January 11, 2019
Recently, a long time client called to tell us that their data had been hacked by cyber criminals. Just a week after experiencing a system crash, the IT staff had been running a series of checks when they found that they could no longer log in to the network. The message on the screen read: We have your data and will be contacting you regarding the ransom. The rest of the message was written in Russian.
File this story under “scary but true,” but truth be told, 2017 was the worst year ever for cybersecurity incidents, according to the Online Trust Alliance’s 2018 Cyber Incident & Breach Trends Report. The number of reported breaches was nearly double the number in 2016, and 24% of those were in healthcare.
Is your practice prepared against a cyber attack like the one that is holding our client’s data hostage?
We talked to healthcare attorney and privacy and security expert Michael J. Sacopulos, JD, author of Tweets, Likes, and Liabilities, for his tips on preparing your practice for cyber crime.
1. Develop a cyber security policy.
The three most common cyber weak spots in healthcare are:
lack of written policies and procedures
insufficient training, and
lack of a risk analysis.
That is according to cybersecurity expert James Scott. “All three are preventable, and all of them start with a policy,” Sacopulos says, adding that the policy should include things like an information system activity review – an assessment of who has access to which data and systems, and why – password management, business associate agreements, system updates, security incident procedures, and the contingency plan for how to respond to a breach.
“If you don’t have a policy, put it on your 2019 to-do list,” advises Sacopulos. “Without one, you are exposing the practice to big risks, from data breach to identity theft to reputational harm.”
2. Conduct a risk analysis every year.
“This is a requirement under HIPAA security policy requirements, but many practices don’t do it,” Sacopulos says. “A risk analysis is an essential exercise for determining where you are exposed and where training is needed.” Sacopulos advises engaging a third party for the analysis because “using your IT team or consultant is like letting the fox guard the hen house.”
3. Conduct ongoing awareness training to spot phishing emails.
An employee opening a suspicious email is far and away the most common way cyber criminals get into a network. “You can’t train people one time on this issue,” Sacopulos warns. “We all can get distracted and overlook certain suspicious things in an email. Talk with your team in at least every other staff meeting about how to identify and handle suspicious emails. Keep employees and physicians aware and vigilant.” You can also have your IT staff run tests to see how many employees open fake phishing emails.
4. Use strong passwords and don’t share them.
Insist that everyone be issued a unique password, and that it uses a mix of characters, capital letters, and numbers. Good passwords are words not found in the dictionary, and not an employee’s dog or child’s name.
Sacopulos reminds practices to keep passwords protected. “I’m still amazed how many passwords I see written on Post-It Notes and stuck to computer monitors in the practices I visit.”
5. Buy cyber insurance.
“I can’t stress the importance of this one enough,” Sacopulos says. This policy covers cyber risk and the costs associated with a breach, which could run you tens or hundreds of thousands. Purchase a policy in 2019 if you don’t have one.
Thankfully, our hacked client did. And, “KZA has a cyber insurance policy too,” shares Karen Zupko, adding that these days, if you want to do business with any kind of larger organization, you’ll be required to have such coverage.