February 26, 2016
I have fond memories of playing a board game called Hungry Hungry Hippos in my younger days. Children would drop small white marbles onto a game board while furiously slamming their fists on a small, plastic, hippo-shaped lever. The hippos’ mouths would chomp at rapid speeds in attempts to capture as many marbles as humanly possible.
Today’s medical practices mirror the chaos of the game. Each day seems more hectic than the previous with visiting patients, emergency calls, demanding doctor schedules, medical billing and coordinating with insurance companies…all while trying to maintain a timely waiting room experience.
And each aspect of this chaos creates real-life white marbles—little snippets of personal data that need to be captured and secured…credit card details here, personal medical histories there; social security numbers and health insurance policy details collected a moment later…
Despite all of the confidential data medical organizations house, compliance and security are never top of mind in the field.
The harsh reality is that these offices and hospitals just aren’t ready to secure those white marbles and win the game against their sneaky opponents—the hackers. Cybercriminals are more than ready to swoop in, click the lever a few times and collect all of the marbles when the organizations’ backs are turned from the game board.
I recently had the opportunity to attend a social event with some of the top surgeons in my local community. My wife works in the medical device field and scheduled a networking event with her most established clients, and of course, I volunteered (was forced) to attend.
I jumped at the chance to rub elbows with top surgical talent, but I also had another agenda…I wanted to take this one-on-one time to pick their brains on compliance and security and see how they’d fare in the fight against hackers.
Now, face time with a neurosurgeon is slim so I had to pitch my opening line to gain their attention and keep them engaged.
My brilliant opening line:
“How do you protect your patients’ personal data?”
It’s a simple question at the core—but the responses were astonishing:
“We have antivirus.”
“We take a HIPAA training course every year.”
“We don’t store personal data.”
“I think we have an IT guy for this.”
These answers don’t even scratch the surface of everything I heard, but it was all equally surprising and telling of the importance of protecting patient data—and how little medical professionals really know about today’s threat landscape.
When I asked if they were worried about a breach of said data, the majority replied:
“We are just a small office. We’re not a target.”
I was talking with an orthopedic surgeon who has around 60 employees and roughly 40-50 patients passing through his office daily. Even he had the “Breaches happen, but they won’t happen to us” mindset.
Sure it’s usually the healthcare giants like Anthem, Excellus or Premera that make the breach headlines. But just because hackers can mine larger troves of data from the big guys doesn’t mean smaller practices are in the clear.
Cybercriminals know these offices are often barely secured (or left completely unprotected)...and that they still house sensitive medical, financial and personally identifiable information.
In fact, only 33 percent of healthcare organizations agree they have sufficient resources to prevent or quickly detect a data breach. This means that hackers don’t have to try very hard to compromise almost 2/3 of medical practices in order to pocket their marbles.
So, what can you do to protect your patients’ data and comply with regulations such as PCI and HIPAA?
Here are the most essential tips to help you stay ahead in the security game:
1. If you handle credit card data or personal health information (PHI/ePHI), you need to be HIPAA and/or PCI compliant.
It’s as simple as that.
2. If you accept any form of credit card, you will be required to be PCI compliant.
The level of PCI compliance you must meet is determined by the number of transactions you process annually and by how you process them.
Most merchants will be required to complete a self-assessment questionnaire, which is used to set a standard level of security.
3. Purchase a commercial grade firewall.
Do not rely on your local Best Buy associate to recommend the latest off-the-shelf option.
4. Create a network segmentation security plan.
Create a network segmentation security plan for your office/hospital that separates credit card systems, patient data, security cameras, etc. into their own segments. Segments should not be reachable from one another, and any Wi-Fi serving a segment should be secured.
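The tip above is only useful if the segmentation actually holds on the firewall, so here is an added example (not code from the original post) of a small policy-as-code audit: a constructed set of clinic segments, a few constructed firewall rule sets, and a check that reports any cross-segment flow the rules permit beyond an explicit exception list. The segment names, address ranges, probe ports and rule sets are all hypothetical illustrations, not real configurations.

```python
"""Audit a first-match firewall policy for unintended cross-segment reachability.

Added example: segments, rules and the exception list below are constructed
for illustration and do not describe any real practice network.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Constructed segments for a hypothetical clinic, one VLAN per data class.
SEGMENTS = {
    "cardholder": ipaddress.ip_network("10.10.1.0/24"),    # payment terminals
    "phi":        ipaddress.ip_network("10.10.2.0/24"),    # EHR workstations
    "cameras":    ipaddress.ip_network("10.10.3.0/24"),    # security cameras
    "guest_wifi": ipaddress.ip_network("10.10.40.0/24"),   # waiting-room Wi-Fi
    "mgmt":       ipaddress.ip_network("10.10.250.0/24"),  # IT administration
}

# Representative ports to probe between every pair of segments.
PROBE_PORTS = (22, 80, 443, 445, 3389)

# Cross-segment flows the plan deliberately permits: (src, dst, port).
ALLOWED_FLOWS: Set[Tuple[str, str, int]] = {
    ("mgmt", "cameras", 443),  # admins reach the camera NVR web UI
    ("mgmt", "phi", 3389),     # admins reach EHR workstations for support
}


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int] = None     # None matches any port


ANY = ipaddress.ip_network("0.0.0.0/0")

# An unsegmented office: one flat "allow everything" rule.
FLAT_RULES = [Rule("allow", ANY, ANY)]

# The segmented plan: only the two management exceptions, default deny.
SEGMENTED_RULES = [
    Rule("allow", SEGMENTS["mgmt"], SEGMENTS["cameras"], 443),
    Rule("allow", SEGMENTS["mgmt"], SEGMENTS["phi"], 3389),
]

# A common slip: a vendor asked for camera access to the EHR network "for
# integration" and an any-port allow was added without updating the plan.
LEAKY_RULES = SEGMENTED_RULES + [Rule("allow", SEGMENTS["cameras"], SEGMENTS["phi"])]


def is_allowed(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """First matching rule decides; no match means deny (default-deny policy)."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if src in rule.src and dst in rule.dst and (rule.port is None or rule.port == port):
            return rule.action == "allow"
    return False


def audit(rules: List[Rule], segments=SEGMENTS, allowed_flows=ALLOWED_FLOWS,
          ports=PROBE_PORTS) -> List[Tuple[str, str, int]]:
    """Probe one host per segment pair and return permitted flows that are
    not on the exception list. An empty list means the plan holds."""
    violations = []
    for src_name, src_net in segments.items():
        src_host = str(src_net[10])
        for dst_name, dst_net in segments.items():
            if src_name == dst_name:
                continue
            dst_host = str(dst_net[10])
            for port in ports:
                if is_allowed(rules, src_host, dst_host, port) \
                        and (src_name, dst_name, port) not in allowed_flows:
                    violations.append((src_name, dst_name, port))
    return violations


if __name__ == "__main__":
    for label, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES),
                         ("leaky", LEAKY_RULES)):
        found = audit(rules)
        print(f"{label}: {len(found)} unplanned cross-segment flows")
        for v in found[:5]:
            print("   ", v)
```

Run the same audit after every firewall change: the flat rule set reports every pair, the segmented plan reports nothing, and the one extra vendor rule shows up as the cameras segment reaching the patient-data segment on every probed port, which is exactly the path a compromised camera would need.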
5. Lock down external-facing websites such as Facebook and Gmail.
The weakest link in the security chain is, and will always be, humans.
6. Invest in high quality antivirus.
Do not be fooled by free versions. Pay the additional fees and implement a quality solution.
A good security plan can be overwhelming at first, but with the right knowledge and expertise, it can be simplified and managed to reduce the exposure of your practice or hospital and limit the amount of risk.
No matter how small your organization is, you should still stand up against the hackers. Stay hungrier. Don’t let them come in and win the whole game.
No security plan is foolproof, but ignoring compliance standards and security posture is foolish.