6 mins
How can medical practices reduce the risk of cybercrime
Understanding risk: How can your medical practice reduce the risk of cybercrime?
The topic of security isn’t a new one, but since so many large, well-known businesses have been caught up in cyber security breaches it’s become top of mind for a lot more people.
What can medical practices learn from these incidents? What are the impacts of not managing your cybersecurity risks? What are the practical ways practices can reduce their risk when taking payments or managing data generally? These questions were tackled recently at the Talking HealthTech Spring Summit. Read on to find out more.
What can businesses learn from these incidents?
Security is not just important to large businesses. According to SecureTrust: 71% of cyber-attacks occur at businesses with less than 100 employees.
Helen Flaherty, Ezidebit’s Head of Product has been designing and leading software product development for over 20 years, mostly in financial services but also in health. She has this advice for businesses:
“It’s easy to think if you’re small you’re not a target, but that’s not the case. For example, we have research that shows that 40% of Australian SMEs have fallen victim to cyber attacks since the pandemic. It’s definitely an ongoing threat and something that needs to be considered as part of running your business.”
Unlike larger businesses, small to medium businesses run the risk of closing their doors if they are impacted by a breach - in fact 80% of small businesses that suffer a breach go out of business after 18 months.
The health sector is particularly vulnerable. Increasing use of technology (eg. wearable medical devices, telehealth services and electronic health records) has resulted in more health information being stored and transmitted electronically and cybersecurity awareness in the sector has not always kept pace.
According to panel member Brenden Conolly, who is the Group Chief Technology Officer at Citadel/Genie Solutions, the main things businesses need to understand are:
-
The time between vulnerability and exploitation is very quick as we recently saw with the Optus and Medibank breaches
-
The onus on business and associated penalties are likely to rise and the government is talking about fines of up to $50M
-
Managing both the investigation and the public communications around a breach is key (therefore, it’s important to be prepared before you experience a breach)
-
Technical breaches are just as likely as people related ones
“When the rubber hits the road it’s all about being prepared should something happen,” said Brenden.
“The timeliness of communication with agencies, patients and customers is critical.”
What are the impacts for medical practices when they experience a security incident?
“The key message for any business, including medical practices is that if you don’t manage your cybersecurity risks, you’re at risk of fraud and chargebacks from a payments perspective,” said Helen.
Chargebacks occur when a cardholder disputes a purchase. This can result in a loss of income for the business if stolen credit card details are used to pay for a transaction.
Other consequences for companies that don’t adequately manage their cyber risk include government penalties and possible litigation. For example, with the recent Medibank cyber attack, the reported estimated costs continue to increase and at the time of publishing are close to the billion dollar mark.
Brenden added that reputational damage is something that many businesses fail to come back from - the loss of consumer confidence is just too strong.
Additionally, cyber security insurance cover for businesses is going to become increasingly expensive and may even be difficult for businesses to acquire in the short term. Providing evidence of planning for breaches and mitigation strategies will be crucial.
Another impact that is critical to consider is the impact on your people - and how they feel being entrusted with sensitive data if they end up being caught up in an incident.
Challenges for smaller practices
The most obvious issue for smaller businesses is a lack of awareness of the risks and access to specialist IT staff who know how to manage and mitigate these risks. If you’re a new medical practice, there are many other things to consider in setting up your business with cyber risk likely to drop to the bottom of the list.
Brenden, outlined some of the challenges he and the Genie team see when working with practices.
The options can be overwhelming with what you need for your business and leveraging trusted professionals is key.
“For example, at Genie we have our team of certified IT advisors who deal with this stuff day-in, day-out and can advise practices and there are other advisory services out there. It’s a complicated landscape.”
It’s pretty obvious that many practices are unsure about their ability to deal with a cyber attack - and this was confirmed by the pre-summit poll conducted by Peter Birch at Talking HealthTech.
Hygiene factors practices should consider
It’s important to treat data as an incredibly valuable asset that attackers want to steal from you. You need to understand the scope of the data you have that’s vulnerable to attack and limit this to what’s essential to help patients, manage your practice, take payments and be successful as a business. For example, we saw with the Optus breach that they had data that they didn’t need to support their business.
“You need to be almost ruthless about what you need to keep,” said Brenden. “Additionally, you need to be aware of your obligations under the various acts around this - including privacy principles. This includes things you have to do and also things that you have to not do when it comes to protecting peoples’ data.”
From a payments perspective, Helen had some good advice.
“There are twelve core requirements for payment card industry data security compliance. These overlap with general IT security management actions you should be doing in your practice. This includes secure storage of data, understanding who has access to that data within your network and putting in strong access control methods such as passwords.
Think of it as a shared responsibility between how you run your practice and environment in your control versus the vendors you use/integrate with such as Patient Payments by Genie Solutions.
The PCI DSS requirements:
Build and maintain a secure network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect cardholder data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a vulnerability management program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement strong access control measures
7. Restrict access to cardholder data by practice need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly monitor and test networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an information security policy
12. Maintain a policy that addresses information security for employees and contractors
Practical ways practices can reduce their risk
For Helen, the number one thing is awareness.
Make sure you work with trusted partners, such as Ezidebit when managing your payments and using the latest security tools such as multi-factor authentication and biometric identification.
Make sure you train your staff - they can be the easiest target for cyber criminals. Whether it be phishing emails or downloading malicious links, awareness and training are key.
If you’re a small or medium company that lacks resources, managed security services and service providers are options to consider using for both prevention and incident response. This makes economic sense for many industries and practices that don’t have (or can’t afford) the internal expertise or capabilities to manage increasingly sophisticated breaches.
Ezidebit has been running the Merchant Trust Initiative (MTI) for around four years to help our clients improve their cybersecurity and maintain compliance in regard to card payment data they collect, transmit and store. The MTI offers a range of enterprise-level online tools including anti-virus, remote access security, point-of-sale device monitoring, mobile security, and more to improve security within your practice.
Brenden added that encryption and backup of files is also important. Cloud solutions can be powerful as cloud vendors spend significant amounts on mitigating risk, and have a shared responsibility across that risk. This can give you more comfort than you may get from other types of software vendors.
What is the future of risk and security for practices?
Brenden’s final words of wisdom:
-
Security is an arms race. Keeping on top of it is incredibly difficult. In the near future, security will become more and more about automation. Business owners won’t be able to physically keep up so using automated tools and processes to protect yourself and your business will be crucial.
-
Cloud will inevitably take a larger role and this will be a positive change as investment in cloud solutions will generally lead to earlier releases of solutions.
-
This will equally apply to using ‘software as a solution’ (SaaS) providers who are often building with security in mind. This substantially reduces the risk and footprint of potential security concerns, compared with building a software solution onsite.
From a payments lens, Helen advised:
-
We can expect more change. This is not going away. With more legislation changes coming, we need to be on top of it and look at ways to help practices manage risk every day.
-
It’s important to have the right partners and relationships to share responsibilities to help you navigate and reduce the risk burden on your individual practice.
-
Cyber crime is growing exponentially each year and so are the risks to practice, organizations, and consumers. PCI compliance and making the most of the advanced cyber security tools available to you can help mitigate the risks. The risk of non-compliance is too big to ignore
About Talking HealthTech
Talking HealthTech features content and community for those wanting to learn and connect about technology in healthcare. To join the conversation or find out more visit https://www.talkinghealthtech.com/