Medical Practice Billing Cybersecurity: Hackers Kick it Up a Notch
4 Sure Ways to Stay Ahead of Cyber Thieves
Medical billing professionals by and large go to great lengths to ensure that they provide a complete and positive patient experience for their practice or client.
However, one area of medical practice is often overlooked, creating a potentially large risk for practices and patients alike: cybersecurity – the security of patients’ personal healthcare information, or PHI, stored in the electronic medical record systems.
The healthcare industry historically leads in the number of security breaches per year where sensitive personal data is lost to cyber thieves. A recent Protenus report found that healthcare cyber breaches now account for 34% of all incidents worldwide, and have jumped 151% over the past ten years, reaching a pace of one breach per day in 2017. It’s evident that hackers continue to kick their efforts and sophistication up a few notches every year. Your challenge is to not merely keep up, but to stay ahead.
Why Do Cyber Thieves Pick On Us?
The short answer is PHI is among the most valuable data on the planet. A recent Trustwave report found that a healthcare record may be valued at up to $250 per record on the black market, compared to $5.40 for the next highest value record (a payment card). That’s because the medical record is the most comprehensive profile of a person’s identity that exists today.
So the bottom line is the bottom line. Cyber thieves are trolling for the most valuable information they can hack into, and PHI is toward the top of their list. While billing information alone may not top the charts in black market value, hacking into a billing system can be the doorway into the broader EHR, or may provide missing pieces of information that can complete a hacker’s profile.
High Risks, Devastating Outcomes
Cyber breaches are governed by the Office of Civil Rights, OCR, an office of the Department of Health and Human Services that oversees overall HIPAA compliance. Even a small breach can result in large fines – from hundreds to thousands of dollars per record – if compliance is especially weak or lacking. Required notification and remediation costs add an additional $148 per record. And no dollar figure can capture the sentiment of patients who lose confidence in their providers as a result of a cyber hack. This can be devastating to a group practice or service provider.
What You Can Do: 4 Sure Ways to Stop Medical Practice Cyber Thieves
While no system is completely impervious to hacking, implementing these four proven approaches will vastly improve your defense against cyber criminals, and will put you in a strong position for dealing with OCR and quick recovery in the unfortunate event of a breach or audit.
#1. Know Where You Are Now – Perform a Security Risk Analysis
As a minimum, obtain a reliable checklist that is comprehensive and HIPAA-centered, and complete a self-assessment. If your practice or firm is inexperienced in this area, a better option might be to hire an outside security company to perform a HIPAA security risk analysis.
#2. Create a Risk Management Plan
Document risks that come out of the security risk analysis, determine how they’ll be handled, and track progress of remediation efforts.
#3. Control External Vectors
In security lingo, a vector is a pathway used by hackers to infiltrate a target system. Here are a few key defenses against outside threats, or external vectors.
Move to a Cloud-based System
Leading cloud-based EHR/PM/Billing system vendors have invested millions of dollars protecting PHI, and many have dedicated security teams. It is virtually impossible for a small or midsized practice or outsourcer to invest sufficiently to protect data in an on-premise system.
- Sign Business Partner Agreements
This is a HIPAA requirement for any business partners you engage with, and helps protect you as a vendor in the event of a breach at your client.
- Plug Endpoint Holes
This includes encrypting laptops and other access devices, changing default passwords on routers and Wi-Fi access points, and securing kiosks and monitoring devices open to the public.
#4. Control Internal Vectors
In practical terms, you are only as safe as your least committed, least well-trained employee or colleague. Research shows that 53 percent of breaches originated internally.2 Here’s what you can do:
- Thoroughly Screen Employees
Background checks on all new hires and probing screening interviews.
- Provide Detailed, Ongoing Training
Employees must be thoroughly trained on types of cyber attacks, how to recognize them, and what to do when they encounter suspicious items. Ongoing policy review is a must.
Create a strong feedback loop where employees have the opportunity to ask questions, relate experiences, and share success that can help others throughout the organization.
Stay Ahead by Staying Ahead
Cyber criminal activity is at an all-time high, and is growing worldwide at an accelerated pace. Fortunately, the good guys have developed strong countermeasures and the ability to stay a few steps ahead. The key is to understand the risks, create a strong plan, engage the right experts and technology, and constantly train and upgrade employees’ understanding of what to look for and what to do. Now is the time to put a stake in the ground and notch up your own commitment. Stepping up your efforts should always keep you a step ahead.
Get the free eGuide: Medical Practice Billing Cybersecurity: Hackers Kick it Up a Notch.