As we have highlighted in our previous articles, the COVID-19 pandemic has increased the likelihood of a data breach. Medical facilities have become some of the most sought-after targets for data breaches, in part because of the wealth of protected health information (PHI) held in your electronic medical record (EMR) systems. Following a breach of your EMR system, your patients’ PHI can be sold online by hackers, leaving your patients vulnerable to fraud and identity theft.
Some common forms of cyberattacks you are liable for include business email compromise (BEC), social engineering, phishing, malware, employee error, and ransomware. For a more in-depth look at each of these cyberattacks and how they may be employed against you, please see our previous piece on Top Cyber Security Risks You Face.
While the likelihood of a cyberattack is on the rise, there are still some simple steps you and your employees can take to mitigate this ever-growing risk and prevent claims. Below we have outlined just a few tactics you can use to reduce your risk and safeguard your data.
1) Two-Factor Authentication
Two-Factor Authentication (2FA), also known as Multi-Factor Authentication (MFA), is a cost-effective and easy way to safeguard your data. This method protects your practice by adding an additional layer of security when logging into secure portals. With 2FA enabled, a code is sent to your mobile device when you try to log in to a secure portal. Since most successful data breaches stem from compromised login credentials, a second factor stops a hacker who has only a stolen password from accessing your system, since they will not also have the employee’s cell phone. Some cyber liability carriers, such as Tokio Marine HCC and Beazley, help their insureds set up 2FA/MFA.
2) Employee Training
However much software protection you add to your devices, the biggest liability for your cyber security is your staff. Well-intentioned employees can make mistakes. Business Email Compromise (BEC) is the single greatest threat to your data security, and it relies on an employee’s work email account being compromised and hackers using that authentic mailbox to wreak havoc. BEC can occur when there are lax security measures within the company. This propensity for human error necessitates regular employee training. By providing consistent training, your employees will learn to identify threats to your cyber security and will not be taken in by phishing scams or other schemes that rely on social engineering.
3) Spam Filter
Outside of BEC, phishing is another common cyberattack that relies on social engineering techniques to gain access to your sensitive information. Unlike BEC, phishing emails are sent from a fraudulent account impersonating one of your employees. If an employee receives an email from what they believe is a reliable source, they may let their guard down and unwittingly allow a hacker to gain access to your system. Most email servers have filters that can be enabled to automatically field suspicious messages and keep them from reaching an employee’s inbox. Other email solutions that help reduce the risk of BEC and phishing include Proofpoint, Mimecast, and Ironscales.
4) Offline Backup
Ransomware attacks have gone up 486% in the last two years alone. These attacks consist of hackers infiltrating your system and then holding your patients’ PHI for ransom. With regular offline backups, you reduce the damages of a ransomware attack and the resulting business interruption. If your information has already been stored in a secure secondary location, you will not need to pay a ransom to come back online; instead, you can focus on getting your system back online and then restoring the information after the fact.
5) Anti-Virus Software
Anti-virus software is a vital component of protection. This software is designed to identify and block suspicious activity. Newer software, known as behavior-based security software, scans devices for unusual activity and determines whether this deviation is a threat. This method is superior to older anti-virus software, which relies on lists of known threats and does not offer real-time adaptation to new tactics.
6) Routinely Evaluate Technology and Data Security Practices
Enhance safeguards to limit unnecessary or inappropriate access to and disclosure of protected health information. By routinely evaluating your system, you will ensure your practice is compliant with HIPAA and you enhance the likelihood of identifying a problem early on.
7) Limit Access to Privileges
Access from workstations and programs should be limited to the appropriate level for each healthcare professional’s role, and should be monitored and controlled to prevent unauthorized access.
8) Create HIPAA Compliant Contracts
Put HIPAA-compliant contracts in place with business associates who create, receive, maintain, or transmit electronic protected health information on your behalf. Medical billing services, hardware and software vendors, external consultants, and lawyers should all be considered business associates.
The aforementioned security measures are a handful of ways you can better secure your practice’s data. For a more comprehensive guide on how to safeguard your practice’s data, please see the Cybersecurity Checklist from Kite Technology, an IT management and consulting services company.
Most cyber liability insurance providers offer their insureds pre-breach services that help you institute comprehensive security measures. Contact your Professional Risk agent to learn more about the services your cyber liability carrier provides.