
How to Secure Your Practice Against the Current Heightened Risk of Cyber Attacks

By Peter J. Cass, OD

March 16, 2022

With the potential for a power like Russia to shut down electrical grids and other utilities, and possibly hack into popular website-hosting platforms, now is the time to think about IT security and double-check that your staff is up to date on internet security protocols.

The Most Likely Threat
The most likely attack on a provider will come from ransomware, which amounts to an electronic kidnapping of your computer or network. It is a type of malicious software that infects a computer and locks the user out of their data, or threatens to publish the victim’s data, unless a ransom is paid. The malware does this by encrypting the victim’s files, making them inaccessible, and then demanding a ransom payment to decrypt them.

The ransomware then tries to spread itself across the victim’s network. The hackers who deployed the ransomware typically demand payment for each of the victim’s affected computers before agreeing to restore the victim’s access to their data.

What Can I Do to Prevent a Cyber Attack?
The Cybersecurity & Infrastructure Security Agency (CISA) recommends the following good security habits to protect users against cyber-attacks:

  • Use strong passwords that are unique for each device or account. (Longer passwords are more secure.)
  • Consider using a password manager.
  • Use multi-factor authentication, if available.
  • Use security questions properly.
  • Create unique accounts for each user per device. This precaution reduces the impact of poor choices, such as clicking on phishing e-mails or visiting malicious websites.
  • Choose secure networks. Public networks are not secure, which makes it easy for others to intercept your data. Always use private, secure networks when available.
  • Keep all of your personal electronic device software current.
  • Be suspicious of unexpected e-mails. Phishing e-mails are currently one of the most prevalent risks to the average user.

Doctors should meet with staff and discuss cyber security and especially ransomware. Staff needs to understand the risks. The staff meeting should cover all of the CISA good security habits mentioned above. This information could even be printed directly from the website and reviewed in the meeting.

What Do I Do If My Practice Is a Victim of a Cyber Attack?
Doctors should immediately activate their security incident response plan, which should include measures to isolate the affected computer systems in order to stop the attack. This plan should be put in place beforehand as part of a full HIPAA compliance program. The Department of Health and Human Services recommends also contacting the local FBI or United States Secret Service field office as they can pursue cyber-criminals globally and can often assist victims of cyber-crime.

Once the cyber attack and/or ransomware is detected, doctors should:
  • Determine the scope of the incident to identify what networks, systems or applications are affected.
  • Determine the origination of the incident (who/what/where/when).
  • Determine whether the incident is finished, is ongoing or has spread through their network.
  • Determine how the incident occurred (e.g., tools and attack methods used, vulnerabilities exploited).

After getting a better understanding of the effects of the attack, the next steps should include:
  • Contain the affected systems and stop the spread of the attack.
  • Eradicate the instances of ransomware and mitigate or remediate the vulnerabilities that allowed the cyber-attack.
  • Restore data lost during the attack so that the business can return to normal operations.

It is also extremely important to assess whether there was a breach of Protected Health Information (PHI) as a result of the security incident. The presence of any malware is a security incident under HIPAA that may also result in an impermissible disclosure of PHI in violation of the Privacy Rule.

What Obligations Do I Have to My Patients & Practice Following a Cyber Attack?
Unless the covered entity or business associate can demonstrate that there is a “…low probability that the PHI has been compromised,” based on the factors set forth by HHS, a breach of PHI is presumed to have occurred. The office must then notify affected individuals, the Secretary of HHS and the media (for breaches affecting over 500 individuals). For more information on this, see 45 C.F.R. 164.400-414.

How Much Will a Cyber Attack Cost Me?
The legal implications of cyber-attacks are still up for debate, and there is no simple answer to the question of how cyber-attack victims can, or should, deal with an attack. But practices could have significant costs related to:

  • Paying regulatory fines and penalties.
  • Loss of income from downtime or patients who leave the practice.
  • Hiring information technology (IT) experts to find and fix the breach.
  • Hiring a call center to handle inquiries from patients.
  • Hiring a public relations firm to deal with bad publicity.
  • Hiring attorneys to represent the practice.
  • Paying a ransom to free hijacked data.

How Do I Prevent a Cyber Attack from Happening?

  • Education – All staff members must be educated about the risks of cyber-attacks, ransomware, e-mail and social media.
  • Perform a security risk analysis – The practice must conduct and document a Security Risk Analysis as part of HIPAA compliance.
  • Utilize secure electronic communications with patients such as EHR portals, secure messaging or encrypted e-mails.
  • Keep up-to-date backups – Real-time cloud-based backup is best.
  • Restrict users’ permissions to install and run software applications.
  • Enable strong spam filters to prevent phishing e-mails.
  • Keep antivirus software installed and up to date on all computers.
  • Scan all incoming and outgoing e-mails to detect threats and filter executable files from reaching end users.
  • Configure firewalls to block access to known malicious IP addresses.
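The item above about scanning e-mail and filtering executable files is the one control on this list that an IT person can implement in a few lines. The following Python example is added here to show what such a filter actually checks; it is not code from the article, from CISA, or from any vendor named on this page. It assumes a mail filter receives the raw message bytes before delivery, uses only the standard-library `email` package, and works on a constructed sample message. The blocked-extension list is illustrative, not an authoritative standard, and the filter catches two common tricks: a double extension such as `invoice.pdf.exe`, and an executable renamed to look like a PDF (detected by its leading bytes rather than its name).

```python
import email
from email import policy
from email.message import EmailMessage

# Illustrative list of attachment extensions that should not reach an end user.
# Assumption: extend or trim this to the practice's own policy.
BLOCKED_EXTENSIONS = (
    ".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1",
    ".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta", ".msi", ".jar",
)

# Leading bytes of common executable formats, so a renamed file is still caught.
EXECUTABLE_MAGIC = (
    (b"MZ", "Windows PE executable"),
    (b"\x7fELF", "ELF executable"),
)


def classify_attachment(filename, payload):
    """Return a reason string if the attachment should be filtered, else None."""
    name = (filename or "").lower()
    # A double extension such as "invoice.pdf.exe" still ends in the real one.
    for ext in BLOCKED_EXTENSIONS:
        if name.endswith(ext):
            return f"blocked extension {ext}"
    # Check the content itself, independent of whatever name it was given.
    for magic, description in EXECUTABLE_MAGIC:
        if payload.startswith(magic):
            return f"content is a {description} despite name {filename!r}"
    return None


def scan_message(raw_bytes):
    """Return a list of (filename, reason) for every attachment that should be filtered."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), payload)
        if reason:
            findings.append((part.get_filename(), reason))
    return findings


def strip_blocked_attachments(raw_bytes):
    """Replace each blocked attachment with a plain-text notice.

    Returns (cleaned message bytes, list of (filename, reason) removed), so the
    user still sees that something was taken out and the filter keeps a record.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    removed = []
    for part in list(msg.iter_attachments()):
        payload = part.get_payload(decode=True) or b""
        reason = classify_attachment(part.get_filename(), payload)
        if reason:
            removed.append((part.get_filename(), reason))
            part.set_content(f"[Attachment removed by mail filter: {reason}]")
    return msg.as_bytes(), removed


def build_sample_message():
    """Constructed sample message (not a real capture): one benign PDF, one
    double-extension executable, and one executable disguised as a PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.test"
    msg["To"] = "frontdesk@example.test"
    msg["Subject"] = "Statement attached"
    msg.set_content("Please see the attached statement.")
    msg.add_attachment(b"%PDF-1.4\n%constructed sample\n",
                       maintype="application", subtype="pdf",
                       filename="statement.pdf")
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60   # constructed PE-like header only
    msg.add_attachment(fake_exe, maintype="application",
                       subtype="octet-stream", filename="invoice.pdf.exe")
    msg.add_attachment(fake_exe, maintype="application", subtype="pdf",
                       filename="report.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample_message()
    for filename, reason in scan_message(raw):
        print(f"FILTER {filename}: {reason}")
    cleaned, removed = strip_blocked_attachments(raw)
    print(f"removed {len(removed)} attachment(s); re-scan finds {len(scan_message(cleaned))}")
```

Run as a script, it reports the two offending attachments and shows that the cleaned message passes a second scan while the legitimate PDF is untouched. Checking the first bytes of the content, not only the name, is the part that matters: a spam filter that trusts the `.pdf` suffix would have delivered `report.pdf`.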

Get Outside Help
There are companies, such as KnowBe4, that will test the training of your staff by sending fake phishing e-mails to see how your staff handles them. You can get protection from some of the financial fallout from cyber attacks by getting insured. The American Optometric Association offers such insurance.

Peter J. Cass, OD, is a partner in Practice Compliance Solutions, a faculty member for the University of Houston College of Optometry, an associate at MyEyeDr. Beaumont and past-president of the Texas Optometric Association. To contact: peter@PCScomply.com
