Protecting your practice from cyberthreats

By Besse Medical

The pandemic has led to more of us working remotely – so keeping patient data safe and protecting your practice is a priority. 


Potential cyber risks – why practices are targeted

With the expansion of telehealth during the pandemic, protecting your patients’ data has become more critical. Providers and associates took home their work computers, possibly accessed personal email while on your network, or used their personal devices for work-related calls, making your systems more vulnerable. All of these opened your practice up to phishing attacks that play on fear, such as a message claiming that the IRS needs some “information” from you or that your online shopping account has been closed because of unusual activity. Practice associates may have innocently opened an email or clicked on a link without checking its validity.

While HIPAA regulations were relaxed, practices may have also used systems that were not originally compliant with protecting your patients’ data.

Why were practices targeted? Patient data may not have a tremendous value, but hackers understood the cost to you in the event that the information was released to the dark web. Hackers have been able to infiltrate networks and hold the data hostage, an attack known as ransomware.

The hackers understood that while the data might not be sold for a lot, if they held or even released the information, your practice would be liable for the cost of a data breach. That cost, estimated to be on average $430-$500 per patient record, amounts to lost reputational value, lost operational expenses, legal fees and fines from government agencies for the violation of HIPAA.

What does a practice administrator need to consider when using vendors for IT support, as well as vendors to help with telehealth? 

  • Is your vendor HIPAA compliant? That should be outlined in their business associate agreement (BAA). 
  • Look for their definition of a breach of security – what does that mean to the vendor compared to your practice?
  • Look at their disclosure timelines and breach interactions. How the vendor informs your practice of a breach, and how soon after a breach they inform you, can make a significant difference to your practice and patients.

How does your practice prepare to meet your security standards?

With the expansion of telehealth and its expected continued use, keeping patient data safe and protecting your practice must become a priority. 

Practices that work with our Quality Reporting Engagement Group (QREG) will receive documentation to complete a security risk analysis, which is provided as part of their consulting services.

Practices also need to keep in mind the pressure of placing the protection of your organization solely on an internal IT team. Typical IT contracts focus on maintaining operations, not necessarily security. With outside counsel, a security vendor can perform an assessment of software inventory to ensure the software has the means to protect from attacks. They can also look at your practice’s network capabilities and perform a vulnerability assessment. Systems that contain PHI should be limited in access and utilization to strictly professional capacities and localities. Having data contained and protected within a physical location is the first layer of a multi-layered security posture. A qualified IT contractor will direct you on which systems are vulnerable and recommend the proper protection. Additionally, there are devices intended for specific functions – limiting utilization to only their intended function minimizes potential avenues of exposure.

In a recent webinar, it was recommended that practices create a security roadmap. That process will help align security processes with your practice’s operational goals and determine whether you need outside help for protection. The roadmap is considered to be a flexible document that changes as cybercriminals change their tactics. Part of that roadmap will include the security risk assessment that each practice must complete for its MIPS submissions.

To learn more about cybersecurity and your practice, view this April 2021 webinar hosted by the Quality Reporting Engagement Group, along with Firm Guardian, a cybersecurity company which focuses on helping organizations create stronger security and compliance programs.