addresses your organization’s specific needs and concerns.


This article is reprinted by Michigan Family Physician winter 2019-2020; it contains general recommendations that should not be taken as professional advice.

1 www.accenture.com/us-en/insights/security/cost- cybercrime-study
2 digitalguardian.com/blog/what-is-spear-phishing- defining-and-differentiating-spear-phishing-and- phishing
3 blackbookmarketresearch.newswire.com/news/ healthcare-data-breaches-costs-industry-4-billion- by-years-end-2020-21027640
4 www.phe.gov/preparedness/planning/405d/ documents/hicp-main-508.pdf