
Published 3/1/2019
Michael R. Marks, MD, MBA

Do Your Cybersecurity Policies Need a Checkup?

When was the last time you reviewed your cybersecurity policies? If you can’t recall, you’re overdue. Such policies are critical for protecting patient and other sensitive data on your network and for reducing the risk of breaches, which bring reputational harm, costly recovery, and breach notification to affected patients.

Recently, I spoke with Michael J. Sacopulos, JD, founder and chief executive officer of the Medical Risk Institute, about the finer points of cybersecurity policies and why orthopaedic surgeons should take them seriously.

Dr. Marks: Orthopaedic surgeons are so busy treating patients and dealing with coding, billing, and management issues. How high should cybersecurity policies be on their priority list?

Mr. Sacopulos: Very high. Mostly because the protection of patient data is what is at risk if they aren’t prepared. But also because 2017 was the “worst year ever” for cybersecurity incidents, according to the 2018 Online Trust Alliance’s Cyber Incident and Breach Trends Report. The number of reported breaches was nearly double that of 2016. And 24 percent of those occurred in health care. Sadly, most practices are unprepared to deal with cyberattacks.

Just five years ago, practices could probably take a calculated risk and set their cybersecurity policy development aside, but it’s too risky to ignore these days. The most common weak spots in health care are lack of written policies and procedures, insufficient training, and lack of a risk analysis, according to cybersecurity expert James Scott. All of these are preventable, and preparedness starts with a policy.

Dr. Marks: Which are the most important policies a practice should have in place?

Mr. Sacopulos: Essentially, it’s a set of three: a security policy, which is required under the Health Insurance Portability and Accountability Act (HIPAA); a social media policy; and a mobile device policy. I’m quite aware that policy development is not the most riveting activity. That’s why I find that parts of these policies, and in fact sometimes entire policies, are often missing in practices. But all three are essential to keeping digital data safe. Taking the time to create these policies is important. Without them, you have nothing on which to base your procedures for how staff should handle suspicious emails, network protection, or the appropriate destruction of data and devices. And that leaves you exposed to big risks—from data breach to identity theft to reputational harm. Preparedness is worth the effort.

Dr. Marks: Because the security policy is required by HIPAA, let’s address that first. What should be included?

Mr. Sacopulos: The security policy is the one that includes a laundry list of things a practice must do each year to protect patients’ Protected Health Information (PHI). To start, it should state that the practice completes an annual risk analysis conducted by a professional firm. Let me be clear, downloading a checklist from the internet and asking your manager to conduct the risk analysis is dangerous. Information technology (IT) is not your manager’s area of expertise, and he or she will overlook something. This is the wrong place to reduce expenses. Engage a professional IT consultant.

The security policy also includes things like an information system activity review, which is an assessment of who has access to which data and systems and why. Other components include password management, business associate agreements, system updates, and security incident procedures and contingency plans—the policy for how to respond to a breach.

Dr. Marks: What are the risks if a practice doesn’t have a current security policy in place? What’s the worst that can happen?

Mr. Sacopulos: First, because this policy is required under HIPAA, lack of one could result in fines. But the more probable fallout will be a nefarious digital event, such as a phishing scam that entices an employee to open an email that causes a breach. Phishing is the fraudulent practice of sending emails purporting to be from reputable companies in order to induce individuals to reveal personal information, such as passwords and credit card numbers. This is the cause of 43 percent of all breaches. By addressing this one threat with good policy, procedures, and training, you’ll decrease your risk significantly.

Other big risks include malicious email attachments that launch malware programs into your network, and device theft, which is a very common way to steal patient data. Because 99 percent of the devices used by physicians and other clinicians aren’t properly secured, hackers can easily access the information they contain. Patient data are the Holy Grail for cyberthieves. On the black market, they can fetch $380 per record versus $141 per record for nonpatient data.

Mr. Sacopulos: I’d say a social media policy. I get more questions and requests from physicians about social media than any other type of cybersecurity or privacy policy. This one is important not only from a security standpoint but also for human resources management. The core of the policy is the professional and personal behavior of employees online.

Four best practices should be included in this policy. First and most obvious, employees should be restricted from posting PHI on any social media channel. Second, don’t allow any employee to provide medical advice or commentary of any kind or impersonate a physician or anyone else in the practice online. Third, you must prohibit employees from transmitting anything to which the practice doesn’t own the legal rights. I refer to this as the Jason Pierre-Paul (then-defensive end with the New York Giants who sustained a serious hand injury playing with fireworks on July 4) Common Sense Rule. Remember when Mr. Pierre-Paul’s hospital records were released on Twitter? Don’t let that be your practice. And finally, your social media policy should prohibit employees from endorsing any product or service or taking any political or lobbying action that could in any way reference your practice.

Dr. Marks: Those are terrific points. You can never be too careful when you consider what employees could post online that could harm patients or the practice. Let’s close with the third important policy: mobile devices. What are your recommendations for this?

Mr. Sacopulos: I really want to stress the importance of this one, given how many laptops, tablets, and mobile devices are swimming around the office and hospital. First, the policy should outline your security requirements for mobile devices. For instance, everyone who uses a mobile device on the job—whether that device is personal or practice-owned—absolutely must set up strong passwords. They should set a “go to sleep” (or timeout) of no more than 30 seconds and install remote-location and data-wiping features. There also must be requirements about data backup and encryption; whenever possible, all mobile devices with PHI should be encrypted.

The second vital component this policy covers is prohibited uses at work. For instance, employees should not store patient data on their devices or use “regular texts” to communicate with patients. Because HIPAA requires that all electronic communication be secure, physicians and staff should use a secure messaging system. Finally, to minimize distraction, the policy should prohibit the use of mobile devices in certain locations. It’s a risky idea to have devices that “ding” in places where invasive procedures or other patient treatments are being performed.

Michael R. Marks, MD, MBA, is an orthopaedic surgeon; editor of the Medical Liability Committee column for AAOS Now; senior medical director at Relievant Systems; a member of the AAOS Patient Safety Committee; and senior consultant with KarenZupko & Associates, Inc. He can be reached at mmarks1988@gmail.com.


  1. Online Trust Alliance: Cyber Incident and Breach Trends Report. Available at: https://otalliance.org/system/files/files/initiative/documents/ota_cyber_incident_trends_report_jan2018.pdf. Accessed January 11, 2019.
  2. Scott J: Cybersecurity Hygiene for the Healthcare Industry: The Basics in Healthcare IT, Health Informatics and Cybersecurity for the Health Sector. Self-published, 2015, p 22.
  3. Ponemon Institute: 2017 Cost of Data Breach Study: Global Overview. Available at: https://www-01.ibm.com/common/ssi/cgi-bin/ssialias?htmlfid=SEL03130WWEN. Accessed January 14, 2019.