Avoid ransomware, email hacks and more by mastering the nuances of cybersecurity.

Ever since the Feb. 21, 2024, ransomware attack on Change Healthcare's services, medical practices, labs, hospitals, and other entities have been laser-focused on what the outage means for their payments and operations. But the attack also brought to light how easily bad actors can get past even elaborate cybersecurity measures. To keep your lab or pathology practice safe from breaches, check out five facts you must know about cybersecurity and attacks.

1. Cyberattacks Can Disrupt Patient Care

A cyberattack will turn your privacy and security compliance and operations upside down, forcing you to send out breach notifications, overhaul your technology, and potentially deal with ransom demands. But these attacks can also have a massive effect on patient care. Why? Most patient records are now kept on electronic systems, so during an outage your providers may lose access to patients' histories, details of past surgeries, documentation of allergies, existing diagnoses, communications with other providers, and much more. Practices may therefore need to cancel appointments or procedures, delay needed care, or hold off on prescribing important medications.
2. Any Size Practice Is a Potential Victim

Many practices think they're too small to experience the type of cyberattack that hit Change Healthcare, but practices of all sizes have been victims. The 2022 Sophos State of Ransomware report found that 66 percent of healthcare organizations surveyed had been hit by a ransomware attack in the previous year. The report also found that healthcare had the lowest average ransom payment of any sector, at under $200,000 (source: https://assets.sophos.com/X24WTUEQ/at/4zpw59pnkpxxnhfhgj9bxgj9/sophos-state-of-ransomware-2022-wp.pdf), which shows that healthcare practices are attacked even when the payouts are modest. This rise in ransomware activity calls for a proactive approach to securing data at your practice. IT and cybersecurity professionals need to adopt a "when, not if" mentality toward protecting your organization. By staying vigilant against possible attacks, your cybersecurity team will help protect your organization's bottom line.

3. Ransomware Is Just the Tip of the Iceberg

While data breaches and ransomware attacks garner the headlines and news reports, traditional threats remain and will continue to operate throughout 2024 and beyond. Threat actors have used these tried-and-true methods for years and will continue to do so:

Educating and training your staff on everyday threats will help them stay aware of, and proactive against, incoming malware and the tricks threat actors use. Your cybersecurity team should also enforce best practices to ensure your practice or organization is compliant and safe. Effective cybersecurity goes beyond installing a firewall; it also involves the actions your organization takes every day. Essential practices such as security awareness, data protection, email protection, effective monitoring, patching, risk assessment, and incident response will keep healthcare systems secure.

4. Older Technology Can't Keep Up

Your practice may be avoiding installing security software to protect against ransomware because of the cost. Many practices also reason that they installed firewalls and enhanced security systems years ago and are therefore already protected. However, legacy technology rarely meets today's cybersecurity needs: systems that have passed their vendor's support date no longer receive security patches, and these outdated systems leave your practice vulnerable to attack. Your best bet is to consult a healthcare IT privacy and security consultant who can assess what you need to keep your practice secure.

5. Practices Need an Incident Response Team

Regardless of whether you outsource your IT security or have an in-house team, make sure you have a dedicated incident response team that's ready to act if you experience a leak, breach, or data hack.
As you determine who might be a good fit for the team, consider these criteria:

Staff the team with subject-matter experts. Whether you use in-house employees or hire an IT vendor, make sure your security incident response team knows the HIPAA Privacy and Security Rules and their requirements. Team members should know where all the data is stored, how to obtain the credentials they will need during an incident, IT best practices, and all the software in use at your practice.

Make communicating incidents a priority. Your team must establish open lines of communication with the other team members, practice leadership, staff members, and even patients if breach notifications are required. The team should have response plans in place and should know who is handling each aspect of communication well before a breach occurs.

Identify auxiliary staff that need notification after a data security incident occurs. Your team needs to identify other points of contact who must be notified of any cybersecurity incident, such as your electronic health record vendor, billing service, network service provider, or other business partners. Keep a comprehensive list of who must be alerted to a breach, along with their contact information, so you have it on hand when you need it.

Formulate a checklist of the team's objectives. Your plan should define which functions the incident response team is responsible for, such as education, awareness, notifications, information sharing, IT repair, and any other important tasks.

Offer periodic training and updates. As with managing the issues found in your annual risk analysis, a security incident response team's job is ongoing and evolves with threats and incidents. Your team needs to keep testing for potential threats, training staff, updating and deploying software, and more.

Torrey Kim, Contributing Writer, Raleigh, N.C.