As my team and I talk to different medical practices, we are amazed how many of them are oblivious to HIPAA regulations and just how vulnerable they are to a cyber-attack. Like HIPAA, hackers don’t take ignorance as an excuse.
9 Reasons Why Small Medical Practices are Most Vulnerable to a Cyber-Attack
- Lack Concern of Cyber-Attack Threat – Most small businesses, including medical practices, think they’re too small to be a target to hackers. Unfortunately, medical data is a prize most hackers want to get their hands on and they will specifically target small medical practices expecting to find little to no cybersecurity in place. Also, hackers can use bots that crawl the internet looking for “open windows” into networks; if they stumble on a medical practice, they could be in for a big payday.
- Not Treating Hard Drives Like Gold – Many companies throw away old computers, including their hard drives. (See What to Do with Old Computer Equipment for more info on how to responsibly dispose of your hardware.) Medical data goes for $355 per record on the Black Market, so a hard drive with 1,000 patient records is a nice $355,000 score for a criminal. Medical practices must protect hard drives like gold. Once a hard drive is decommissioned, it should be shredded.
- Using Universal Passwords – You know small doctor practices love to use a universal password for every login. This method is wrought with problems for three reasons. First, employees probably scream it across the office where patients can hear, “Try password with the @ and $ signs.” Secondly, if an employee leaves, they can still get access to nearly every system and computer. Finally, it makes it easier for a hacker to get into everything because universal passwords are rarely changed.
- Lack Cybersecurity Expertise – Even if a practice regularly uses an “IT Guy”, that single person can’t know everything about technology and usually he is so busy putting out fires and crawling under desks to fix things, he can’t keep up his own knowledge especially when it comes to modern cybersecurity best practices. A good IT firm should be large enough to take care of your day-to-day needs and proactively secure your network. A great IT firm will have specialists on staff to advise you on how to best protect your practice and to comply with HIPAA regulations.
- Don’t Understand Cybersecurity, So They Ignore It – Out of sight, out of mind doesn’t work with cybersecurity. HIPAA's regulations are there to protect your patients' data from a breach, including a cyber-attack. You can't ignore cybersecurity because HIPAA is the law and you have a lot at stake -- your data, your money (negligence is a finable offense), and your reputation.
- Think Cybersecurity Costs Millions – If you’re running a huge hospital with dozens of locations, you probably have a team of cybersecurity experts on staff, which cost a lot of money, but you have more risk. For most doctor practices, cybersecurity is affordable and much cheaper than a data breach because HIPAA alone can assess $50,000 penalties per incident. Besides the fines, the damage to your reputation may be irreversible. In fact, 54% of patients are likely to change providers following a data breach. [Source: HIT] Can you afford to lose half of your practice?
- No Employee Policies Safeguarding Data – One of the biggest issues small medical practices face is not having any employee policies regarding security. Simple FREE things, like password protecting every workstation and mobile device that has access to PHI [Protected Health Information] is vital. Even if there are some policies in place, most medical practices do not enforce them, thus making the policies useless.
- Don’t Perform Periodic Risk Assessments – HIPAA and the Meaningful Use tax credits, which many doctors used to digitize their medical records, require a periodic assessment (usually annually for small doctor practices). These assessments provide a baseline for your network security, suggestions on what to improve, and proof of what you’ve already implemented. When it comes to HIPAA, you are required to have a plan describing how you are improving your PHI security, so you need to document everything.
- Giving Patient’s Access to Wi-Fi – In today’s world, you can find free Wi-Fi nearly everywhere, but you don’t want your patients on your practice’s primary internet connection. Instead, hide the network your employees use and require a password to access it. Then, set up a second Wi-Fi connection on your redundant internet connection to prevent hackers from easily gaining access to your patient records. Separating the connections also ensures your patients are not slowing down your team’s productivity.
Now this information may sound like a lot, but a good IT firm can help you overcome each of these matters and it all starts by educating yourself on your responsibilities as stewards of PHI. If your IT support team doesn’t understand their role in protecting your data and HIPAA regulations, we suggest working with a different IT team.
If you’re unsure if you have the right IT team, ask yourself If Your IT Firm Asked You to Sign a BAA?