By MICHAEL R. LOWE, Esq.
LoweDown on Health Law
Cyberattackers understand the value of the data held by healthcare organizations. As a result, healthcare organizations have become a prime target for attackers seeking to steal large volumes of patient records, insurance information, billing information and account information for monetary gain, which in turn leads to identity theft and fraud against patients and employees. Given that most transactions in the healthcare sector are conducted through vulnerable hardware and software, it is critical for providers and payers to strengthen their cybersecurity. With the boom of the digital era and the rapid digitization of the healthcare industry, patients' medical data has become increasingly portable. That portability has simplified the sharing and collection of data, and for the same reason it poses major cybersecurity risks.
According to an article in the Washington Post published on May 16, 2018, "Hospitals are vulnerable in part because they often rely on equipment that's built to last 15 to 20 years, meaning it runs older software that's trickier to update than, say, a typical office computer. And with so many hospital devices interconnected, it's hard to tell how an update to one will affect other equipment in the system." Legacy systems are easy targets for such cyberattacks because the security components in these older systems are not up to date and are therefore vulnerable to today's sophisticated methods used by cybercriminals. Cyberattacks can affect not only computers, but also the devices connected to them, including medical devices that can be manipulated to function differently than intended. Mobile devices, including laptop computers, handhelds, smart phones and portable storage media, have opened a world of opportunities to un-tether Electronic Health Records from the desktop. But these opportunities also present threats to information security and privacy. Transporting data on mobile devices is inherently risky, and all data stored on a mobile device should be encrypted.
In its quarterly threat report unveiled May 22, 2018, cybersecurity company Rapid7 found that the healthcare sector experienced a surge in cyberattacks during the first quarter of 2018 -- so many that it ranked as the top-targeted industry in the first three months of the year.
Around 1.13 million patient records were compromised in 110 healthcare data breaches in the first quarter of 2018, according to data released May 3 in the Protenus Breach Barometer. Healthcare organizations accumulate risk that compounds over time when proper detection, reporting and education do not occur, according to Protenus. The Breach Barometer found that it takes healthcare organizations an average of 244 days to detect a breach once it has occurred.
A solo practitioner is just as susceptible as a conglomerate hospital organization. Cybercriminals will infiltrate wherever there are vulnerabilities that can be exploited and/or penetrated. Human error, including falling for phishing attacks, is one of the leading causes of security breaches. Ensure that your staff and all personnel are trained properly on security, encryption, and how to detect cyberattacks, including phishing, virus attacks and ransomware. When everyone is well-educated, taught to recognize the warning signs of cyber-risks, and knows what they can do to stop or thwart cyberattacks, we can limit the damaging effects of cybercrime.
Cyberliability coverage is a key component in ensuring that your practice and license are protected. Do you have cyber insurance? If you do, do you know what your limits of coverage are? Do you have coverage for legal representation if you do have a security event or breach?
Healthcare providers should always use strong encryption programs for all patient data and protected health information, and limit who has permission to access medical charts. Healthcare facilities and systems should use multifactor authentication or other types of consumer security that are already utilized in the U.S. financial services arena. Ensure that your anti-virus software is maintained and kept up to date with regular updates in order to protect against the newest computer viruses and malware. Without anti-virus software to combat infections, data may be stolen, destroyed or defaced, and attackers could take control of the machine. Even a computer that has all of the latest security updates to its operating system and applications may still be at risk because of previously undetected flaws. While anti-virus software helps to find and destroy malicious software that has already entered the system, a firewall's job is to prevent intruders from entering in the first place. Large practices that use a local area network (LAN) should consider a hardware firewall. A hardware firewall sits between the LAN and the internet, providing centralized management of firewall settings. This increases the security of the LAN, since it ensures that the firewall settings are uniform for all users.
Sooner or later, the unexpected will happen. Have your Breach Notification Policy and your Disaster Recovery and Response Plan in place before it happens. Be prepared: set up your Policies, Procedures, forms and security checklists now. Have a comprehensive set of Policies and Procedures, be aware of all the rules, and apply them to areas like Harm Threshold Analysis, how to determine unsecured vs. secured PHI, and who needs to be notified when an event or breach occurs. Remember that Business Associates (BAs) have to report Privacy Events or Breaches to Covered Entities (CEs) as soon as possible, and the CEs and BAs must coordinate the notification. When preparing your Policies, Procedures and forms, enlist a qualified security firm and have qualified healthcare counsel advise you and walk you through the process to ensure you are compliant. Have a Security Assessment done to identify any areas that need to be reviewed, updated and addressed.
The Healthcare Team at Lowe & Evander, P.A. understands the hard work and sacrifices it takes to become a health professional or provider, and aggressively defends health professionals in protecting their license, practice, career, assets and reputation. Using our experience and expertise, we navigate the obstacles our clients face, serving not only as their attorneys, but also as their legal strategists, trusted advisors and protectors of their rights and interests against government investigations and lawsuits when necessary, and we help chart a course through the maze of state and federal health care laws, rules and regulations.
Michael R. Lowe, Esquire is a Florida board-certified health law attorney at Lowe & Evander, P.A. Brian C. Evander, Esquire and Mr. Lowe regularly represent providers, physicians and other licensed health care professionals, and facilities in a wide variety of health care law matters.
For more information regarding these and other health care law matters, please visit our website at https://www.lowehealthlaw.com/ or call our office at (407) 332-6353.