Data breaches and other information security threats are a concern for all businesses, of course. But medical practices have additional concerns to worry about, such as HIPAA violations and similar state laws.
Below, we’ll outline some of the reasons that information security is vital for medical practices, starting with the topic of data breaches.
Data Breaches
There are numerous dangers associated with data breaches. Some are applicable to all businesses, and some are unique to medical practices.
General Dangers
One of the greatest dangers of experiencing a data breach is the loss of customers’ trust. On some level, customers (or, in medical terms, patients) rely on businesses and practices to be good custodians of their information. When a business is breached, the business often takes a credibility hit. This is especially true when the breach was due to negligence or incompetence.
Data breaches also create liabilities and vulnerabilities for those whose data was compromised. Even if you don’t lose your customers’ or patients’ trust, you could still tarnish your image. Your patients would be right to associate you with all the work and difficulty created by the breach, after all.
Lastly, data breaches can be financially costly. There are costs associated with securing whatever vulnerabilities were exploited. Determining the scope of the breach can be time- and information-intensive (and thus expensive). Big enough breaches may even involve settlement costs, though this tends to be less likely with a small business than with a large one.
Specific Threats for Medical Practices
Medical practices face some threats specific to the medical field in addition to the general threats that all businesses face.
HIPAA Violations: Chief among them is the danger of HIPAA violations. Just about any data breach will cause all the normal concerns discussed above. But in a medical setting, a data breach will also typically cause some form of HIPAA violation if an unauthorized party gains access to PII.
There are additional costs for HIPAA violations, too, ranging from $100 to $50,000 for each violation, with a maximum of $1.5 million.
Limited Staffing Capabilities: One industry organization notes that the risk of data breaches tends to be higher for small to medium medical practices because of their IT limitations. While large hospital systems sometimes have a sufficient and dedicated IT staff, a small independent practice may have a single or even part-time IT staffer.
It’s much harder to keep all physical machines and web-based interfaces up to date and secure in this kind of situation, leaving attackers more avenues to exploit vulnerabilities and steal data.
High Rate of Movement: Another risk that’s more prominent in medical practices than in many other businesses is what we’re calling high rate of movement, for lack of a better term. Many medical offices are fast-paced, with staff and visitors alike moving frequently through the space. Look around your environment and ask yourself: how hard would it really be for someone to gain physical access to a computer without being noticed?
Then ask the scary follow-up question: how often do you see an unlocked workstation, where a nurse or physician steps away but forgets to sign out or lock down the machine? All it takes is combining these two scenarios, and someone who knows what they’re doing could begin a system breach.
These days, most medical practices have a computer in the exam room with the patient, too. We’ve been to general practices where the computer stays in the room between the nurse’s initial questions and the physician’s arrival. Without proper security measures (and especially if the system is left unlocked), this is a recipe for disaster.
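One concrete mitigation for the unattended-workstation problem described above is to have the machine lock itself after a short period of inactivity, rather than relying on staff to remember. The script below is an added example, not part of the original article: it audits a Windows workstation for the local equivalent of the "Interactive logon: Machine inactivity limit" policy (the InactivityTimeoutSecs value) and enforces it when missing or too long. The 300-second threshold is an assumed value; set it to whatever your own policy documents. In a domain environment the same setting would normally be pushed by Group Policy, and this script is a per-machine check for practices without that infrastructure.

```powershell
# Added example (not from the original article). Audits and, if needed, enforces an
# inactivity lock so a workstation left unlocked in an exam room locks itself.
# Reading the value works as a normal user; writing it needs an elevated session.

$PolicyPath        = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$ValueName         = 'InactivityTimeoutSecs'
$MaxAllowedSeconds = 300   # assumption: 5 minutes; adjust to your documented policy

function Get-InactivityLockStatus {
    # Returns an object describing whether this machine will lock on inactivity.
    # A missing value means "not configured", i.e. no automatic lock at all.
    $current = (Get-ItemProperty -Path $PolicyPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    $compliant = ($null -ne $current) -and ($current -gt 0) -and ($current -le $MaxAllowedSeconds)
    [pscustomobject]@{
        ComputerName      = $env:COMPUTERNAME
        TimeoutSeconds    = $current
        MaxAllowedSeconds = $MaxAllowedSeconds
        Compliant         = $compliant
    }
}

function Set-InactivityLock {
    param([int]$Seconds = $MaxAllowedSeconds)
    if (-not (Test-Path $PolicyPath)) {
        New-Item -Path $PolicyPath -Force | Out-Null
    }
    # DWORD value in seconds; takes effect at the next logon or policy refresh.
    New-ItemProperty -Path $PolicyPath -Name $ValueName -Value $Seconds -PropertyType DWord -Force | Out-Null
}

# Audit first, then remediate only when the check fails, so the script is safe to
# run repeatedly (for example from a scheduled task or a logon script).
$status = Get-InactivityLockStatus
$status | Format-List
if (-not $status.Compliant) {
    Write-Warning "No inactivity lock within $MaxAllowedSeconds seconds on $($status.ComputerName); enforcing."
    Set-InactivityLock
    Get-InactivityLockStatus | Format-List
}
```

The audit function is separated from the remediation so the same output object can be collected from many workstations and reviewed before anything is changed; a practice with a single part-time IT staffer benefits from a check that can be run unattended and only alerts when a machine drifts out of compliance.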
These are just a few of the unique risks associated with medical practice data breaches. We wish that were the end of the bad news, but it isn’t. There are other categories of risks to consider besides data breaches.
Medical Device Vulnerabilities
Today’s medical practices are high-tech places full of connected medical devices. These modern devices drastically improve the quality of care, but they have a dark side. Keeping a plethora of devices, each with its own firmware or software, patched and up to date can be a logistical nightmare. Yet unpatched devices can be an easy target for bad actors looking for a way in.
Employee Vulnerabilities
- Phishing emails impersonate a legitimate site or vendor (like Microsoft or Epic) and try to steal login credentials.
- Spear-phishing attacks use those stolen credentials to impersonate someone in your organization. The impostor will then attempt to scam employees into compromising systems or giving away resources.
- Bad password hygiene, such as leaving passwords in plain view or reusing credentials across various sites and systems, makes it far easier for credentials to be compromised.
Ransomware Attacks
A ransomware attack is a cyberattack where bad actors gain control of a system or network and then lock the rightful users out, demanding they pay a ransom to regain access to the compromised system. These attacks generate a lot of fear. The prospect of permanently losing access to the data on the compromised device or system is often terrifying.
These attacks tend to occur through methods similar to the other topics here: attackers break into a vulnerable system or simply socially engineer their way in. Shoring up those avenues of attack will help lessen your risk of a ransomware attack, too.