Security Considerations for Dental or Medical Practices to Avoid a Data Breach
As a healthcare provider, you are responsible for providing the best possible care to your patients. In order to do so, you gather important details about them. Therefore, you are also responsible for protecting your patients’ sensitive information. This includes, but is not limited to, demographics such as birth dates and social security numbers, financial data, or health information such as medical conditions and test results.
Recently, Quest Diagnostics was in the news for a data breach affecting 12 million of its patients. This is just the latest in a series of major security breaches in recent years. Although the breach actually occurred at American Medical Collection Agency, a third-party billing service employed by Quest at the time, it is Quest’s business reputation that is on the line.
Read on to find out ways your practice could be at risk and how to protect yourself and your patients.
A data breach is an incident in which confidential information is accessed without authorization. Your patient records contain sensitive information that is attractive to criminals, which is why cyber thieves target electronic data collected by the healthcare industry. Cybercrime in healthcare is particularly profitable. The average cost of a data breach incurred by a non-healthcare organization is $158 per stolen record; for healthcare organizations the average is $355. Credit card information and personally identifiable information (PII) sell for $1-$2 per record on the black market, but protected health information (PHI) can sell for as much as $363. According to Symantec, electronic PHI was the most common form of data lost to data breaches in 2016, with personal consumer financial information close behind.
PHI is valuable because criminals can use it to target victims with scams that take advantage of the victim’s medical conditions or victim settlements. It can be used to create fake insurance claims, or to illegally gain access to prescriptions for use or resale. Hackers seek personal information to either steal money, compromise identity to steal money, or sell to other criminals on the dark web.
Because a ransomware attack could compromise patient safety and care, healthcare organizations are more likely to pay the ransom. Newer ransomware is capable of deleting your backups before destroying your data. Smaller practices may be at the highest risk: after installing new technology to handle electronic health records (EHR), many smaller practices lack the finances to stay ahead of hackers in terms of security.
How common are security breaches in healthcare?
Studies indicate that around 83% of physicians have been victims of cyber criminals. In May 2017 a global ransomware outbreak called WannaCry infiltrated several major organizations, including Britain’s National Health Service. Your entire network is at risk, including peripheral devices, phones, tablets, etc.
It is incredibly important that all of your practice protocols and systems, including your health information technology (HIT), maintain HIPAA compliance. Your health information technology should have all the proper safeguards in place to ensure the security of your patients’ data. A HIPAA-compliant network will be password-protected and will have antivirus and anti-malware software installed and used consistently. As with printed PHI, staff should be properly trained in HIPAA-compliant practices for handling information technology. Also remember that not every staff member requires the same level of access to patients’ PHI; each role should be given only the access its duties require.
How do data breaches occur?
Some ways hackers gain access to a network are by:
- Exploiting system vulnerabilities: If you do not keep your software up-to-date on each of your computers and peripheral equipment, you could leave an entry point to your network.
- Breaking weak passwords: Weak user passwords are easier for hackers to guess. Experts advise that you use complex, unique passwords that do not contain personal information. They also recommend that you change your passwords often and don’t use the same password for multiple applications.
- Drive-by downloads: You or a staff member could unintentionally download a virus or malware simply by visiting a compromised web page or opening a link in a spam email. A drive-by download typically takes advantage of a browser, application, or operating system that is out of date or has a security flaw.
- Targeted malware attacks: Cyber attackers use spam and phishing email tactics to trick the user into revealing credentials, downloading malware attachments, or visiting malicious websites. Email is a common way for malware to end up on your computer. You and your staff should avoid opening any links or attachments in an email from an unfamiliar source. Remember that attackers can make an email look like it comes from a trusted source. Clicking on a link or attachment in a malicious email could infect your computer with malware.
- Installing ransomware: This type of malware encrypts user files and then demands a fee of either $300 or $600 worth of bitcoin to release the encrypted data back to the owner.
A large portion (48%) of data breaches are not caused by cyber criminals at all; they are caused by system glitches and human error.
How much would a data breach cost?
According to a 2017 study sponsored by IBM Security and conducted by Ponemon Institute, data breaches cost U.S. companies an average of $225 per compromised record. That number increases to $380 per record in the healthcare industry. The breakdown of recovery costs is as follows:
- Heavy HIPAA fines (often in the millions)
- Paying for reporting information about the breach to the media
- Costs of forensic investigation
- Fees for credit monitoring for all affected patients
- Costs of potential class action lawsuits
If your practice suffered a data breach, you would also have to notify the U.S. Department of Health & Human Services. Perhaps the most devastating cost to your practice would be lost revenue as a result of damage to your brand. When patients do not trust you, they find care elsewhere.
How should you protect your practice from a data breach?
Consult your IT partner for advice on how best to avoid a data breach and protect your patients. To fully protect patient data, practices should consider measures such as employee training and server and workstation monitoring. Employee training on security policies and procedures has been shown to decrease data breach costs by more than $9 per compromised record. The Health Insurance Portability and Accountability Act (HIPAA) outlines specific recommendations for handling patient ePHI, such as offsite data backup, firewall security, virus protection, and data encryption. Practices can add a further layer of protection by running security risk assessments once or (ideally) twice a year. The Quest Diagnostics breach occurred at a business associate. Be extremely careful in choosing vendors who will come in contact with your patients’ sensitive information, and make sure they sign a Business Associate Agreement.
Here are some ways you and your staff can prevent a data security breach:
- Don’t click on any suspicious links or websites
- Use protective software
- Keep your practice management software updated
- Back up your data
- Encrypt sensitive information
- Create a security policy for your practice
- Be prepared with a disaster recovery plan
- Educate employees in data security practices
- Limit employee data access according to job responsibilities
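The last item, limiting each employee's data access to what their job requires, is the HIPAA "minimum necessary" idea in practice. The following is an added example, not code from this article or from any practice-management product, showing one way to enforce it in software: each job role gets an allow-list of record fields, any request that reaches outside that list is refused rather than partially served, and every access attempt (allowed or denied) is written to an audit trail so that snooping can be detected later. The role names, field names and the patient record are all constructed for the illustration.

```python
"""Minimum-necessary access to patient records: a role-based field filter
with an audit trail. Added illustration; the roles, fields and the record
below are constructed for the example, not taken from a real practice."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed job roles and the record fields each may view.
ROLE_FIELDS = {
    "front_desk": {"patient_id", "name", "phone", "appointment"},
    "billing":    {"patient_id", "name", "insurance_id", "balance"},
    "clinician":  {"patient_id", "name", "dob", "conditions",
                   "test_results", "appointment"},
}


class AccessDenied(Exception):
    """Raised when a role asks for fields outside its allow-list."""


@dataclass
class AuditLog:
    """Append-only record of who asked for what, and whether it was allowed."""
    entries: list = field(default_factory=list)

    def record(self, user, role, patient_id, fields, allowed):
        self.entries.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "user": user, "role": role, "patient_id": patient_id,
            "fields": sorted(fields), "allowed": allowed,
        })


def view_record(record, user, role, requested, audit):
    """Return only the requested fields, and only if the role may see all of them.

    An over-broad request is refused outright (and logged) instead of being
    silently trimmed, so attempts to read beyond one's role stand out in the
    audit trail."""
    permitted = ROLE_FIELDS.get(role)
    if permitted is None:
        audit.record(user, role, record["patient_id"], requested, False)
        raise AccessDenied(f"unknown role {role!r}")
    over = set(requested) - permitted
    if over:
        audit.record(user, role, record["patient_id"], requested, False)
        raise AccessDenied(f"role {role!r} may not view {sorted(over)}")
    audit.record(user, role, record["patient_id"], requested, True)
    return {k: record[k] for k in requested if k in record}


# Constructed sample record; not real patient data.
SAMPLE_RECORD = {
    "patient_id": "P-0001", "name": "Jane Example", "dob": "1980-01-01",
    "phone": "555-0100", "insurance_id": "INS-EXAMPLE", "balance": 120.00,
    "conditions": ["example condition"], "test_results": ["example result"],
    "appointment": "2024-01-15 09:00",
}


def demo():
    """Front-desk user views scheduling data, then is refused test results."""
    audit = AuditLog()
    allowed = view_record(SAMPLE_RECORD, "alice", "front_desk",
                          ["name", "appointment"], audit)
    try:
        view_record(SAMPLE_RECORD, "alice", "front_desk",
                    ["name", "test_results"], audit)
        denied = False
    except AccessDenied:
        denied = True
    return allowed, denied, audit


if __name__ == "__main__":
    shown, was_denied, log = demo()
    print("front desk saw:", shown)
    print("clinical request denied:", was_denied)
    for entry in log.entries:
        print(entry)
```

In a real system the allow-lists would live in the practice's access-control configuration and the audit entries would go to tamper-resistant storage, but the shape is the same: decide per role, refuse rather than trim, and keep the log of denials, since a pattern of denied requests from one account is exactly the kind of signal a periodic risk assessment should review.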
Any business is susceptible to a cyberattack, but healthcare organizations are particularly vulnerable. While patient care should be your primary focus, don’t neglect your network security. Protecting patient information will help you care for them in the best possible way. If you need guidance, your trusted IT partner can help you.