Hello again! After a long absence, I’m back to the blog.
As health care providers, we all know that securing the sensitive information on your patients is mandatory and heavily regulated by HHS through the HIPAA laws. If you are using certified software, the vendor is attesting that the patient data is safe, secure and HIPAA compliant. However, if you are not using certified software to keep track of any PHI (protected health information), you are most likely not compliant and at risk of a data breach.
The simplest definition of HIPAA-compliant patient data is that it is encrypted at rest and in transit. If you are a server-based office, the only time the data would be in transit is during backup. As long as your backup provider certifies encryption, you should be good to go.
However, many offices that suffer cyber problems were never attacked through the practice management software at all. It’s all the other functions being used in the office that create the vulnerabilities attackers take advantage of. Here are a few key ideas to help you shore up your defenses.
Hacking is a business
There are commercial sites on the dark web (yes, that is really a thing!) where the criminally inclined can purchase all sorts of malware. These range from outright purchase of specific types of identifying information that was stolen from other sites (like Social Security numbers, e-mail addresses, passwords, web browser history, etc.) to programs that can be used to penetrate your existing defenses and take up residence in your computer. Zeus, for example, is a widely used commercial Trojan that can export all of the information out of your computer to a remote host without you knowing that anything is wrong.
These software systems are bought and sold for untraceable cryptocurrencies on a worldwide market.
How they get in
The most common way is “phishing,” which is getting you to click on a link in your e-mail that looks like a legitimate communication but is actually an invitation to install malware. The same lure can also show up on a website that you are redirected to. You may think that you would never click on a suspicious link, but the click rates are surprisingly high, in the mid single-digit percentages.
These lures can range from a warning from your anti-virus software that you need to update, to a notification from your bank about updating security questions or that a wire transfer failed to go through. Installation of the malware is very fast and the subsequent data theft is usually in small packets, so you may not even realize your data is being exported. It will typically not crash your system, because a crashed system cannot be squeezed for more money.
What they want
Almost any aggregated information can be packaged and sold to identity thieves and other hackers. This is the most common use of stolen information. E-mail addresses are worth money. Compromised, in-use computers are worth money. W-2s are worth money.
Hackers may also install ransomware on your system, where the system will be shut down unless money is paid to a specified recipient. Payment of the ransom naturally does not ensure that your system will be restored. You may be subject to increasing demands or the complete crashing of your system even if you pay.
Defeating all attacks at 100% is a lofty goal indeed. Here are some simple steps to put in place with routine interactions:
- Use two-step verification for webmail. You can tell your e-mail service to require a six-digit code sent by text message if you sign in from an unknown computer. This does require you to have your cell phone when you are doing e-mail, but it’s a minor nuisance.
- Tell your e-mail program to notify you if anything is being forwarded. This will prevent hackers from sending fake bills with “new” bank accounts while pushing the legitimate bills into the trash.
- Use phone confirmations when possible for financial transactions. Talk to your bank if suspicious financial requests or interactions come into your e-mail box.
- Set your remote access devices to require a username and password plus some sort of bot-defeating check when logging in from an unknown device. CAPTCHA is a commonly used verification system.
- Be very selective about who in your employee base you grant remote access to.
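The forwarding point above is worth checking, not just watching for. As an added example that is not part of the original post, here is a small Python audit over exported inbox rules that flags the forward-outside-and-trash pattern; the rule format, the sample rules and the practice's domain name are all constructed assumptions for illustration, not any real mailbox.

```python
"""Audit exported inbox rules for the forward-and-hide pattern used in fake-bill fraud."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

INTERNAL_DOMAIN = "example-practice.test"  # assumed domain of the office's own mailboxes
FINANCE_WORDS = {"invoice", "wire", "payment", "remittance", "bank", "ach"}
HIDING_FOLDERS = {"deleted items", "trash", "junk", "rss feeds"}


@dataclass
class InboxRule:
    """One mail rule as a mailbox export might describe it (constructed schema)."""
    name: str
    enabled: bool
    forward_to: List[str] = field(default_factory=list)
    move_to_folder: Optional[str] = None
    delete: bool = False
    keyword_filter: List[str] = field(default_factory=list)


# Constructed sample export: one benign rule, one internal copy, one disabled
# leftover, and two rules shaped like the fraud described above.
SAMPLE_RULES = [
    InboxRule("Newsletters", True, move_to_folder="Reading"),
    InboxRule(".", True, forward_to=["collector@mail.example"],
              keyword_filter=["invoice", "wire", "payment"]),
    InboxRule("Copy to assistant", True, forward_to=["assistant@example-practice.test"]),
    InboxRule("Old rule", False, forward_to=["me@webmail.example"]),
    InboxRule("Cleanup", True, delete=True, keyword_filter=["remittance"]),
]


def audit_rules(rules: List[InboxRule], internal_domain: str) -> List[Tuple[str, List[str]]]:
    """Return (rule name, reasons) for every enabled rule that leaks or hides mail."""
    findings = []
    for rule in rules:
        if not rule.enabled:
            continue  # disabled rules cannot act; still worth cleaning up, but not flagged here
        reasons = []
        external = [a for a in rule.forward_to if not a.lower().endswith("@" + internal_domain)]
        if external:
            reasons.append("forwards outside the practice: " + ", ".join(external))
        hides = rule.delete or (rule.move_to_folder or "").lower() in HIDING_FOLDERS
        if hides:
            reasons.append("deletes or hides matching mail")
        if reasons and FINANCE_WORDS & {k.lower() for k in rule.keyword_filter}:
            reasons.append("targets financial keywords")  # the fake-bill scenario
        if reasons:
            findings.append((rule.name, reasons))
    return findings
```

Run `audit_rules(SAMPLE_RULES, INTERNAL_DOMAIN)` against a real export and review every flagged rule with the mailbox owner; an internal forward to a colleague is normal, an external one almost never is.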
Talking to your staff and anyone else who has access to the company e-mail platform is crucial for building critical thinking skills on this subject. The simplest rule is: if you are not sure what you’re looking at, or you don’t know, don’t click on anything! Your IT vendor should be able to help you set these things up and review these concepts with you. Getting ahead of this curve is smart business. Once the damage is done, it can be difficult and expensive to restore.