Are You Cybersecure?
From backing up your security software to encrypting mobile devices, here’s a physician’s guide to keeping your practice safe from virtual or physical threats
Ravi Goel | | Longer Read
At a Glance:
- Ophthalmologists are increasingly dependent on electronic health records, which makes practices vulnerable to cyber threats
- A security risk analysis should be performed by the practice’s key leaders. Practices should assess their relationship with vendors, subcontractors and electronic health record (EHR) companies
- Establishing a secure culture, aimed at protecting both the virtual and physical ways of accessing patient data, is paramount
- Online cyber security modules are helpful to ensure best practices to protect the practice’s network and hardware infrastructure.
Every industry has its “good old days.” In sports, it was the 1920s, when games became the cornerstone of American life. In film, that golden era lasted five decades – from 1929 until the ‘60s. But in medicine? That’s a little more subjective. If you ask me, the “good old days” were during residency and my first years in practice in the early 2000s. Why? Because that was when a physician could find out everything they needed to know about a patient – from their visual acuity to the date of their last visit – on a single piece of paper. Now things are a lot more complicated. The same patient’s electronic health record (EHR) is seven or eight pages long, complete with forms, drop-down boxes and click buttons. There are sections dedicated to everything from dry eye to LASIK – with diagnoses taking even longer to input. A recent study by the American Medical Association (AMA) found that for every hour a doctor spends in clinic with a patient, they spend two hours at home on the EHR (colleagues across medicine refer to this as “pyjama time”). But time – or lack thereof – may not, in fact, be the biggest challenge tied to online record keeping. The under-appreciated and often hidden title belongs to cybersecurity.
Famed investor, T. Boone Pickens, once said his secret to cyber security was a yellow notepad (and thus a pen over a stylus!). In a society dealing with increasing challenges with data and privacy breaches, many believe that the only way to stay safe online is to not be online at all. But that’s not feasible for those of us in healthcare. Electronic health records are an essential part of modern ophthalmology. EHRs have often simplified access to patient information through remote access. With these benefits, EHRs have also made practices vulnerable to cyberattacks, with 83 percent of physicians having experienced some form of online threat (1). Of those, 55 percent were targeted by phishing, 48 percent by viruses or malware and 9 percent by ransomware. As physicians, we know we have to protect our practice and patient information from virtual thieves, too. But where do we start? The first step is knowing what measures you already have in place. You can do that with a security risk analysis.
Identify, assess, document
The purpose of a security risk analysis is simple – to identify potential threats, determine the likelihood of a threat occurrence, and assess and document existing security measures. It is important that the main leader in the practice performs the analysis – not a vendor, website provider or EHR provider. Because there are a significant peripheral health information that could be vulnerable to attack, the safer, smarter, and efficient method is to perform the analysis yourself. You can find a free analysis tool online at healthit.gov, along with a list of practical cybersecurity tips (Table 1), but we will get to that later. You will also be required to assess your practice’s relationship with vendors, subcontractors and EHR companies, or – more generally – anyone who deals with patient information. The analysis is an essential step in protecting you against online threats – not least of which is ransomware. Remember, 9 percent of practices in the United States have been held to ransom – and you don’t want to be one of them.
Ransomware takes many forms, and can make its way into your computer in the most innocuous of ways. All it takes is for someone to go online and click on an unsafe link– and it can truly be anything, from an email to a pop-out box – for the website to begin infecting every file on your computer. If you want to access those files, you will have to pay a ransom to receive an unlock key. This happened to major health care system, the Hollywood Presbyterian Medical Centre in California, a few years ago. One morning, they walked into the office and found their entire healthcare system had been shut down. The hackers said they could have access to their computer systems back if they gave them 20 bitcoins, which were worth about $70,000 at the time. Had they asked when bitcoins hit their peak valuation, that number would have been closer to $4 million. Of course, not all ransomware cases are this extreme. Often, the ransomware asks for an amount a practice can afford to lose and less than the cost of a new system. The problem is that the ransomware will continue baiting, unlocking and re-locking your system to force you to pay more.
But malicious links aren’t the only form of cyberattack you should be aware of. Job listings can also open your practice to outside threats. Say a potential employee emailed their CV to your practice. If you, or one of your colleagues, were to download that file, not knowing it contained malware, you could very well infect your entire computer system. Data breaches can also occur from within. Here’s an example: a former US President had surgery at a major medical center. An employee at the health system who was not involved in his care inappropriately accessed the VIP’s laboratory information. Though the practice was able to identify the perpetrator, the damage had already been done.
Establishing a secure culture
Of course, knowing which threats exist is not enough to stop them from happening. According to healthit.gov, to truly protect patient information, you need to establish a secure culture – and that means using a firewall, installing and maintaining anti-virus software, using strong passwords and, most of all, planning for the unexpected (you can find a full checklist in Table: Healthcare Tips). Though all of the tips concern your cyber health, number 7 – control access to protected health information – is a good reminder that physical access to patient information should be controlled as tightly as online access. Say someone walked into your practice today – would they be able to physically steal your server? What about the mobile devices your team use to access patient information on the go – are they secure? These are the kind of questions you need to ask your practice.
If you need more information, take the Cyber Security Module on healthit.gov. It gives you possible answers to common scenarios like this one:
Imagine you attend a conference and learn about the importance of securing your office network and hardware infrastructure. How do you proceed?
i) do you research network security to select the best configurations for the needs of your office?
ii) buy the hardware and software to secure the network and ask around for someone to do the installation?
iii) ask technical support to access your current network configuration, recommend and explain operations and improvements to secure your network before getting the cyber office manager to secure it?
The correct answer is number three. If you didn’t get that right, try some of the other questions online.
From one physician to another
So with all this in mind, here are my six practical pearls for a safer practice, based on my own experiences as an ophthalmologist.
1. Who is your IT guy/gal?
Could you text that person if there was a problem with your system on a Saturday morning? That’s the kind of relationship you would ideally like to have with your IT and cyber-security provider.
2. Who backs up the data and how often is it done? Is it done on-site or offsite?
In my personal practice, we have a server-based system. We make a point of knowing who backs it up and how often. In case of a fire, what would happen to those servers? How is the data secured? If it is backed up in the cloud, how secure is that?
3. Does your team use Internet from desktop or servers?
In my personal practice, we use dummy terminals which means there is no patient information on the desktop. Instead, data is kept in a server, which we access remotely. That way if someone were to steal the computer or the hard drive, they wouldn’t be able to access any patient information. Another benefit is that any potential malware should only affect individual computers, not the remotely accessed server.
4. Are all mobile devices encrypted and Wi-Fi secure?
Patients want free Internet when they come to the office. If you’re able to offer Wi-Fi, make sure patients access it through a separate login to protect your data. Why not also treat it as an opportunity to get new patient reviews? Direct patients to a feedback form on your practice homepage via the login. It’s a win-win.
5. How often is your security software backed up?
The ideal answer is: often. And don’t ignore software security notifications. Updates are critical to protecting your practice.
6. Don’t outsource your cyber security.
This is the most important pearl, especially in terms of MIPS (Merit-Based Incentive Payment Systems). If you practice in the United States and would like to participate in MIPS, you must do the security analysis properly. If you don’t, you may not pass your EHR audit.
Outside the Practice
But cybersecurity goes beyond the four walls of your practice. To make sure your practice is protected against any eventuality, you need to protect your website, too. Take a look at these bonus pearls for tips on improving your website security:
1. Is the PHI collected on your website cryptic?
2. Are your forms HIPAA compliant – including comment boxes?
3. Do you have BAAs (Business Associate Agreements) with your vendors?
Don’t underestimate the importance of this – it is where 62 percent of violations occur surrounding healthcare information.
4. Do you have consent for patient videos and testimonials?
Some states prohibit testimonials altogether. Check if you’re allowed to promote patient testimonials before obtaining consent.
5. Is the site SSL (Secure Sockets Layer) secure?
6. Are you ADA compliant?
Follow these six pearls and know you have done all you can to protect your practice. If you have your doubts, take the advice of a college classmate who became a computer science professor, “If there is no downside, there is an inherent upside.” This is one of those situations. You have nothing to lose by following these pearls, but everything to gain. So perform that risk analysis, install that firewall, speak to those vendors, do what you can to keep your practice secure – you may just thank me later. A perfect New Year’s resolution.
Ravi D. Goel is an ophthalmologist practicing at Regional Eye Associates, Cherry Hill, New Jersey, and Wills Eye Hospital, Philadelphia, USA