Practitioners face cyberattack vulnerabilities, need to put up best defense
Between 2009 and 2021, 4,419 healthcare data breaches of 500 or more records have been reported to the Health and Human Services Office for Civil Rights, according to a report in HIPAA Journal. While the report does reveal which types of providers were attached, it’s safe to assume that a fair share of integrated care professionals was affected, as many practices have reported data theft incidents in recent times.
Perhaps what’s more troubling is the fact that integrative care practitioners need to pay particularly close attention to data security matters, as they are especially vulnerable, according to David Finn, CISA, CISM, CRISC, CDPSE, vice president, College of Health Information Management Executives in Ann Arbor, Michigan.
To start, many integrative care professionals own their businesses and that means that cybersecurity issues fall directly on their shoulders, as they can’t rely on the information technology departments that are typically available in larger organizations.
“As big health systems with more resources and staff focused on IT and security become harder targets to hack, the bad guys will look for the organizations they connect to in order to find easier ways in or get similar data,” Finn said.
What’s more while many integrative practitioners do not accept health insurance, they are still likely to
collect digital payment information, health-related information, e-mail addresses, physical addresses, phone number and various other data.
“And, when you put all that in one place with less than adequate security and you are now a target,” Finn noted.
Joe Betz, International Chiropractors Association vice resident and research committee chair at the International Chiropractors Association in Falls Church, Virginia, and owner and clinical director of Modern Chiropractor Center in Boise, Idaho, said that he feels quite a bit of pressure to protect his practice’s data from cyberattacks.
“As is the case with most practicing chiropractors, I also own and run my own business,” Betz said. “So not only do I have to take care of my patients and always stay focused on providing the best care possible, but I also have to be concerned with protecting patient’s private health information and data security.”
In addition, while many integrative practices work with electronic health records that meet security requirements as dictated by the federal government, some do not. As such, these integrative providers need to make sure that their recordkeeping software programs protect patient and client data.
However, while it is important to work with software systems that have such security features, the fact of the matter is that there is more risk in other electronic communications.
“Ironically, while the intent [of the government’s security requirements] was to secure the data in the [electronic health record (EHR)], that is not historically where the data has been leaking from,” Finn said. “It comes out in emails, spreadsheets, electronic attachments to emails, and a multitude of other ways including lost laptops and cell phones.”
In the new world of “health hyperconnectivity,” which is impacting all providers or every type and size, Finn said it will be the application programming interfaces (APIs) or data feeds between wellness apps, providers, payment platforms and on and on. Once you put an app on your phone, for instance, not only the app that you want to connect to is getting that data but sometimes ten or more other sites or applications are also getting that data, he said.
Betz also said risk exists outside of the electronic record, and the influx of electronic communication is upping the vulnerability quotient at his practice. He said many practitioners are communicating with patients via text message more than any other forms of communication, and need to use secured platforms, which are available through their EHR provider or a third-party service provider.
Additionally, Betz said practitioners must use caution working within social media platforms, as patients may reach out through these messaging platforms too.
“We always have to make sure before we start using the systems that they are abiding by HIPAA laws and are secure in every fashion possible,” he said.
A solid defense
While data security risk is pervasive, there are several steps that integrative practitioners can take to protect patient and client data:
Understand various types of cybersecurity attacks. Examples include:
- Distributed denial of service (DDoS) Attacks
- Spam and phishing
Train all employees. Anyone using systems needs understands the risks associated with accessing and sharing data. All practitioners, practice leaders and staff members then need to be provided with the knowledge and tools necessary to keep cybercrime at bay.
“To educate the workforce, provide them with clear cybersecurity policies that outline the risks, the defenses in place, and the steps they can take to protect themselves,” Finn said. “Practice leaders can also offer formal cybersecurity training programs to ensure they are up to date on the latest threats and solutions.”
Implement role-based access control. One of the most effective ways to protect data and systems from cyberattacks is implementing role-based access control (RBAC), which allows organizations to assign specific permissions to different employees based on their role in the company, controlling who has access to what data.
“This can be difficult in small operations but just like segregation of duties around accounting functions, leaders should strive for it,” Finn said.
Initiate automated remote backup and data recovery. Protecting data is one of the most crucial cybersecurity practices for small businesses. One of the best ways to protect data from cyberattacks is by initiating automatic remote backups and data recovery, which allows practices to store an extra copy of data offsite in a secure location. An automated remote backup and data recovery solution not only safeguards data from cyberattacks, but it also provides integrated providers with the ability to restore data in the event of a data breach.
Leverage multi-factor authentication (MFA). MFA requires users to provide additional information to prove their identity when accessing company data and systems beyond just their username and password. This additional information may include a code sent via text to a user’s mobile device, or a biometric such as a thumbprint.
MFA makes it significantly more difficult for cybercriminals to access data and systems, because it provides an added layer of security, when a cybercriminal circumvents the user’s password, Finn explained.
Install secure Wi-Fi networks. Finally, one of the most crucial cybersecurity practices for small businesses is properly securing Wi-Fi networks to ensure employees are connecting to a safe network. Integrative practices can secure Wi-Fi networks by using a virtual private network to encrypt internet traffic.