CYBERSECURITY: Implementing Basic Safeguards At Your Practice
September 22, 2017 | Featured Articles
I worked with a physician for many years who was infamous for taking medical charts home for dictation. I can’t help but think that he was prophetic way back in 2001 when he insisted that the safest place for patient charts was . . . locked in the trunk of his car.
Due to the enormous amounts of information being housed and transmitted electronically, and the continual sharing of patient health information in the name of providing better care, patient data has become more vulnerable than ever. Balancing patient privacy against the need to provide quality care (which is theoretically optimized by sharing patient data amongst all of a patient’s healthcare providers) has become the ultimate juggling act. Your practice is responsible for keeping patient information safe under these conditions—both health and financial information—and for protecting the practice’s liability.
My daughter may accuse me of being a geek, however I am anything but a cybersecurity guru. Rather, I am the administrator of a private GI practice in Richmond, Virginia, working 50-55 hours a week and still not finding enough time to get everything done. When it comes to data security, I have neither unlimited time nor budget to batten down the hatches and keep data secure. I have no doubt that others share this reality—struggling with the limits of time to learn comprehensively about cybersecurity, and the limits of budget to pay for an expert, yet somehow needing to meet the challenge of cybersecurity head-on in a practical, affordable and functional way.
Here is what I have learned. There are some simple, yet necessary steps that we all can take in order to enhance cybersecurity. And if your practice has already instituted these steps? Review them again, and again, continually updating and adjusting your security protocols to minimize as much risk as possible, and to account for changes and updates that may have occurred in the interim.
Passwords
If there is one point I want to stress, it is to establish and enforce a rigid password policy. The most basic protection is the one I see abused most often, yet it is understandable why this is the case. We need passwords for everything. Heck, even a mere bureaucrat like me has 64 different programs and log-ins that require passwords…and that is just for the work side of my life. But remember, passwords are there for our protection, not just to annoy us and challenge our memory.
Ensure that everyone in your organization follows these six guidelines in order to use passwords appropriately:
- Do not use the same password for all programs. It’s like having a single key that fits all of your cars, all of your offices, your home, and your safety deposit box. If one person gets a copy of the key, they have access to everything you cherish. Use a distinct password for every program.
- Do not use simple passwords based upon personal information. Far too many folks use the names of their kids or pets followed by ‘1234’, or something similar.
- Size matters: longer passwords are better. The experts recommend passwords of at least eight characters that include a combination of upper and lower case letters, numbers, and special characters like ‘^’ or ‘&’.
- Passwords should be changed approximately every 90 days. Our practice management system and EHR require passwords be changed every 90 days. If yours do not, ask your vendor to flip the switch that activates this security measure.
- Do not leave your passwords written on a piece of paper on your desk or anywhere else that may be easy to find. Instead, consider using a password-protected spreadsheet on a secure device to retain your passwords.
- Do not share your passwords with anyone. If you do need to – for whatever reason – make sure to change them immediately after use, or if used in an on-going fashion, absolutely change them if that person leaves the practice or becomes disgruntled (be sure to deactivate or delete the former employee’s password and user accounts).
- Do not use similar passwords for personal and business activities, and keep personal and work passwords stored in different locations too.
Make sure all of your employees and fellow providers follow these same password guidelines. A chain link fence is only as strong as its weakest link.
To highlight, notice how long it takes for one open software hacking program to crack passwords:
# of characters in password |
Time to crack a password of lower case alpha characters |
Time to crack a password with upper/lower cases and numbers |
Time to crack a password with upper/lower cases, numbers, and special characters |
6 |
1 second |
2.7 minutes |
25.0 minutes |
8 |
9.8 minutes |
171.3 hours |
3,377.8 hours |
10 |
110.8 hours |
6,585.8 hours |
27,360.2 hours |
*John the Ripper password cracker
The more complex the password, the more difficult it becomes to crack. Establish a rigid password policy now and enforce it. That’s your first line of defense, and it doesn’t cost a thing.
Redundancy
Regardless of where your data is housed–stored in the cloud or on hardware in-house–make data back-up a priority. We keep our data on in-house servers and back up our data nightly to separate servers. This automated process adds a level of security in the event of a ransomware attack, resulting in the only loss being 24 hours worth of data in the event of an attack. Backing up frequently ensures your data loss is minimized in the event of a breach or catastrophic event.
Restricted Access
Determine which computers and data each employee needs access to, and restrict their access to only those applications and data levels that are determined to be necessary to that employee carrying out their work. Deactivate any employee or provider who leaves your practice, immediately upon their leaving. Badges, user ids, keys, and the like: you want to eliminate all physical and electronic options for an ex-employee to access protected health information.
Layers Offer Protection
Our patient data resides behind multiple firewalls on three servers. Multiple layers such as firewalls, password protections on servers, restricted physical access and so on, are a very good idea and offer much more security than a single firewall.
Adding extra firewalls does not have to be very expensive either, from both an equipment or installation standpoint, and in our practice this has not had a noticeable impact on the speed of our network either. We use Drayteks, which range in cost from $200-$700 and contain multiple layers of protection within a single unit. This pricing includes all licensing, whereas other manufacturers like Sonic and Cisco do not include licensing in their base prices. The other reason we use Drayteks is their internal bandwidth–they do not impact the speed of our network, compared to other previous firewalls that had a clear detrimental impact on speed.
Security Risk Assessment
All practices are required under HIPAA regulations to conduct a risk assessment. You can find an excellent tool for identifying risk vulnerabilities here: https://www.healthit.gov/providers-professionals/security-risk-assessment-tool
The Security Risk Assessment may sound like a pain, but it’s a good exercise to conduct. You don’t need to go through the whole program at one time; the tool saves your progress so that you can complete the process as needed over a period of time. And having a few folks on your team (doctor, office manager, etc.) go through it together is an effective way to complete the assessment and learn more about your infrastructure across the team.
Penetration Testing
We have a ‘white hat’ (a cybersecurity expert) attempt to break into our systems to expose vulnerabilities and attempt data access twice a year. This exercise is known as ‘penetration testing’. The cost of the initial penetration test was several thousand dollars for our practice, but we considered it a necessary cost of doing business in order to keep patient data safe then and now.
One of the most enlightening findings of our penetration testing has been ensuring that back doors that vendors use to update our system are relocked. If these ports remain open, your vulnerability increases exponentially. Whenever a vendor uses an electronic back door, make sure they close it.
Cloudy with a Chance of Pain
Many experts say the cloud is the safest place to be, but we have chosen to keep our patient data on physical servers in-house. Luddites we may seem to be, but it works well for us. Physical safeguards—locked doors, restricted access, excellent surge protection, and a $24/month agreement with a local alarm company–are in place. Servers have become surprisingly affordable, too. We use refurbished Dell servers, which cost about 1/10th the price of new Dell servers. A fully decked-out refurbished Dell server cost us $2,000-$3,000.
Storage in the cloud, however, has its place, and it is where the health industry (and everyone else!) are going. The patient data that we share with other practices and health systems of course ends up in the cloud, stored in their EHRs. If you are cloud-based or considering going to the cloud, check with your vendor to make sure they meet industry standards (‘ISO 27018’ is the security standard recommended by many experts).
Recommended Resource
The web is full of guides for making your practice more secure. My favorite, for its brevity and straightforwardness, was developed by the government to help practices like ours: https://www.healthit.gov/sites/default/files/Top_10_Tips_for_Cybersecurity.pdf
Insurance for the Cyber-Age
Regardless of the steps taken to combat a breach of health or patient financial data, insuring your practice in the event of a breach is a wise move and is quickly being considered part of any practice’s standard menu of policies to have in place. Data breaches, asset protection, and even cyber-extortion policies can be put in place to augment your security plan and provide a financial buffer to aid in awarding compensation and in recovery—a resource that you will hopefully never. Ask your insurance provider to provide a proposal, with a full detailing of exactly what is being covered and an explanation of cybersecurity terms, as this may be new ‘jargon’ for you. In addition, be sure to compare proposals from at least two or three providers to ensure you are getting the right coverage and the best cost.
Following Through
It is easy to get discouraged, or intimidated, and just do nothing. After all, the FBI, the CIA, and the NSA have all been hacked at some point or another. And if cybercrooks can hack into Equifax (resulting in 143 million Americans impacted, about 44% of the U.S. population) or Anthem (resulting in 79 million people’s information being impacted, nearly 1 in 4 Americans), it seems that there’s only so much we can do to protect our practices.
Yet, we need to do what we can, for both our patients and our practices. They place their trust in us, and we have an obligation to be prudent in protecting their data. We also need to protect our bottom lines. Thinking about the practice’s financial security is not callous or indifferent—it’s necessary and pragmatic in order to continue delivering patient care. The Equifax hack resulted in a 50% drop in their stock prices—can your practice withstand a large financial hit? Investing in data security is insurance on your bottom line.
The recommendations discussed here can be implemented by most practices without a large investment of time or money, and should be executed immediately if your practice has not already done so. Schedule routine analysis, maintenance and updates to your security plan, and dedicate the needed resources to keep pace with the ever-growing needs of cybersecurity in your medical practice.