Managing Your Security As Cyber Attacks Intensify
The cyber attack on Change Healthcare earlier this year resulted in a tsunami of issues still impacting critical components of digital healthcare delivery, from insurance eligibility verifications and pharmacy operations to claims transmittals and payment. Even months later, pharmacies have been unable to transmit insurance claims and now have significant backlogs of prescriptions that cannot be processed.
Once an organization is discovered to be vulnerable, other attackers may take advantage of the situation. Proving this point, Change Healthcare, a subsidiary of UnitedHealth Group, was hit again in April. This time, a different cyber attacker group reportedly stole four terabytes’ worth of patient data, a massive amount of potentially compromised sensitive and financial information. The cyber gang is threatening to sell the data if a ransom isn’t paid.
Organization Or Practice Size Doesn’t Matter
You may think cyber criminals only attack the big organizations, but that’s not true. Attacks can happen on businesses of every size, crippling operations and draining bank accounts. You need to implement proactive measures to ensure continuity of patient care and better protect patient data and trust.
Does Your Practice Understand Security Risks?
As with any attack mitigation effort, understanding the key vulnerabilities and the strategies to mitigate them is the first step. Here are three key areas to check first:
1. Unauthorized Access
- Risk: Unauthorized users gaining access to sensitive patient information or modifying records. Reports indicate the cyber gang used compromised credentials on an application that allows staff to remotely access Change Healthcare systems.
- Mitigation: Implement measures such as multi-factor authentication and role-based access control to limit system access only to authorized personnel. Multi-factor authentication protocols include use of text-message codes or access tokens keyed to individual users.
2. Data Breaches
- Risk: Patient data breaches can lead to compromised confidentiality and privacy, along with the risk of crippling fines and reputation loss.
- Mitigation: Encrypt data both at rest and in transit to prevent unauthorized access, for example with fully HIPAA-compliant email. Configure “ransomware resistant” backup to enable a quick recovery in the event of an attack. Regularly update security protocols and conduct vulnerability assessments to identify and address potential weaknesses. Employ Business Associate Agreements (BAA) with third-party vendors and organizations to ensure their security measures are HIPAA compliant.
3. Phishing Attacks
- Risk: Phishing attacks have grown increasingly sophisticated over the past few years, with more than 90% of cyber attacks starting with a malicious email. The healthcare industry is a primary target.
- Mitigation: Educate employees about recognizing and avoiding phishing attempts through regular training sessions. Implement email filtering systems or secure HIPAA-compliant email to detect and block suspicious emails before they even reach the inbox. Utilize HIPAA-safe email that prevents unknown parties from emailing and spamming you directly.
The Change Healthcare cyberattack highlights the interconnected nature of digital healthcare systems. An attack on one component can have far-reaching consequences across an entire network, disrupting operations and compromising patient safety. Electronic prescribing, billing and claims are specific examples.
There are many measures you can take to ensure the safety and security of your practice’s infrastructure and the sensitive data contained within. While no measure is foolproof, implementing risk mitigation efforts is required not just by law, but by your commitment to your patients, your team, and your practice.
VDA endorses multiple products to keep your practice safe and operational. It’s worth noting that healthcare providers who use VDA-endorsed iCoreRx ePrescribing software from iCoreConnect were not impacted by the attack on Change Healthcare. iCoreVerify, also endorsed, automates insurance verifications for you. iCoreConnect’s team is prepared to review, revise, and advise, to help you ensure HIPAA compliance and healthcare security are fortified in all business facets of your practice, including HIPAA-compliant email with endorsed iCoreExchange.
Book a demo or call 888.801.7706 to learn more. Member discounts apply.