You don't have to be technologically savvy to help protect your practice against hackers. Know what to watch for, then take these three steps to prevent the bad guys from gaining access to your systems and patient information.
Posted in Practice Matters on Friday, February 25, 2022
Roughly 34% of ransomware attacks [PDF] are perpetrated against healthcare organizations. The information a small practice has about their patients, especially those that take insurance, is extremely valuable. A single healthcare record can be sold on the black market fo roughly 50 times more than a debit or credit card number.
You May Think
“Why do I need to worry? I’m a cash practice. I don’t have much information.”
The trouble is, bad actors don’t take time to learn about your practice before they try to get into your systems. They shoot wide, benefitting if they catch just a few in their net.
“I’m just a small fry. Why would they go after me instead of someone with a big bank account?”
It’s more work for the bad actors to hack a big company. Larger companies have greater human and financial assets to protect themselves (although they don’t always have the wisdom to deploy their resources). In contrast, small businesses have a lot to do, but not a lot of time or money. Setting up processes to defend against hackers may not be at the top of the ‘to do’ list, leaving them vulnerable.
How Hackers Get In
By far, the greatest risk to your practice is you and your staff members. It’s very rare that bad actors can access your valuable information without the unintentional assistance of someone ‘on the inside.’ When you or your employee clicks a link in a phishing email or text, you’ve opened the door.
Beware of Suspicious Emails
One of the most common methods hackers use is to send an email or text that looks like it’s from a legitimate sender within or related to the company. The content is something enticing, or concerning. It might offer a bonus or gift card, or suggest the PTO policy is changing. The recipient will be instructed to click on a link, or open a file. The goal is to make the content something that can’t be resisted.
Once you click, without realizing it, you’ve granted access to the perpetrator. They now have the ability to infect your laptop with a virus or malware that steals your information, or encrypts your information so you can’t access it (ransomware).
Paying the Ransom Doesn’t Help
But wait, there’s more. Even if you pay the ransom, most victims never get access again. So not only are you out the cost of the ransom, but worse, you’ve lost access to your patient information: names, emails, health records, insurance. It’s all inaccessible. The time and cost of recovery is the most expensive part of the process, because it could take a month or more for you to be able to get the information rebuilt. And, you have to let your patients know their information was taken.
Here’s How to Protect Yourself
The consequences of not protecting yourself can be painful and expensive. The good news is, it only takes a few simple steps to help keep you and your practice safe.
- Install anti-virus and anti-malware software. At the very least, install anti-virus and anti-malware software on every web-connected device. There are a number of inexpensive options available for computers, tablets and smartphones. Many computers come with it pre-installed.
- Backup your system regularly. You should backup to at least two different sources. Ideally, one source will be cloud-based so that even if your offices are destroyed, you’ll have quick access to your records. The second source can be an external drive. Just be sure to remove the media (commonly tapes) to a safe location. Having backups is the number best thing you can do to fight back in a ransomware attack.
- Provide staff training. The third step is to stop hackers in the first place by preventing their ability to get into your systems. Statistically, 96% of companies hit by an attack had basic antivirus protection. The problem is, many employees aren’t trained to recognize and avoid a phishing scam. Set aside time to provide your staff (and yourself!) with basic cyber security training. Even one hour of training can save many hours of pain. Training can be a great way to educate the team about what to watch for and what not to do. There are numerous training options that are inexpensive but highly effective.
Your practice may not be a particularly valuable target, but even so, bad actors can make your life very difficult. Make time to establish protocols to protect yourself: the training, the processes, and the security behind the scenes. They are too important to ignore.