Defensive countermeasures for cyberattacks
by Cassi Price
June 25, 2018

Concerns with patient data privacy in the health care industry are growing. With the recent Facebook data scandal, consumers may be wondering whether their health data is safe.
How can home health and HME companies protect their patient data, to ensure patients feel safe sharing private information with them? Do we just have to live in a world where our privacy is at risk each time we share something with our health care providers?

Unfortunately, these are the questions concerned business owners are now asking on a daily basis, but all is not lost. As Jared Hughes, information security analyst of VGM Secure Tech shared, “Our world hasn’t fundamentally changed. The only thing that has changed is awareness of risks that already exist. Defensive countermeasures are readily available for every cyber risk that appears in the news.”

To uncover these defensive countermeasures, read what the experts had to say in the areas of education, technology and compliance for home health and HME companies.

Education

Hackers Hack People, Not Systems

“Ninety-one percent of cyberattacks start as a phishing scam that is intended to trick users into revealing personal information or downloading malware,” said Megan Kraft, inside sales and customer service manager of VGM Education. “Knowing this, it is imperative that companies are training their staff on what to look for. Employees can either be our biggest weakness or greatest strength when it comes to security, and training will be that differentiator.”

Educate and Re-Educate Employees

“Treat patient health information as though it were your own. Social engineering and ransomware are the vectors of choice targeted toward staff in the health care industry. Educate and re-educate your employees on current tactics they should be on the lookout for. If trained regularly, they can be an additional line of defense,” said Carol Albaugh, technical solutions consultant for VGM Secure Tech.

To get you started, here are three areas of focus for employee training:

  1. Ensure that your employees know the potential impact a cyber-incident may have on business operations, and have specific rules for email, web browsing, mobile devices and social networks.
  2. Include cybersecurity training during onboarding activities for new employees.
  3. Make training useful, relevant and responsive to real-world examples during regular intervals throughout the year.

Kraft recommends creating a culture of secure work within your organization—display security posters around the office; train your employees on the importance of password management; let employees know about the latest threats when they arise. Once training is locked down with your employees, you can start to focus on helping your patients protect their own data.

Keep Your Digital Patient Filing Cabinet Triple Locked

Christina Throndson, vice president of VGM Forbin, describes how your business’s concern for patient data online should be handled with as much care, if not more, than the care you take in securing physical patient files.

“HIPAA compliance is nothing new for the offline or online business operation. However, with the increase in communication by consumers online creating even more opportunities for a potential data breach, and the continuously evolving landscape of preventive measures changing every day, many business owners can be left feeling lost,” Throndson said.

Two perfect examples of what Throndson is describing are: the newly implemented General Data Protection Regulation (GDPR)—a regulation in European Union (EU) law on data protection and privacy for all individuals—and the use of online user data in the Facebook Cambridge Analytica scandal. Both have drawn a lot of attention, fear and awareness as to what the requirements are and whether proper steps have been taken and communicated in regard to consumer information.

What should you do? Start by looking at how and where you are communicating with your patients, and what methods you are using. Then make sure you are implementing the standard privacy and HIPAA requirements in all areas. Are the platforms you are communicating within secure? Do not rely on others to secure your patients’ data. If you are uncertain of the security of the platforms you are utilizing, step back and do your research to ensure the platform is up to the latest industry standards.

Next, for compliance with GDPR, determine whether you have the consent of your patients to store their information and for what purposes. Is the system you utilize transparent with the preferences they have consented to? These requirements, to date, have only been regulated by EU law. However, this is a law that could apply to your business now, depending on your audience, and could be something we see for U.S. residents sooner rather than later. Even if you are not currently so required under GDPR, this doesn’t remove the necessity to consider these standards of privacy and security for your business.

Continually ask yourself where sensitive data is stored, communicated and used, and whether it is secure.

Taking additional security measures will protect your patients and your business. It will also build credibility for your business in the areas folks have been trained to look, including SSL/EV SSLs, GeoTrust badges, consent requests and other data requirements.

To make your online data collection points secure, Throndson recommends the following steps:

  1. Find a trusted resource in web development.
  2. Take stock of where your points of collection are and how you’re currently handling data collection.
  3. Test, if necessary, against GDPR and HIPAA standards.
  4. Tell your patients what data you collect, and how it is collected.

Technology

Securing IT Infrastructure

“Overall, health care companies need to take a hard look at all the risks that compromise their data. It has never been more important for small and medium business owners to be proactive in understanding threats to their business and invest in security strategies to protect their data and decrease their overall risk,” Albaugh said.

When it comes to investing in security strategies, Albaugh highlights five key areas of priority that, according to Security Magazine, only 31 percent of small businesses are using to take active measures against security breaches. These priority areas are:

  1. Updating and patching software
  2. Installing a smart firewall
  3. Taking control of your user access in rights and monitored activity
  4. Scheduling third-party reviews
  5. Using encryption to protect your devices

Compliance

Conduct a Stronger Security Risk Analysis

Another great resource was highlighted by Wayne van Halem, CFE, AHFI, president of The van Halem Group. “I would suggest to any home health and HME business owner that they conduct a comprehensive security and risk analysis.”

The HHS Office for Civil Rights provides a security risk analysis tool that might be helpful, van Halem said, and is compiling results of audits conducted. A majority of providers did not conduct an adequate security risk analysis (SRA) as required by HIPAA.

So how do you remain compliant when it comes to your HIPAA security risk analysis?

“There is a wealth of resources available to providers to assist in the SRA process. I think an error many providers, particularly smaller ones, make is thinking they can do it alone; they think they are doing enough to get by or they think they cannot afford outside assistance or guidance,” said van Halem.

“However, just like there is a wide variety of resources, there’s a wide variety of options and pricing, as well. I am a firm believer that there are experts out there that should be utilized and people shouldn’t be afraid to ask for help, regardless of your knowledge or the size of your practice. In fact, you might learn that your practice might be exempt from certain requirements because it’s cost prohibitive or your practice size is too small. If you think you need help, you owe it to yourself to at least do some research and find a partner that could help assist in this process,” van Halem said. “Even the most knowledgeable and experienced compliance professionals need to turn to outside experts on occasion.”

Next Steps

The Responsibility Is Yours

Now that industry experts have offered ways to improve business cybersafety practices, it is important to remember:

  • You are not alone.
  • Securing patient data is your responsibility.
  • Find a trusted resource for all your questions and concerns.
  • Follow all patient data security developments as they happen.