Why You Need Strong Cybersecurity—Even If You Can’t Afford an IT Department

Updated on September 25, 2018

By Oliver Dehning

You’re looking for a company to replace that worn-down carpeting in the waiting room of your small private practice. You send a few emails, get a response and a quote inside of a PDF and double-click to open it.

Just like that, every computer in the office is hit with ransomware.

With the modern world’s reliance on technology, everything comes to a standstill. Fifteen computers are locked down as backup files are restored. When the office reopens three days later, thousands of dollars in canceled appointments are lost – as is patient trust.

That scenario is rare, but not rare enough in healthcare, which was the industry most affected by data breaches in 2017 – the majority of its 328 disclosed breaches coming by hacking or malware attacks. This is despite HIPAA regulations that require strong cybersecurity measures, as well as the millions spent in IT costs by providers and other groups that possess patients’ delicate health information.

Large health care providers, while not invulnerable, have the resources for top-tier infrastructure and entire departments dedicated to security. That’s often not a luxury for their small- and medium-sized counterparts, but it’s not hopeless, either. The following guide offers tips to a more secure office.

Understand what’s at stake

Cybercriminals see the healthcare industry, among the largest sectors in the U.S. economy, as ripe for hacking because of its size. Communication between providers, insurers and patients is vital, and supply chains are massive, meaning there are plenty of places for a piece of malware to hide. Hackers can send an email to 10,000 different accounts, and only one needs to be opened to create a window for a criminal to climb through and steal data.

A Brookings Institution study found that hackers find healthcare data more valuable because it contains personal information such as social security numbers and home addresses. Records are also stored for many years, making a breach more likely and impactful.

Breaches are increasingly causing a financial burden in the industry, as well. In 2017, the estimated cost of all disclosed breaches was $1.2 billion. According to the Brookings study, remediation costs and cyberattacks targeting hospitals’ core businesses are fueling the increase. HIPAA regulations also mandate steep financial penalties for security violations, with some fines for repeat violations as much as $1.5 million. These costs may not hurt the bottom line of a larger provider, but they can be a major setback for a small- to medium-sized business.

Understand your obligations

HIPAA’s role in requiring patient privacy goes back to its implementation in 1996, but modifications since then have gone further to address how personal information is shared electronically, particularly through the Health Information Technology for Economic and Clinical Health Act (HITECH Act).

The rules apply to any health plan, clearinghouse or provider that handles patient data and require that safeguards be implemented. While the laws describe instances in which information can be confidentially shared and demand standards for email encryption, the specifics of how this is done are largely up to the companies handling the information.

The Department of Health and Human Services publishes a FAQ on HIPAA’s Security Rule, as well as guidance on topics related to smaller providers and businesses.

Understand your options

That small office we discussed earlier had an issue that went beyond poor flooring, but a business of that size isn’t going to be hiring a full IT department anytime soon. It doesn’t need to, either.

No matter the size of your office, as long as you’re handling personal health information, you’ll need a professional email hosting service. Gmail or Yahoo won’t cut it. Fortunately, these professional services aren’t very costly, and they’ll more than make up for their cost in the protection they provide.

You can go further, though.

Not long ago, cloud technologies were a niche, but they’ve since gained acceptance and are now found in many industries. They save time and administrative costs, making them ideal for small- and medium-sized businesses. For email security, there is little to maintain – the onus is on the company providing the service. Encrypted online storage, archiving, spam and virus filters and advanced threat protection all build comprehensive barriers that help you avoid becoming a part of a not-so-flattering statistic in the healthcare industry.

Big or small, cybersecurity is as important as the cleanliness of a clinic, but it’s not out of grasp on any budget. And once that’s out of the way, you can get to work on that carpeting.

Oliver Dehning is the CEO for Hornetsecurity’s U.S. operations, based in Pittsburgh. Since 1998, he has worked in various management positions at IT companies and has performed scientific research in the field of pattern recognition.
