Guest Column | January 23, 2018

Protecting Physician Practices From Cybertheft Takes More Than A Do-It-Yourself Approach

By Chris Walls, Pulse Inc.

Medical Device Cybersecurity Secure Design

Protecting patient data has become as important as protecting patients’ lives in an era of increased cybersecurity threats in healthcare, particularly for physician practices, which are especially vulnerable to attack.

Today, many physician practices subjected to a ransomware attack pay the fine simply because they can’t afford disruptions in care when patients’ lives are at risk. With a 50 percent increase in healthcare cyberattacks this year, all healthcare organizations are a potential target. But physician practices, especially smaller practices, typically do not have the resources to afford large, complex data storage centers or dedicated IT staff to keep up with installing the latest security updates.

A do-it-yourself approach to IT security is no longer sufficient for physician practices. Instead, a proactive approach to data security should include the following best practices.

Strengthen your cloud capabilities. Cloud technology offers access to the latest security tools and patches, and is an economically affordable approach to cybertheft protection. Seventy-five percent of healthcare providers plan to use cloud technologies within a year, according to a 2017 HIMSS survey. But not all cloud applications are equal. Some offer higher levels of security protection than others.

Practices should keep these key security considerations in mind when investing in a cloud solution:

  • How often does the cloud vendor scan its software applications for threats? Some vendors perform continuous scans; others scan software monthly.
  • What is the vendor’s disaster recovery and data backup plan? When patient information is at risk, you need a cloud solution that ensures critical data is always available, with clear back-up procedures in place, including back-up to a server in another location.
  • How does the cloud vendor report security incidents—no matter how small—to the client? Given the sensitivity of the data you are protecting, total transparency is critical.
  • How will the cloud solution integrate with other cloud applications your system uses, such as those used by the hospital you service? Interoperability is key. Make sure the cloud solution you choose supports collaborative care with other providers across the continuum as well.

Invest in a hybrid solution: a part-cloud, part-on-premise approach. Some legacy systems do not lend themselves to a cloud approach as well as others. A recent survey of IT decision makers found 91 percent believe their organization’s cloud capabilities are limited by legacy network infrastructure, which limits their ability to leverage cloud applications’ full potential. Additionally, some cloud solutions are less economical than others, and it may not be financially feasible for a physician practice to turn all its data and software applications to the cloud.

When deciding which applications should be cloud-based, physician practices must weigh the benefits according to three factors:

  • The sensitivity of the data being protected. Start with high-risk data to provide an extra layer of security and ensure access to sensitive information when seconds count.
  • Compliance requirements. Some applications require a higher level of security than others. Look for a cloud provider that meets HIPAA compliance requirements and has significant experience in working with physician practices of all sizes and types.
  • The physician practice’s existing systems and its goals for using the cloud. For some practices, the ability to access patient information in real time in a variety of locations and from multiple types of devices is a deciding factor for cloud investment. Cost and IT requirements also are important to consider. Can your physician practice’s existing infrastructure support a cloud solution? Will the application reduce costs for your practice through economy of scale, and if so, to what extent? Seek feedback from staff throughout the cloud vendor vetting process to ensure selection of the right solution for your practice.

Conduct a security risk assessment to determine your practice’s greatest security vulnerabilities, and determine your approach based on the findings. This is a significant step in a heightened-risk environment. A large physician practice may be able to conduct a risk assessment using its IT staff and online risk-assessment tools from HIMSS or the Office of the National Coordinator for Health IT as a guide. Small practices should hire a security services provider to make this assessment. It’s important to conduct an IT security risk assessment once a year.

Additionally, reach out to the vendors you currently use and ask them to make an assessment for free. This feedback could supplement a paid assessment while providing a relationship-building opportunity for the vendor. Recommendations from a trusted vendor could then inform your organization’s approach.

Protecting Your Practice—And Your Patients

In an era where the value of medical data makes physician practices an easy target for cyberthieves, physicians can’t leave their IT security to chance. It’s no longer enough to hire a single IT resource to manage protection of patient data. The number of new threats continually emerging means everyone in the organization—from practice leaders to front-desk staff—must be empowered to protect their data from attack.

Ask the IT vendors you partner with for tips on best practices and suggestions on better protecting IT systems, the inside of your facility and your external perimeter from attack. Vendors visit multiple healthcare organizations each month and will have their pulse on emerging threats and best practices for protecting your organization’s data. Be open to evolving your approach as the environment changes. Staying nimble will better position your practice to respond with agility when new threats call for quick response.

About The Author

Chris Walls is President and CEO of Pulse.