Practice Notes

What all medical group leaders must know about cybersecurity

by Ernie Hood and Hamza Hasan

Uninformed providers and frontline staff pose a cybersecurity risk to your organization. As an industry, health care experiences the second-highest rate of cyber incidents (after the finance and insurance industry).

To put things in perspective: the CIO of the Department of Health and Human Services (HHS) estimates the department faces "500 million cyber hack attempts each week." Further, the WannaCry ransomware of May 2017 infected computers and networks around the world, causing significant harm to leading hospitals and clinics.

Faced with these threats, health care organizations have made substantial progress in maintaining rigorous IT security. But for most leaders—particularly medical group leaders—more work remains. Here's why: email and the internet remain the most likely vectors for a cyberattack, which makes frontline providers and staff among the primary weaknesses in your IT network's security.

Here are seven things clinical leaders need to know about their role in preventing a cyberattack from affecting their practices and patients:

  • Keep personal and business email separate. Mixing personal and business email in one inbox makes it harder to spot a suspicious message that appears to be from your bank, the IRS, UPS, FedEx, a friend, etc. Hackers have become very sophisticated at creating emails that look legitimate and send such spoofs frequently.
  • Hover over links before clicking to see whether the destination is a web address you trust (or at least the address you expect). It's hard to train yourself to do this, but hackers are very good at disguising their malware links. If you do not recognize the website in a link, do an internet search about it before you click.
  • Do not open attachments without checking the source first. Attachments and links are the primary entry points for malware. The attachment itself may look innocent—a Word document, a PDF, a Zip file, etc.—but it can contain hidden malware. If you get an attachment you did not expect, be suspicious and check out the sender before opening.
  • Know what to do if you click on a link or open a file you shouldn't have. Seconds count in this situation. The best way to limit the damage is to immediately disconnect from any network and power down your device.
  • Make sure you know how to function during a downtime. If you do get hit with malware, your practices will have to function on manual procedures. Be prepared for this. Providers and staff should understand what to do and have the supplies they need. Practices should also have plans to keep functioning during an extended outage, just like for a natural disaster.
  • Keep your systems up to date. WannaCry is a good example of how malware exploits known flaws in common systems (in this case Microsoft Windows). Microsoft issued a patch before WannaCry went public, but many organizations and individuals failed to update their software. The same logic applies to personal devices such as smartphones, tablets, and home PCs.
  • Do not blame the victim. A common tendency when something like WannaCry happens is to blame someone, often the individual who clicked or the IT department. Keep in mind that they're victims too. Blaming and shaming only reduces communication and inhibits an effective response.

When a cyberattack occurs, the whole hospital is our patient

Health care organizations are under attack. Vicious threats like ransomware can significantly disrupt or even shut down clinical and business operations at a moment’s notice. While the implications of cyberattacks are often unknown to health care leaders, clinicians, and staff, they are used to handling critical incidents in patient care. Luckily, the process for handling a cyber incident is nearly the same.