We hear about breaches everywhere and are warned of impending cyber harm daily. Our inboxes are filled with newsletters – like this one – about what we can do to “be better” or “be scared.” Our regulators constantly add and change compliance standards with every new law or technology. The list goes on.
PHI records go for as much as $1,000 each on the dark web, compared to $5 for credit card information and $1 for social security numbers, which makes healthcare providers some of the best targets for cybercriminals. Some authorities estimate that ransomware cost the world $20 billion in 2021. That number is expected to rise by $265 billion by 2031.
How Would You React?
You’re preparing for yet another busy week at your medical practice. You turn on your computer and immediately feel the blood drain from your face when you see the following message:
You quickly go from shock to anger. You begin to wonder how this could have happened. Your practice has contracted with the best IT firm to set up your system. Your office manager and staff have been trained at least once a year on good password management. And you occasionally attend a cybersecurity webinar … just to be sure. What now?
Are You Prepared?
The scenario above is not uncommon for medical practices of all sizes. Understanding how malware might infect a system certainly helps with mitigating the potential for a cyberattack. Walt Green, a former U.S. Attorney for the Department of Justice now focusing his practice on cybersecurity and data privacy, gives recommendations on how practices and hospitals can prepare against cybercrimes. Some highlights include:
- Multi-Factor Authentication. Confirm that on-site and remote users are authorized to be in your system by requiring two or more verification factors for access.
- Software Updates. Make sure you remain current with software updates and you know how to update your systems. Your IT service providers should be able to provide training to your staff.
- Social Engineering. 80-90% of all ransomware attacks start with some type of social engineering incident. Phishing emails are still the easiest way for an attacker to obtain access to your system. If possible, use phishing email tests to see how your workforce performs.
- Review Access Rules. Look at who has access to your computer systems and what documents they have access to.
- Test Back-Ups. Test your systems now. If you have a back-up, ask your IT team to perform a test to see if you’ll be able to recover from a cyber breach.
Other things to ask yourself:
- How will your patients be affected? If all of your computer systems are down, will you be able to provide patient care, or will you have to reschedule your appointments? Will you know who is coming into the office? What if your systems are down for more than a week? Can you provide referrals?
- Can you identify your cybersecurity response team? Having a written Cybersecurity Incident Response Plan with a designated Security Response Team will help you organize what needs to occur in the event of a security incident.
- Do you know where ALL of your data lives? Having a Written Information Security Policy will help you know how your data should be handled, what employees’ responsibilities are, and how to enforce your policies.
How Can LAMMICO Help?
Cybersecurity is a serious problem, and more LAMMICO insureds are targeted by cybercriminals each year. Most find the cyber coverage they have may not be sufficient, and others just feel violated and targeted. For those who’ve not been hit with a cyberattack, it’s easy to turn the other way. But don’t. Let us help you at least get started or maintain your cyber program.
- Access the complimentary CyberNET®. LAMMICO insureds have complimentary access to an extensive library of continually updated information, education and on-demand cybersecurity advice. Log in as a Member on lammico.com to access the TMHCC CyberNET®.
- Call our Risk Management and Patient Safety Department. We are invested in the success of your practice. If you find cybersecurity to be an intimidating subject, please don’t hesitate to call one of our risk managers at 504.841.5211 to help you get started.