The issue of cybersecurity often captures news headlines, thanks to high-profile data breaches and government efforts to combat both foreign and domestic hackers. But many people do not understand the threat that ransomware, phishing, and malware pose to individuals and businesses, particularly in the healthcare field.

Independent medical practices are obvious targets for cyberattacks due to their access to sensitive patient data. Criminals can make lucrative use of stolen personal health information—utilizing it for targeted scams that take advantage of a victims’ condition, filing fraudulent insurance claims, or illegally gaining access to prescription drugs for resale on the black market. So, what can you do to ensure your practice is prepared when an attacker tries to sneak in?

KNOW WHAT PROTECTION IS ALREADY IN PLACE

The biggest mistake many private medical practices make is thinking that their managed service providers (MSP) provide enough protection against the threat of attack. Firewalls and anti-malware software are part of basic information technology (IT) configurations; however, those two elements alone are not enough. For business owners to sleep well at night, it is important to understand what your MSP or IT company is doing to protect the confidentiality, integrity, and availability of your data.

Managed service providers can often implement controls that will improve the overall security posture of a business. However, owners need to ask specific questions to identify what security controls the MSP can provide and whether those controls are being used appropriately.

First, find out whether your MSP requires multifactor authentication for all employees. Requiring users to provide two or more identity credentials to access their network accounts greatly reduces the likelihood that company emails will be compromised. If multifactor authentication is not already the standard, ask your MSP to implement it immediately. (In a future issue of New Retinal Physician, I will further explain how to avoid business email compromise through multi-factor authentication.)

Second, how often does your MSP scan your network to identify vulnerabilities? If a critical vulnerability is discovered, how long before it is patched? Network scans should be run daily, and once vulnerabilities are identified they should be patched immediately. You can request a copy of your MSP’s processes for both scanning and remediating vulnerabilities.

Third, how often is your data backed up? Ransomware attacks are most impactful when backup data is either unavailable, or was not saved recently enough to meet the business’s needs. In the case of a retina practice, data should be backed up daily because, presumably, patients are seen every day. The backup should be stored at a location separate from the practice, where the original data is kept. Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) are the leaders in cloud storage, and most MSPs already use one of them. Knowing how and where your backups are stored is critical in combating ransomware.

Consider your own processes as well. Imagine that an employee with access to your company’s most sensitive patient data or financial information leaves or is terminated. Do you and your MSP have procedures in place to disable that person’s access on their final day of employment, or could their access remain active for several days or weeks? If access was not removed immediately, did that former employee access sensitive information after they were terminated? Ask your MSP to investigate this and, if necessary, implement protective measures.

EDUCATE EMPLOYEES ABOUT PHISHING ATTACKS

Another area where there is room for improvement is the way security awareness training is conducted. Most experts agree that the greatest threat to network security comes from inside the company. This is not to say your employees have bad intentions or want to cause a data breach. However, if staff is not properly taught how to detect suspicious emails, they may unintentionally click on links that can infect systems with ransomware or other malicious software.

Phishing attacks, as they are commonly known, occur when a would-be hacker poses as a trusted source, such as a financial institution, software corporation, or government agency, to gain access to sensitive information. Whether it be a password, credit card information, medical records, or an invoice, phishing attacks are by far the most common source of data breaches. The reason is simple. It costs nothing to generate these types of attacks, and one phishing email can be sent to thousands of recipients at a time, making the likelihood of success high. Therefore, it is vital to improve your approach to security awareness training to reduce the likelihood that a phishing campaign will be successful.

Annual online training is cost-effective and simple to implement. After the initial training, it’s useful to have a network security person occasionally send test phishing emails to your employees, without alerting them that they’re coming. Test phishing campaigns allow security providers to see who clicks on malicious links or provides sensitive information. With this knowledge, targeted training for the employees who were most susceptible to the phishing emails can be conducted. I have found that this sort of follow-up testing reduces the likelihood of success from a real phishing attack.

In addition to this type of simulated phishing campaign, there is added value in quarterly newsletters that detail recent and common threats to your industry, as well as in-person training on a quarterly basis to create dialogue and raise awareness with respect to these critical issues.

Although most MSPs and IT companies offer some level of security training along with their services, it is not enough. Most do not offer test phishing campaigns or targeted training, for example, so you would need to hire a third-party cybersecurity company to provide these services. The cost of additional training is nominal when compared to the cost of a successful phishing attack.

DEFEND YOUR SUPPLY CHAIN

Supply chain attacks have become another threat vector that leaves small and medium-sized businesses at risk. As is true in any industry, medical practices and retina clinics are heavily dependent on third-party vendors to provide critical services. Whether it be storing financial data, having access to the network, or performing a service critical to business operations, third-party vendors have become avenues through which attackers can breach your systems. It is important to know what each third-party vendor is doing to protect the information you share with them.

The risk posed from third parties comes in many forms. There are operational, financial, reputational, compliance, and strategic risks associated with the relationships with third-party vendors. Annual risk assessments on all critical third-party vendors are an important element in building a foundational cybersecurity program. This assessment should begin during the procurement process. Ask vendors whether they have any security certifications (SOC 2 and ISO 27001 are most common). Similarly, ask them the same questions you would ask your own MSP (eg, do they require all employees to implement multifactor authentication; do they run vulnerability scans and remediate according to industry standards?). Cybersecurity vendors can also conduct these annual assessments for your practice.

If you are a small or medium-sized business owner, investments must be made in cybersecurity, otherwise the likelihood of your practice being hacked increases every day. The assumption that hackers are using complex and technical methods to cause data breaches is simply not the case. Instead, most attackers look for holes in systems that they can exploit for financial gain.

The first step in building a better cybersecurity program is to view it as critical to business success. Ask the right questions of your MSP to understand if they are really following best cybersecurity practices or simply providing basic IT configurations. Invest in training your staff to make sure they are not the ones accidentally responsible for a data breach. Assess the risks that third-party vendors pose to your business. Take these first steps to make sure your practice is not the next one hacked. NRP

MR. BLUMBERG is the founder of Citadel Cyber Consulting LLC, a cybersecurity consulting firm that helps small- and medium-sized companies identify and remediate cybersecurity risks. He has over 10 years of experience in identifying security risks and has worked with the Centers for Medicare and Medicaid Services (CMS), NASA, several Silicon Valley startups, and a major national law firm. Reach him at scottblumberg@citadelcyberconsulting.com.