According to the Office for Civil Rights (OCR), incidents of cyber extortion have risen over the past few years and are projected to be a major source of digital disruption in the future. Cyber extortion is defined as a crime involving an attack or threat of attack, coupled with a demand for money to stop it. In addition to ransomware attacks, where cyber criminals encrypt your data and demand a ransom to restore your access to it, cyber extortion includes threats to make stolen information public, or to delete files altogether.
It is important to realize that even the smallest practices have been a target, due to the fact that patient information is valuable and smaller organizations are sometimes more lax in securing their information systems. Please consider the following recommendations in order to limit your liability exposure:
Security Risk Analysis (SRA) – Ensure that you perform a complete review of your HIPAA Security Rule policies and procedures on an annual basis. Remember that a SRA involves verifying that you have implemented policies/procedures to limit risk to your electronic protected health information (EPHI). Current subscribers to Eagle’s HIPAA Compliance System have a complete SRA tool to meet this annual requirement.
Technical Network Assessment (TNA) – A TNA involves a diagnostic evaluation of your information system to look for open unsecured ports, devices missing security patch updates, enabled User IDs that should have been terminated, and more. Documentation from a TNA works in concert with a SRA, and provides strong evidence of applying reasonable safeguards to limit risks to patient information.
Workforce Privacy and Security Training – Awareness for privacy and security is critical to the front-line defense for your information system. Eagle provides privacy and security training in the April and May issues of the Advisor® to help with this task. Eagle also provides “Compliance Notes” (a monthly one-page article in the Advisor®) to remind staff about privacy and security issues. Train staff to identify suspicious emails and messaging scams that could lead to malicious software infecting your information system.
Anti-virus or anti-malware systems – Ensure that you have a strong firewall and anti-virus applications that can scan your information system and provide alerts when suspicious activity occurs. The keys are to implement such applications and monitor the alerts so that immediate corrective actions can be taken.
Data backups – Your data backup procedures should ensure that backup data is encrypted and disconnected from your local server/network (having the data physically taken off site each night or backed up to a secure remote server). Having the backup data stored off site will be critical to your recovery in the event of a disaster or attacks from ransomware.
Audit Logs – While most EMR and operating systems have robust audit logs, they need to be periodically reviewed for unusual or suspicious activity. Create a schedule of reviewing activity reports on at least a monthly basis.
Threats to your information system and the patient data that you store will not diminish in the future, they will likely intensify. Take steps now to ensure your EPHI is protected from known threats by completing a security risk analysis and technical network assessment. These evaluations will help you improve the security of your practice’s information system and reduce your liability.