Published 4/1/2019
Michael R. Marks, MD, MBA

Four Tips for Avoiding Data Breaches

According to a new report by Radware, a provider of load balancing and cybersecurity services for data centers, the average cost of a cyberattack now exceeds $1 million. Furthermore, 37 percent of the organizations that have been attacked experienced subsequent damage to their reputation.

I asked Michael J. Sacopulos, JD, founder and president of Medical Risk Institute, to provide some practical approaches for minimizing risk of breaches and costly cyber fallout.

“Preparing for a security breach is kind of like playing poker in Vegas,” said Mr. Sacopulos. “Maybe you’ll get lucky and avoid a breach. Maybe you won’t. But unlike Vegas, you can increase your odds of success by preparing.”

He offered four steps practices can take to decrease their odds of a breach. The steps focus on the most problematic areas.

  1. Step up your cyber hygiene

Much like scrubbing before surgery to avoid infection, cyber hygiene involves training staff and preparing systems to avoid malware or ransomware. According to Mr. Sacopulos, the most overlooked component of data security management is staff training.

“Ninety percent of the big risks are the result of staff getting tricked by a phishing email or making some other security mistake,” he said. “Practices can significantly reduce their risk by simply training staff about the common causes of breaches, how to spot nefarious emails, and what to do if they suspect an email is potentially dangerous.”

Mr. Sacopulos described an eight-provider surgical group whose system was infected with ransomware after a receptionist clicked a link in a malicious email, which installed malware on the network. “The ransomware had hibernated for about four months,” he explained. “It’s common for these attacks to have a time separation between cause and effect. The malware waits to manifest so that it can bypass the practice’s electronic safeguards. It often waits to install itself in a future update.”

The practice had not trained its staff on how to identify malicious emails. Thankfully, it had insurance to help with the cost of the aftermath, and the damage didn’t involve all patients. “It was relatively limited to a specific area of the system. But it could have been a lot worse,” Mr. Sacopulos said.

Mr. Sacopulos recommends that practices remind staff continuously and send occasional simulated phishing emails, messages “that don’t look right,” to keep the issue of phishing top of mind. Just as physicians participate in continuing medical education, it is important to have ongoing education for staff.

“Cyber training is not a ‘one and done,’” Mr. Sacopulos warned. “You have to keep people’s antennae up.”

  2. Monitor unauthorized access

Most people think of security threats as external. But sometimes the enemy is within. “You could have an employee looking at records and selling the information to others,” said Mr. Sacopulos. “I’ve worked with multiple organizations where that was the case.”

To reduce this risk, practices should lock down patient data to only those who need the information. For example, the marketing director doesn’t need access to electronic health records (EHRs).

Business associates are a second possible threat. Mr. Sacopulos suggests reviewing the account permissions of each business associate on an annual basis to make sure no one has access to data they shouldn’t.

“We know from breach statistics that despite the Health Insurance Portability and Accountability Act regulations, a majority of business associates aren’t performing annual risk assessments or training their staff about privacy,” he said. “That puts a practice at risk.”

Former employees can also be a threat. “It’s troubling how many practices let someone go and fail to terminate their login credentials,” Mr. Sacopulos said. “That should be done at the time of their dismissal.”

He added that it’s not just computer system credentials that must be severed. Sometimes it’s access to physical data. “I advised a practice that stored old records in a facility that used combination locks. The practice hadn’t changed the combination in many years. Former employees still knew it and could get in,” Mr. Sacopulos said.
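The three problems described in this section (a role holding access it does not need, a dismissed employee whose login is still enabled, and a business associate whose permissions have not been reviewed in a year) can all be caught by a periodic review of the account inventory against a role matrix. The script below is an added example, not code from the article or from Medical Risk Institute; the role matrix, the account list, and the review date are constructed for illustration, and a real practice would export the account list from its EHR or identity system instead.

```python
"""Periodic access review for a small practice.

Flags three findings: permissions beyond what the account's role needs,
accounts still enabled after the person was let go, and business-associate
accounts not reviewed within the last year.

Added example; the role matrix and account inventory below are constructed.
"""
from datetime import date, timedelta

# Constructed role matrix: the permissions each role legitimately needs.
ROLE_PERMISSIONS = {
    "physician": {"ehr_read", "ehr_write", "schedule_read"},
    "billing": {"billing_read", "billing_write", "schedule_read"},
    "reception": {"schedule_read", "schedule_write", "demographics_read"},
    "marketing": {"newsletter_send"},
    "business_associate": {"billing_read"},
}

# Constructed inventory of enabled logins, as an EHR or identity system would export it.
# "status" is "active" or "terminated"; a terminated person with an enabled login is a finding.
ACCOUNTS = [
    {"user": "dr.lee", "role": "physician", "status": "active",
     "permissions": {"ehr_read", "ehr_write", "schedule_read"},
     "last_review": date(2019, 1, 15)},
    {"user": "m.jones", "role": "marketing", "status": "active",
     "permissions": {"newsletter_send", "ehr_read"},   # EHR access the role does not need
     "last_review": date(2019, 1, 15)},
    {"user": "t.smith", "role": "billing", "status": "terminated",  # let go, login never disabled
     "permissions": {"billing_read", "billing_write", "schedule_read"},
     "last_review": date(2018, 6, 1)},
    {"user": "acme-billing", "role": "business_associate", "status": "active",
     "permissions": {"billing_read"},
     "last_review": date(2017, 11, 3)},  # not reviewed in over a year
]

REVIEW_INTERVAL = timedelta(days=365)


def review_accounts(accounts, role_permissions, today):
    """Return (user, finding) tuples, in inventory order, for a reviewer to act on."""
    findings = []
    for acct in accounts:
        allowed = role_permissions.get(acct["role"], set())
        extra = acct["permissions"] - allowed
        if extra:
            findings.append((acct["user"],
                             "permissions beyond role: " + ", ".join(sorted(extra))))
        if acct["status"] == "terminated":
            findings.append((acct["user"], "login still enabled after dismissal"))
        if (acct["role"] == "business_associate"
                and today - acct["last_review"] > REVIEW_INTERVAL):
            findings.append((acct["user"],
                             f"business associate not reviewed since {acct['last_review']}"))
    return findings


if __name__ == "__main__":
    for user, finding in review_accounts(ACCOUNTS, ROLE_PERMISSIONS, date(2019, 4, 1)):
        print(f"{user}: {finding}")
```

Run against the constructed inventory on 2019-04-01, the review reports the marketing director's EHR access, the terminated billing staffer's live login, and the overdue business-associate review, and nothing for the physician whose permissions match the role. The same loop works for physical access if the inventory also lists who knows a storage-room combination.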

  3. Insist on unique passwords

In the August 2018 issue of AAOS Now (“Password Security: OpenSaysMe”), Mr. Sacopulos and I covered the essentials of password security. Because it is such a big issue, it bears repeating. According to Verizon’s annual Data Breach Investigations Report, more than 60 percent of confirmed data breaches involved leveraging weak, stolen, or default passwords.

“The most popular passwords in the United States are still ‘password’ and ‘12345,’” said Mr. Sacopulos. “Practices must insist on one password per user. Period. No negotiation. Insist on strong passwords that include symbols as well as upper- and lowercase letters. Birthdays and telephone numbers are not clever or sufficient. Treat passwords like underwear: Change them frequently, and do not share them.”

  4. Audit employee and business associate access

One of the reasons each person at a practice should have a unique username and password is so the practice can track user behavior and access.

“Review user activity logs by password to identify when users log in and what they are looking at,” Mr. Sacopulos advised. “That’s important for limiting the potential of data being viewed or accessed by the wrong person.”

System permissions allow a practice to limit what a user can do and see. But Mr. Sacopulos often finds that permissions aren’t configured properly and that most employees have access to much of the data in the system. If you suspect that is the case in your practice, talk to your manager.

“There are ways to conduct simple audits without purchasing special software, such as the tools the hospital probably uses to monitor usage,” Mr. Sacopulos said. “For example, if your practice is open Monday through Friday, check the audit logs to see if anyone is getting into the system at 8 p.m. on a Friday or over the weekend. It might be a physician finishing up record review in the EHR program. However, it might also be a billing staffer who shouldn’t be in the system at that time.”

Another sniff test can be done according to the volume of records a user accesses. “If you find that one user is consistently reviewing 350 or 500 records a week when everyone else is looking at 125 records, something is up. You must investigate why that user is looking at so many records.”

Mr. Sacopulos admits these are crude metrics. However, they are low- or no-cost ways for practices to determine whether something suspicious might be going on, so they can focus their attention on a solution.
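Both of the crude checks described above, after-hours logins and one user reading far more records than peers, can be run over an exported audit log with a short script rather than special software. The code below is an added example, not code from the article or from any EHR vendor; the log line format, the business-hours window, and the sample lines are constructed, so a real export would need the regular expression adjusted to its own field names.

```python
"""Two low-cost checks on an EHR access audit log.

(1) Logins on a weekend or outside business hours.
(2) Users viewing far more distinct records than their peers.

Added example; the log format, hours and sample lines are constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed log format. Real audit exports differ but carry the same fields.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"action=(?P<action>\S+)(?: record=(?P<record>\S+))?$"
)

BUSINESS_DAYS = range(0, 5)     # Monday=0 .. Friday=4 (assumed practice hours)
BUSINESS_HOURS = range(7, 19)   # 07:00 up to, not including, 19:00


def _views(user, day, start_hour, n):
    """Constructed helper: n record views by `user` on `day`, one per minute (n <= 60)."""
    return [f"{day} {start_hour:02d}:{i:02d}:00 user={user} action=view_record "
            f"record=MRN-{user}-{i:03d}" for i in range(n)]


# Constructed week of activity. 2019-03-25 is a Monday, 03-29 a Friday, 03-30 a Saturday.
SAMPLE_LOG = (
    ["2019-03-25 08:02:11 user=dr.lee action=login",
     "2019-03-25 09:00:40 user=b.cole action=login",
     "2019-03-25 09:01:02 user=k.ray action=login",
     "2019-03-25 09:03:15 user=r.patel action=login"]
    + _views("dr.lee", "2019-03-25", 8, 15)
    + _views("b.cole", "2019-03-25", 9, 12)
    + _views("r.patel", "2019-03-25", 10, 10)
    + _views("k.ray", "2019-03-25", 9, 45)            # far above peers
    + ["2019-03-29 20:05:33 user=dr.lee action=login",   # Friday 8 p.m.
       "2019-03-30 14:10:00 user=k.ray action=login"]    # Saturday
)


def parse(lines):
    """Parse log lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                       "user": m["user"], "action": m["action"],
                       "record": m["record"]})
    return events


def after_hours_logins(events):
    """Logins on a weekend or outside business hours; a lead to follow up, not proof."""
    return [(e["user"], e["ts"]) for e in events
            if e["action"] == "login"
            and (e["ts"].weekday() not in BUSINESS_DAYS
                 or e["ts"].hour not in BUSINESS_HOURS)]


def high_volume_users(events, factor=2.0):
    """Users whose distinct-record count exceeds `factor` times the median of everyone else."""
    viewed = defaultdict(set)
    for e in events:
        if e["action"] == "view_record" and e["record"]:
            viewed[e["user"]].add(e["record"])
    counts = {user: len(records) for user, records in viewed.items()}
    flagged = []
    for user, n in counts.items():
        others = [c for u, c in counts.items() if u != user]
        if others and n > factor * statistics.median(others):
            flagged.append((user, n))
    return flagged


if __name__ == "__main__":
    events = parse(SAMPLE_LOG)
    for user, ts in after_hours_logins(events):
        print(f"after-hours login: {user} at {ts}")
    for user, n in high_volume_users(events):
        print(f"high volume: {user} viewed {n} records")
```

Comparing each user against the median of the others, rather than against a fixed number, keeps the check meaningful whether the practice's normal weekly volume is 125 records or 12. As the article says, both results are leads: the Friday-night login may well be a physician finishing chart review, and the script only tells you whom to ask.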

In conclusion, don’t keep your head in the sand; take these four tips to heart to help prevent data breaches.

Michael R. Marks, MD, MBA, is an orthopaedic surgeon; editor of the Medical Liability Committee column for AAOS Now; senior consultant with KarenZupko & Associates, Inc.; and senior medical director at Relievant Medsystems. He is also a member of the AAOS Patient Safety Committee. He can be reached at mmarks1988@gmail.com.