Learn how to help protect patients and their data during critical times.
It’s time for a patient’s medication. A nurse wants to double check the dosage before administering it to the patient. She goes to open the patient’s file on the computer, but finds that she can’t. Instead, a pop-up appears on her screen. It demands that her facility pay thousands of dollars in order to access their data. She tries to close the pop-up, but another one appears.
“Cybersecurity is a patient safety issue.” – American Medical Association
While the above is an imagined scenario, it is a very real possibility in today’s reality.
The digitization of patient data is an incredible advancement to care. Providers across facilities can share and collaborate like never before. A patient’s behavioral health provider can quickly consult her records to see if there is a related issue documented by her primary care provider and vice-versa. The immediate access of information is helping the healthcare industry provide better care in a more holistic manner.
However, this advancement and convenience comes with high-stakes risks. Healthcare organizations are coveted targets for cybercriminals due to their inventory of patient data, including Social Security numbers, credit card accounts and other personal information. The average cost of a data breach for a healthcare organization is upwards of $2 million, according to the Department of Health and Human Services.
Besides the economic toll, cybercrime has very real consequences for patients. It’s worth repeating – Cybersecurity is a patient safety issue. A data breach can easily halt or delay critical care, putting patients’ lives at risk.
Even more disheartening is the knowledge that hackers use tragic events, like natural disasters and health epidemics, to their advantage. The recent global health crisis has brought to light an increase in cyberattacks. While people are distracted by current events and fearful of what will come next, hackers are ramping up their assaults. The C5 Alliance estimates that cybercriminals have increased their attacks against the healthcare sector by 150% since the pandemic began.
During times of crisis, the chaotic nature of the event can overwhelm and distract staff, but it’s important to uphold cybersecurity measures to protect both patients and their data. Here are three best practices to help keep your facility safe from a cyberattack.
1. Train employees to spot phishing emails
Email is the number one way hackers use to enter networks. Why? Because it is cheap and extremely effective. By posing as a vendor, coworker or legitimate information source, criminals trick users into clicking on harmful links or downloading malicious programs. Other phishing scams coerce victims into revealing personal information or transferring money into the hackers’ account.
While spam filters and firewalls help to reduce potential attacks, the best defense against phishing is to train employees on how to recognize and respond to a fraudulent email. There are some tell-tale signs to look for when determining if an email is legitimate or a phishing expedition.
Misspelled Domain Names
One of the tactics hackers use to fool users is to imitate legitimate domains. Recently, ZDNet reported that cybercriminals deployed phishing emails under the guise of the World Health Organization (WHO), claiming to have important updates on the global health crisis. These emails ask users to click on a link or download an attachment to receive the information, but once the user does so, bots infiltrate the user’s network and steal valuable personal information.
The WHO has issued statements asking users to verify the domain in emails claiming to be the organization, saying that it sends emails from the domain @who.int. If the sender’s domain doesn’t match @who.int exactly, it should be treated as a scam and immediately deleted.
Unfortunately, cybercriminals are masquerading as countless other organizations and individuals, so simply scrutinizing possible WHO emails won’t guarantee protection. Every sender name and domain name must be carefully vetted before taking a requested action. Hackers rely on users either ignoring or quickly reading domains without catching subtle misspellings. For example, if posing as Johns Hopkins Hospital, the domain name might read hopkinmedicine.org instead of the correct hopkinsmedicine.org.
If the identity of the sender is in doubt, it’s best to contact the organization and verify the authenticity of the email. (Note: this doesn’t mean hitting reply!)
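The “exact match” check the WHO describes, and the near-miss domains in the Johns Hopkins example, can both be automated as a first-pass filter before a human vets the message. The following is an added example, not code from the original post or from any of the organizations it mentions. It assumes a constructed allowlist of trusted sender domains (who.int and hopkinsmedicine.org, both taken from the text above) and uses Python’s standard library only; the two-edit threshold and the substring test are heuristics chosen for this illustration, and a flagged message still goes to a person for verification.

```python
from email.utils import parseaddr

# Constructed allowlist of domains the facility expects mail from.
# who.int comes from the WHO statement; hopkinsmedicine.org from the
# Johns Hopkins example in the text. A real list would be much longer.
TRUSTED_DOMAINS = {"who.int", "hopkinsmedicine.org"}


def sender_domain(from_header: str) -> str:
    """Return the lowercase domain of the real address in a From header.

    parseaddr separates the display name from the address, so a header
    such as 'World Health Organization <updates@who-int.com>' yields
    'who-int.com' regardless of what the display name claims.
    """
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: the number of single-character insertions,
    deletions or substitutions needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Classify a From header as 'trusted', 'lookalike' or 'unknown'.

    trusted   - the domain equals an allowlisted domain exactly.
    lookalike - not exact, but within two edits of a trusted domain
                (tried with and without the top-level label, so that
                'who-int.com' is compared as 'who-int' against 'who.int'),
                or a trusted domain appears inside it, as in
                'who.int.example.com'.
    unknown   - anything else, including an address that will not parse.
    """
    domain = sender_domain(from_header)
    if not domain:
        return "unknown"
    if domain in trusted:
        return "trusted"
    candidates = {domain}
    if "." in domain:
        candidates.add(domain.rsplit(".", 1)[0])  # drop the top-level label
    for good in trusted:
        if good in domain or any(edit_distance(c, good) <= 2 for c in candidates):
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample headers; none of these addresses are real mailboxes.
    for header in ("World Health Organization <updates@who.int>",
                   "WHO Updates <alerts@wh0.int>",
                   "WHO <info@who-int.com>",
                   "Johns Hopkins <records@hopkinmedicine.org>",
                   "billing@vendor-example.com"):
        print(f"{classify_sender(header):9s} {header}")
```

Only “trusted” means the domain passed the exact-match test the WHO asks for; “lookalike” is the case the text warns about, where a quick read would miss one changed or missing character, and “unknown” is simply a sender the allowlist has never heard of. Any result other than “trusted” should be verified out of band, as the paragraph above advises.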
Urgent Requests for Patient Information, Money or Gift Cards
A new employee receives an email on her phone. The email appears to be from the owner of the company and asks for her cell phone number. The employee thinks it’s strange, but viewing the email on her phone, she can’t say for sure that it isn’t her boss. She decides to go ahead and reply with her phone number. A few seconds later, she receives a text message, “I’m stuck in a meeting, and I need you to go to the nearest store and buy Amazon gift cards.”
This time, the above isn’t an imagined scenario. This actually happened to me after starting a new job earlier in my career. I was so eager to please my new employer that I was hesitant to disobey the text message. Luckily, my intuition won out and led me to ask my direct supervisor about it. From there, we were able to determine that it was in fact a scam.
Any message that makes urgent requests or uses threatening language should send a red flag to the user. Cybercriminals prey on fear, knowing that people tend to act without caution when frightened or worried.
Unexpected Attachments or Links
Sometimes a phishing email will instruct users to open attachments. Often disguised as Word documents or PDFs, these attachments install malicious software when opened.
If you weren’t expecting an attachment from the supposed source, don’t open it! Contact the sender directly – meaning in a new email or over the phone – to verify if the attachment is okay to open. This is also true for links.
2. Install Anti-virus Protection and Keep It Up to Date!
How many times have you hit “Remind Me Later” on your anti-virus software’s update prompt? Or, are you one of many who installed a free trial, but never paid for the subscription after it expired?
The problem with these two inactions is that anti-virus protection is no longer a luxury. It is a necessity for any healthcare organization.
Installing anti-virus protection and never updating it doesn’t work to protect your system. Cybercriminals constantly innovate, improving their malware and unleashing new threats. Therefore, anti-virus products must be kept up to date in order to protect against any emerging attacks.
3. Encrypt and/or De-identify Patient Data
Encrypting data means that an algorithm transforms the data into unreadable information only decipherable with the proper key or code. Encrypting ePHI (electronic protected health information) and entry points into the network helps prevent hackers from using stolen data.
De-identification is the process of removing any information from records that could reveal patients’ identities. This can include names, phone numbers, addresses, Social Security numbers, etc. De-identification is primarily a concern for healthcare facilities that conduct research.
Organizations can perform risk assessments to determine if data encryption and/or de-identification is necessary under HIPAA, but experts strongly urge organizations to err on the side of caution and always opt for encryption.
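To make the de-identification step concrete, here is an added example, not code from the original post. It takes a constructed patient record, drops the direct-identifier fields named in the text (name, phone number, address, Social Security number), scrubs the same identifiers out of free-text notes with regular expressions, and replaces the record number with a keyed hash so that a researcher can still tell which rows belong to the same patient without learning who that patient is. The keyed-hash pseudonym is a common pseudonymization technique assumed here, not something the post describes, and it is not encryption: like an encryption key, though, the HMAC key must be stored separately from the data, because whoever holds it can recompute the tokens. The field list and regexes are deliberately short; the HIPAA Safe Harbor list of identifiers is longer.

```python
import hashlib
import hmac
import re

# Patterns for direct identifiers that often leak into free-text notes.
# Constructed for this example; a production tool would cover many more
# formats (dates of birth, record numbers, street addresses) and would be
# validated against real notes before use.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
PHONE_RE = re.compile(r"(?<!\d)(?:\(\d{3}\)\s?|\d{3}[-.])\d{3}[-.]\d{4}\b")
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")

# Structured fields removed outright. The real Safe Harbor list is longer.
DIRECT_IDENTIFIER_FIELDS = ("name", "phone", "address", "ssn", "email")

# Constructed sample record; the person and contact details are fictitious.
SAMPLE_RECORD = {
    "mrn": "MRN-0001234",
    "name": "Jane Example",
    "ssn": "123-45-6789",
    "phone": "(555) 010-0199",
    "email": "jane@example.com",
    "address": "1 Example St",
    "diagnosis_code": "F41.1",
    "notes": ("Pt states SSN 123-45-6789; call (555) 010-0199 "
              "or jane@example.com to follow up."),
}


def pseudonymize(value: str, key: bytes) -> str:
    """Replace an identifier with a keyed hash (HMAC-SHA256, truncated).

    The same value with the same key always yields the same token, so
    records for one patient stay linked; without the key the original
    value cannot be recovered or recomputed.
    """
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def scrub_text(text: str) -> str:
    """Replace SSNs, phone numbers and e-mail addresses in free text with
    fixed placeholders, leaving the clinical content in place."""
    text = SSN_RE.sub("[SSN]", text)
    text = PHONE_RE.sub("[PHONE]", text)
    text = EMAIL_RE.sub("[EMAIL]", text)
    return text


def deidentify(record: dict, key: bytes) -> dict:
    """Return a de-identified copy of a patient record.

    Direct-identifier fields are dropped, the record number becomes a
    keyed pseudonym, and every remaining string field is scrubbed.
    """
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIER_FIELDS:
            continue
        if field == "mrn":
            out["patient_token"] = pseudonymize(value, key)
        elif isinstance(value, str):
            out[field] = scrub_text(value)
        else:
            out[field] = value
    return out


if __name__ == "__main__":
    # The key would normally come from a secrets store, never from the
    # dataset itself; this constant is only for the stand-alone demo.
    demo_key = b"example-pseudonym-key"
    for k, v in deidentify(SAMPLE_RECORD, demo_key).items():
        print(f"{k}: {v}")
```

Running the block shows the diagnosis code untouched while the note reads “Pt states SSN [SSN]; call [PHONE] or [EMAIL] to follow up.” and the record number has become an opaque token. Changing the key changes every token, which is exactly why the key, not the de-identified dataset, is the thing to protect.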
As a healthcare provider, the safety of your patients is your first priority. While cybersecurity might not be an obvious factor in upholding your commitment to their well-being, safeguarding patient data is nevertheless a vital responsibility for every healthcare organization.
What steps have you taken to protect your patients’ ePHI? Do you have additional tips or resources? Let us know!
Mary Carder, Integrated Marketing Specialist
The information contained in this blog post is intended for educational purposes only and is not intended to replace expert advice in connection with the topics presented. Glatfelter specifically disclaims any liability for any act or omission by any person or entity in connection with the preparation, use or implementation of plans, principles, concepts or information contained in this publication.
Glatfelter does not make any representation or warranty, expressed or implied, with respect to the results obtained by the use, adherence or implementation of the material contained in this publication. The implementation of the plans, principles, concepts or materials contained in this publication is not a guarantee that you will achieve a certain desired result. It is strongly recommended that you consult with a professional advisor, architect or other expert prior to the implementation of plans, principles, concepts or materials contained in this publication.